What The Godfather can Teach Us about Cybersecurity
It’s time for some tough love. And who better to get that from than The Godfather himself.
(take a deep breath…and the cannoli)
This article explains why you’re wrong if you think your business is not a target for hackers.
(sorry, but please understand…)
You are not unique. Your business is not special.
(I mean no disrespect)
The point is that it’s not really ABOUT you at all.
(this will make sense in a second)
A cybercriminal’s business is based on data and Internet connections. Think: computer language – ones and zeroes. They don’t care if you’re in Savannah, Georgia, or across the world in Perth, Australia. They build programs to take email addresses bought off the dark web and try to crack the passwords for access. They use data from breaches and public social media to impersonate and exploit. They listen for announcements of vulnerabilities or bugs, which companies publicly disclose, and then they search for affected machines and servers to attack.
Now, please don’t misunderstand. The industry you’re in, how much money your business makes, and how much information is available about your company, employees, or business partners can absolutely be important factors. But those are data points. Those are pieces of information that get you sorted onto certain lists or into certain databases.
What’s important for you to realize and accept (so you can more effectively deal with it) is that it isn’t personal.
Like that scene in The Godfather, “It’s not personal, it’s strictly business.”
Cybercriminals are not moody teenagers sitting in dark rooms making lists of people who have wronged them. (There may be plenty of people like that in the world, but that’s a different conversation.)
Hackers target businesses because that is their job. That is how they make money.
Ransomware, for example, has become such a profitable enterprise that there are criminals who offer Ransomware-as-a-Service to other criminals. That means there are ready-made packages of phishing emails and computer scripts for attacking your servers and entry points to gain access to your business. They can also include the ransomware programs that will steal chunks of your data to try to sell back to you later or programs that corrupt your backups before locking you out and demanding a ransom.
And if that isn’t horrifying enough, experts are now discussing ransomware cartels. Ransomware cartels are groups of criminals that join together to share resources – such as their techniques, malware programs, and data breach information – in order to reach more victims and increase their profits. Then, like any successful business, they reinvest the profits from their successful attacks to enhance their tactics and automate for more efficiency.
What does this mean to you?
“Don’t ever take sides with anyone against the family.”
This evolution in cybercrime tactics and collaboration puts every one of us and our businesses at greater risk. And in Godfather terms, it means we need to circle the wagons and protect the family—our businesses, our employees, our customers, and our vendors. Plus all the people connected to us through our networks, which includes anyone in your address book or linked through a social network.
Take a moment if you will to think of the 533 million Facebook users whose personal information was leaked in 2019 and made available in a public database. This included emails, phone numbers, full names, and locations.
Now think of the LinkedIn information on more than 500 million users that was recently in the news for being listed for sale on a popular hacker forum. LinkedIn says it wasn’t the result of a breach and that the information was scraped off a bunch of different websites. It did not contain sensitive information such as credit cards or social security numbers, and we don’t know exactly how old the information is. But analysts were able to verify that the data was associated with LinkedIn accounts and that it included personal information such as emails, phone numbers, job titles, and other work information.
So now these are the questions you face as a business owner charged with protecting your employees, clients, and proprietary information:
- Do you know for certain that you and all of your employees, past and present, were not exposed in these breaches or any others?
- Do you know for certain that they didn’t use their work email or list their company on their profile?
- Do you know for certain that they have separate passwords for all their logins?
The point here is not to scare you but to open your eyes to the actual risk involved in our incredibly connected world. Because even when data breaches don’t include passwords, we humans have shown that we don’t create strong ones to begin with.
According to NordPass, the top two most common passwords in 2020 were “123456” and “123456789.” Both have millions of users, and both can be cracked in less than 1 second. (To make sure you don’t have any passwords on this list, and to see how quickly they can be hacked, view the whole list here. Then learn how to strengthen your passwords here.)
So now realize that just one former employee’s email address that was not properly offboarded from your system and a weak password can let criminals into your network…
Or one current employee who is successfully spear-phished because of data from one of these leaks clicks on a malicious link…
“[They’ll] make you an offer you can’t refuse.”
One of the trickier aspects of successful ransoms is that the criminals are willing to wait. We want to think of them as old-timey burglars stumbling around in the dark and making their presence known, but that’s not today’s reality.
Nowadays, a cybercriminal will infiltrate and quietly do damage behind the scenes in your network. Once they have access, they can often change permissions and move around at will, altering settings in your programs without tripping any alarms. They can begin stealing your business information. And they can change your backup settings so that, if you rely only on logs rather than manually checking the files, everything will appear to be working as normal.
But once the last real backup has expired, they hit you with the ransom notice. And recent trends have them demanding money from you in two separate ransoms: one to get access to your own systems back, and a second to have the information they’ve stolen returned to you. As of Spring 2021, a third ransom is beginning to appear in which you pay for their silence. This last one is a threat to your business reputation: they say they will tell all of your vendors and clients what has happened unless you pay them not to.
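The backup point above is the one most businesses can act on today: a job log that says “OK” is not proof that the backup holds your data. The following script is an added example (not part of the original article) that verifies a backup by hashing the files themselves against the live source and raises an alert when the log reports success but the content does not match. The directory layout, file names and log line are constructed sample data.

```python
import hashlib
import os
import tempfile
def snapshot(root):
    # Map each file under root (relative path) to its SHA-256 digest.
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digests[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests

def verify_backup(source_dir, backup_dir):
    # Compare backup content with the live source; returns sorted (path, problem) pairs.
    src, bak = snapshot(source_dir), snapshot(backup_dir)
    problems = []
    for rel, digest in src.items():
        if rel not in bak:
            problems.append((rel, "missing from backup"))
        elif bak[rel] != digest:
            problems.append((rel, "content differs from source"))
    return sorted(problems)

def audit(job_log_line, source_dir, backup_dir):
    # The job's own status line is not evidence; the dangerous case is OK in the log, mismatches on disk.
    log_ok = "status=OK" in job_log_line
    problems = verify_backup(source_dir, backup_dir)
    if log_ok and problems:
        return "ALERT: log reports success but %d file(s) fail content check" % len(problems)
    return "FAIL" if problems else "OK"

def build_demo():
    # Constructed sample data: a source tree, a faithful copy, and a copy tampered with after the fact.
    root = tempfile.mkdtemp()
    src, good, bad = (os.path.join(root, n) for n in ("source", "backup_good", "backup_tampered"))
    for d in (src, good, bad):
        os.makedirs(os.path.join(d, "db"))
    files = {"db/customers.csv": b"id,name\n1,Alice\n", "db/orders.csv": b"id,total\n7,42\n", "notes.txt": b"hi\n"}
    for rel, data in files.items():
        for d in (src, good, bad):
            with open(os.path.join(d, rel), "wb") as f:
                f.write(data)
    # Tamper with the third copy: zero-fill one file and silently drop another.
    with open(os.path.join(bad, "db/customers.csv"), "wb") as f:
        f.write(b"\0" * len(files["db/customers.csv"]))
    os.remove(os.path.join(bad, "db/orders.csv"))
    return src, good, bad

JOB_LOG_LINE = "2021-05-01 02:00:03 nightly-backup status=OK files=3"  # constructed: reports success either way
```

Run the check from a machine the backup job itself cannot write to, so an attacker who has altered the job settings cannot also alter the verification.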
You have no guarantees on any of it except their word. The FBI and other government agencies encourage businesses not to pay ransoms because it only shows other criminals that it works. But it will be your call to make.
When your business is shut down and you can’t get into your own company programs, you might pay a ransom like Colonial Pipeline did.
When you’re back in operation and they have shown proof of the data they have stolen from you, you might pay to have it returned.
When you consider the loss of trust and business that would follow from criminals reaching out to your vendors and customers with private information from your business, you might pay to keep them quiet.
“I heard that you were a serious man, to be treated with respect. But I must say no to you.”
Don Vito Corleone says this to Sollozzo, ‘The Turk,’ when they meet to discuss a merger of sorts. Don Corleone may be a criminal, but he draws the line at dealing in narcotics, which is the ‘opportunity’ Sollozzo offers. Corleone’s own advisor tells him drugs are the “thing of the future” and that they risk all they have now if they don’t “get a piece of that action.” But the Godfather considers it a dirty, dangerous business and won’t participate even though he knows this will likely kick off a mafia war (which it does).
Now, crime boss Don Corleone should not be anyone’s example of a moral compass. But his words here could help you if you find yourself in a similar sticky cybersecurity situation.
Ideally, you will take steps now to prevent such circumstances. Because again, cybercrime isn’t personal. It’s business.
Phishing, spear phishing, ransomware, etc. are crimes of opportunity. So make your business a less attractive target. Say no to those who would attack your family. And let us know if we can help be your consigliere.
It’s time to go to the mattresses against cybercriminals.