Hunters of the data treasure

Companies in the focus of cybercriminals

As digitization continues, the volume of data in the economy will multiply in the future. Legislation has therefore ensured that data protection also enjoys a high priority in digital data processing. In addition to protecting trade secrets, companies must give high priority to the security of personal data. Violations of the GDPR can have particularly serious consequences: If a data loss occurs, the affected parties must be informed. In addition, such a security incident can be fined by the supervisory authorities. The law thus demands nothing less from companies than a constant ability to provide information and ongoing, reliable control over all the data they process.

However, the growing volume of data has brought to light another industry that has made it its business to thwart these plans. With digitization and global networking through the Internet, all of any company's data is - in theory - accessible to unauthorized parties. This has spawned a large international black market for data and helped cybercrime to become more professionalized. The motives and strategies of cybercriminals targeting corporate data are varied. Here are a few examples:

  • Contract hack

    In this case, cybercriminals put their skills at the service of paying customers with bad intentions. The motivation behind this is usually industrial espionage or a damage campaign against competitors. Individual services, such as the hacking of a specific cell phone, can already be booked on the darknet on a fixed-price basis.

  • Collecting valid data records

    In this case, there is usually an immediate interest in turning them into money as quickly as possible, either by reselling them or by misusing them oneself. This applies, for example, to credit card or bank data.

  • Collecting data records for further use

    Captured data records do not necessarily have to be complete - personal data is valuable because it can be resold in a collected form. The buyers, in turn, can use them to set up further spam campaigns. Authentic company letterhead or names of actual employees can be extremely useful for other targets in further fraud attempts. It is also conceivable that incomplete data records, for example mail addresses, are initially left until they can be completed by hacking or purchasing further data.

  • Extortion of money by means of ransomware

    Important data records of a company are encrypted with an infiltrated malware. The decryption algorithm is supposedly provided after payment of a ransom in the form of a link to a C&C server. It is strongly advised against making the payment, as it is by no means certain whether the criminals even have decryption software or whether it can be successfully downloaded by those affected. Likewise, it remains unclear whether hackers also duplicated and stole data sets during the ransomware attack.

Regardless of the industry, product manufactured, service offered, or size, their very existence as a "digital data processing center" makes companies a generally interesting target for hackers.

Keeping pace with a diffuse threat

In an effort to achieve the most lucrative data yield possible with a hack, cybercriminals in recent years have focused primarily on "big fish" such as banks, insurance companies, energy providers, retail chains or gaming platforms. As a result, a digital arms race developed: Companies with high brand awareness or critical infrastructures increased their defenses with increasingly sophisticated IT security mechanisms, while attackers developed their techniques accordingly.

The chances of success for cybercriminals at such highly equipped companies are now significantly lower. But the maturity of their attack techniques opens up opportunities to compensate for lost loot at high-profile targets through broad campaigns. Hackers are therefore increasingly looking for their victims on the periphery - in businesses that are still at a rather early stage of their digitization and whose IT security standards are still lower, including, for example, craft businesses, hotels or smaller, owner-operated stores. They, too, are affected by the legal requirements of data protection. In times when data was still stored in files and IT systems were not yet connected to the Internet, one could be relatively certain that data was safe: It was in PCs, in locked filing cabinets in a building to which only authorized persons had access and which was monitored by a gatekeeper or even a security service. The level of control over the data, and also the perceived security, was likely to have been exceedingly high in such scenarios.

IT security: checks can help

Unfortunately, this approach cannot be fully applied to IT infrastructures. There is always the possibility that unauthorized persons have gained access or have intercepted data. So does the fact that no irregularities are apparent actually mean that nothing has happened? Or could data have been stolen without it being noticed? Even assessing how likely such an incident would be is a complex undertaking for companies. They face a diffuse threat of different intentions and other unknown variables. For what reasons might cybercriminals attack infrastructure? Is there anything that should be of particular interest to them? How sophisticated might the attackers be? What attack vectors would they prefer? What damage could the company suffer and how expensive could regulation be in the event of a data security incident?

The field of hypothetical attack scenarios is exceedingly large. However, in order to be able to assess the security of the company's data, there is ultimately only one central question: Is our IT security capable of withstanding both unspecific and targeted attacks? A security audit can provide answers to this question. The entire IT infrastructure is checked as part of an automated check. Artificial intelligence tests the possibilities of numerous conceivable attack scenarios and then makes suggestions for improvements to close possible gaps. In addition, such software can determine whether data from the company is already circulating on illegal marketplaces. Companies thus regain control over the data they manage. This enables them to fully comply with their legal obligations as data processors - and offers their partners, their customers and themselves something that is becoming increasingly important: Certainty about the security measures taken to protect data.

Thomas Haak

August 6, 2021



Might be also interesting

Managed Security Service Provider: Geschäftsmodell für die Zukunft.


MSSP: a future-proof business model

Numerous managed security service providers are currently emerging. But what makes this business model work, and what should you as a reseller, system house or MSP pay attention to when making the switch? You can learn all about it in the article.

September 1, 2022
Neue Distributionspartnerschaft mit Fokus MSP

Press announcement

Partnership with Fokus MSP

Since 20 July it is official: Fokus MSP is a further distribution partner! Together we want to simplify the consulting and procurement process for MSPs, IT service providers and system houses.

July 20, 2022
Neue kritische Sicherheitslücke in Confluence von Atlassian

Security vulnerability

Critical vulnerability in Atlassian Confluence

Atlassian published a security advisory for the vulnerability CVE-2022-26134, which is a critical unauthenticated remote code execution vulnerability in Confluence Server and Data Center.

June 3, 2022