Military strategist Sun Tzu, the author of The Art of War, had the fight against hackers all figured out. If you know your enemies, he wrote, and you know yourself, you will not be imperiled in one hundred battles. Further, he tells us, to know your enemy, you must become your enemy.
If you break this wisdom down into modern-day anti-hacker strategy, it’s this: to protect your organization from all the awful things that can result from successful hackings, you have to think like a hacker in order to understand why you’re being targeted, exactly how you’re being targeted, and the vulnerabilities in your organization that could allow those attacks to succeed.
To that end, here are five must-know facts about hackers.
Hacker fact #1: it probably isn’t personal
Your organization being hacked is like a high-level version of your home being broken into. Not only do you have to deal with the consequences of what was stolen and the damage that was done, but you end up struggling with thoughts of what you did to invoke the wrath of the person who perpetrated this crime against you. Why were you targeted? What could you have done differently?
However, just like most burglars, most hackers are pure opportunists. They found a vulnerability in your system or network and they pounced, stealing what they could to make a buck on the online black market. It might feel personal, but it probably isn’t. You don’t have to have enemies to get hacked. All you need to become a target of a hacker is a connected component of your business and boom, you’ve got a bullseye on you. This is why cybersecurity readiness is an absolute must for absolutely every organization.
Hacker fact #2: that said, hackers know a lot more about your organization than you think
Though they may be opportunists, hackers aren’t impulsive. They’re cautious and thorough and tend to do their homework on a target – hours upon hours of it – before they strike in order to know what they’re after, where they might find it, and what sort of systems and networks and related vulnerabilities they could be dealing with.
You would probably be shocked to hear some of the sources a hacker may use to construct their playbook against you. Have you ever put up a job listing for an IT position and listed the programs, platforms, and systems the successful hire needs to be familiar with? Does your organization have any court records or financial filings that are publicly accessible? Have high-ranking security personnel ever attended conferences or given interviews on your organization’s behalf? Are you listed as a client of any cybersecurity vendors? Are you partnered with any other businesses, or do you have suppliers or strategic customers that could represent an easier route to your data and other assets? This is all information that can be gathered from search engines or basic record searches, and in the wrong hands, it’s practically a how-to hacking guide on who and what they’re up against, how they could get in, and what they could get once they are in.
Hacker fact #3: hackers look for the weakest link in the chain, and they will find it
Hackers, on the whole, may be people who are innately drawn to puzzles and other twisted problem solving and surely, they must enjoy the thrill of a challenge, but that doesn’t mean they’re not going to find the easiest possible way to access your assets. Whether it’s through a known vulnerability, a zero-day threat that had previously gone undiscovered, a backdoor, a malware exploit, stolen credentials, weak security on administrative accounts or social engineering, hackers will the opportunity that has been afforded to them by your organization.
No matter how good your security operation center may be or how top of the line your cyber security managed services are, you can never assume your organization is safe. Your cybersecurity strategy needs to be proactive and it has to involve taking that attacker point of view and completing regular hacking simulation to find every single potential vulnerability and deal with them accordingly, whether it means strengthening security around them or instituting additional monitoring. Cybersecurity awareness across all employees also needs to be considered, as many weak links in the chain are related to employees and their privileges.
Hacker fact #4: they’ve got time, more than you do
When a hacker targets you, he or she has one job: get into your system. That means every single minute that hacker feels like working, he or she can focus every ounce of their time and effort on defeating you. Meanwhile, your cybersecurity team has to deal with every single threat on the internet while your IT personnel have to keep your organization up and running with basic day to day operations. It’s never going to be a fair fight, so you need a proactive cybersecurity strategy that gets you out ahead and keeps you there.
Hacker fact #5: they will not stop
You know what tends to stop hackers? Being arrested. You know how many hackers are arrested relative to how many hackers are active? A number so infinitesimal it’s hard to estimate. Hackers and crackers do what they do because 1) they enjoy it and 2) it’s profitable. There’s always another vulnerability to exploit, more data to steal, more sensitive information to sell, more business processes to interrupt, and another way to spend a day ‘working’ in the comfort and privacy of their own home. Furthermore, for every hacker that gets out of the business, whether due to law enforcement efforts, legitimate job opportunities or plain old boredom, there’s any number of brand new cybercriminals entering the fray every day to take their place.
To win the war against hackers your organization needs to be as proactive and relentless as they are, constantly searching for new vulnerabilities and new ways to disrupt your own organization so you can find them before hackers do. The overall cybersecurity situation on the internet is not going to improve, so you need to improve within it. That is the art of cyberwar.