Why Nation State Wants to Hack My Company


Listen and discover what industry leaders are doing to protect the companies and teams they serve and why. Get the inside scoop on why you should steer clear of security companies that advertise that they can keep your business safe 100% of the time, and get even more tips on how to strategize your risk mitigation plan.

Why Would I Be a Target?
It’s about your access to data, being in a specific role and what that role allows you to do, or who you have access to, such as other companies or vendors. The bottom line is that you have power, money, and resources, and someone wants them. If you are working with another company, you are not only a target, you are now a vulnerability to whoever you work with.

Wars Aren't Only Being Fought on the Battlefield, They're Being Fought on Wall Street

How Would They Even Find Me?
You are in more places than you think. Any device you use that connects to the internet is a target. So are your personal and business-related social media accounts. There is no hiding your digital footprint, and many people don't realize how much they are giving away.

Sometimes it's not even about you. If you hold a list of partners and vendors, or anyone you are affiliated with for that matter, your list could be a valuable resource for adversaries.

Loose Lips Sink Ships.
Companies that rely on the public sector for funding generally have a responsibility to tell the public where exactly their money is going. The challenge is to find the right balance by not giving away too much information. 

Some people post their excitement about certain contracts and projects on social media. There are even photos of military personnel in the middle of training exercises on dating sites! Criminals can target people based on what they share. 

At the time of this recording, there were over 32,000 profiles on LinkedIn that advertised their credentials. That is 32,000 opportunities for an adversary. How about a company that announces a large contract? Let that sink in for a moment. 

Why Would Another Country Want to Steal YOUR Data?
Multiple reasons. They want the tech without paying, they want to have it before you do, or they want to mess up your design to sabotage your products once they do go into production. They do it because it's where the money is. Power play. Need we say more?

Who ARE These People?
There are the farmers, who take existing exploits and farm them out to whoever, wherever. They send out malware, you click it, they get paid.
Then there are more organized people who take things down for a period of time.
Scammers are pretty much the people who don't know how to copy and paste and who try to scam you over the phone or by phishing email. They'll pretend they love you, but not really.
Then there are the cyber criminals who will get in no matter what (possibly an insider).

How do I deal with each one of these? Think in those terms.

How Can We Stop the Spread?
How do we educate the human? How do we change people to think about protecting more? What about the business end of the stick? This is a two-fold approach.

Finding a balance between the human element and the personal elements. For example, LinkedIn is used not only to maintain a professional presence but also to network, either to gain knowledge or to advance a career. BUT adding that you have a top secret security clearance to your profile also makes you a target.

Companies are finding out they need to audit social media accounts.

The Business End. There is very little that we can keep secret. If we focus on the significant parts that need to be protected and work out which parts do not, that helps put things in perspective. When you try to protect everything, you protect nothing.

Over-classification tends to dilute all security. Giving employees a document saying all things need to be protected, when clearly there are things that do not, tends to make them question the rest of it. For example, when protecting customer data, do we care about their favorite color as much as their Social Security number? No. Therefore, the focus should most definitely be on protecting the Social Security number.

How Do We Know What Needs to be Protected?
Understand what you are trying to protect, segment it, identify the high-risk, high-priority items, and build your risk mitigation plan around that.

It's a Team Thing. Time for Happy Hour. Go out and have a drink and have the conversations and create a strategy that includes other departments. What do you critically need in order to exist? Protect THOSE. Keep in mind that what may be important to the sales department may not be important to the engineering team. The goal is to find which trees will burn the entire forest.

Understand what everyone brings to the table and what their capabilities are. What are their limitations? This helps bring the vulnerabilities to the surface so that you can work on them. Test and test again. It's better to be proactive and find the bad things so that they can be fixed internally.

Leadership needs to support this kind of collaboration. 

Get a fresh set of eyes from someone who is not invested in the company to look at the vulnerabilities and then discuss your findings in addition to theirs to help create a risk mitigation strategy. Test, test, and test again.

It’s always the path of least resistance with the adversary.

Moderated by

  • Wizer’s hacker, Chris Roberts!