29.10.2020
What impact does your cyber security behaviour have on others? What does the protection of your personal laptop have to do with the availability of a retailer’s online shop? Adrian Wiesmann, Head of IT Security with PostFinance, answers these questions in his blog post for Connecta 2020.
“I’m just a small fish, no-one’s interested in me”. I’ve often heard this kind of thing in the past, particularly from people who failed to use a strong password or who haven’t kept their systems up-to-date. But it’s a short-sighted view. It implies that third-parties aren’t involved and that your own actions don’t have an impact on others. And that’s not true.
There are a huge number of scanners connected to the Internet. Scanners are computers that constantly trawl the entire Internet, on the hunt for vulnerable servers. Once a vulnerability is found, attempts are often automatically made to exploit the identified flaw. Behind these scanners are frequently shady individuals who regularly harness the personal computers belonging to the “small fish” to carry out their activities. The owners of these computers probably aren’t even aware that a criminal is remotely controlling their system and using it for illegal purposes.
The misuse may not even have a noticeable impact on the PC’s owner. But if a large number of these remotely-controlled computers are brought together in a botnet, they are absolutely dangerous and harmful. Botnets are the tool of choice for DDoS attacks. These are attempts to overload servers (e.g. for an online bank or shop) to prevent customers from accessing them. The reasons for carrying out such an attack are varied (reputational damage, blackmail etc.) and yet the impact will always involve financial losses for the victim.
That brings us back to the “small fish”. Your personal laptop – poorly protected, or perhaps without the latest security patches – is a minor target in its own right. But in the context of a botnet-driven attack, it is part of a bigger network – and that’s why it’s part of the problem. Let’s take another example. An SME’s online shop may be small, but costs are still incurred for maintenance and ongoing patches. The temptation is certainly there to at least partially cut back on these expenses. But if shop operators fail to keep their security measures up-to-date, they’re leaving the door ajar for criminal enterprises and unintentionally giving them access to their online shop’s server. Criminals can then exploit these flaws – to log customers’ credit card details during the payment process, for example. This information is then used to ransack the victims’ accounts. Suddenly the little online shop becomes a launchpad for a larger attack.
You cannot completely solve the problem. As soon as something has value, there will always be attempts at fraud. But we can address the problem by taking specific measures. The protection of your own systems and processes needs to be planned right from the start. In today’s interconnected world, you need to look beyond your own interests and also consider those of your partners and customers. Consistently taking this approach, you’ll not only save yourself money and hassle in the long run, you’ll also be protecting your partners and customers. Customers who feel safe and appreciated will show their loyalty and continue to purchase from your online shop.
Adrian Wiesmann is Head of IT Security at PostFinance Ltd. He enjoys motivating audiences with provocative blog post titles. Adrian likes to understand how things work. He even takes things apart to do so, looking at the individual parts carefully. His partner then puts them back together.
