If your work is threatened or a drag, join one of our fastest growing industries
The all Cybercrime Monday edition
My apologies for the delay with Monday Morning Tonic, but I spent time cancelling our trip to Florida and rearranging the rest of our holiday plans. We did this because, as Trump says, we Canadians are abusive people. We are some of the only people on earth who get angry when a despot tries to use their economic power to force them to join their nation. Hopefully, with this issue, I can disabuse you of the notion that cybersecurity is for babies.
MAIN COURSE: The booming industry individuals and business organizations ignore
In the last few years running my consultancy firm (we did full lifecycle services for Microsoft Power Platform) I had no less than four small clients who aggressively ignored my observations that they were eminently hackable and that they needed to upgrade their cybersecurity. Here are their defensive putdowns of my observation:
“How are they ever gonna find us?”
“We’re just small potatoes; nobody cares about us”
“All that stuff about cybercrime is just the media causing attention to something that’s not very big”
And my favourite, the IT manager who told me that’s why “they have nothing in the cloud because they run a tight on-premises ship, and he can defend them against all potential problems”
Of course, because I’m using this as a story, you already know what happened. All four of them were hacked, two of them to a very significant degree, including the overly confident and completely overwhelmed IT manager.
As a side note, this guy was the reason I conceived a possible advertising campaign for cybersecurity companies: A picture of his aging homey face contrasted with a photo of 50 of the brightest looking young people standing on the steps outside a cloud computing data centre with the caption - Who do you want to defend your company against cybercriminals?
Some of this blind ignorance is based on Hollywood being decades out of date with hacking, endlessly repeating two tropes about cybercrime. The first one is a hacker who is a troubled teenaged genius, often “on the spectrum”, who hacks for curiosity, challenge or just plain ordinary do-gooding. In the latter, the audience comes to support the hero as they prevail and bring down some evil organization.
The other one is bad actors (which goes without saying in most of these movies) for autocratic tyrannical nations or shadowy sinister trans-national organizations (like this actual hack from the beginning of this year). Again the audience is manipulated to be on the side of the hacker.
In both of these scenarios the hackers are individuals going after one chosen target through wile and wit. I’m here to tell you these “narratives” are mostly incorrect. But as I outline in the following article, maintaining this belief leads to persistent dysfunctional behaviour. Cybercrime is an industry, and a growth one at that.
To convince you of this truth, I submit this article as Exhibit 1, a huge story from last week, ignored by most because of the enthralling heat generated by DeepSeek’s product release. An international task force shut down two large operations that were cybercrime one-stop shops. I can just imagine their digital marketing pitch:
Car thefts not as lucrative as they used to be? SEO optimization proving to be tiresome and boring? We have all the tools, tactics, and tutorials for you to jump right into the cybercrime industry. Nearly instantaneous payback from your membership fee.
Actual offerings seized by the authorities from these cybercrime-as-a-service operations included:
Stolen Data: Marketplaces for stolen login credentials, personal identification documents, and databases containing sensitive information, such as social security numbers.
Hacking Tools: Tools for credential-stuffing attacks (e.g., OpenBullet, SilverBullet), AI-based tools to scan for vulnerabilities, and phishing scripts for personalized attacks.
Cracked Software: Pirated software licenses and tutorials on bypassing software protections.
Training Forums: Hacking tutorials, coding discussions, and social engineering techniques.
I think that answers the question, “how did they find little old me?” Criminals use proven automation backed by professional support, not quirky geniuses.
SPECIAL DISH: When you next get a virtue signalling email about a hack, demand far more accountability
I live on a small island where the naïve view is that we are completely insulated from outside criminal elements. But just before Christmas I got an email from one of the local arts groups that they had been hacked, getting many subscribers’ personal and payment information. The clause in the email that infuriated me the most was this:
“Security is of the utmost importance, and we thank you for your patience and support as we resolve this issue.”
I have had variations of this through the years, as business organization after business organization gets hacked and my information is put at risk. It clearly isn’t of utmost importance or you wouldn’t have been hacked. It is time for us to push back on this meaningless virtue signalling. For public businesses, I believe that we should expect to see CIOs, CTOs and even CEOs being fired when this happens. But boards and shareholders are letting them off scot-free.
Mind you, if business leaders were honest it wouldn’t play so well:
“Actually I don’t pay any attention to IT, have no idea about how to plan and implement it, I’m not skilled at dealing with major IT issues in advance. In fact, I need help rebooting my iPhone when it freezes”
Legacy and social media are no better. I read dozens of articles covering cyberattacks over the past three months and it is clear that the journalists, even supposed technical journalists, had no idea of what to ask about regarding these attacks. No questions about the victims’ ongoing cybersecurity strategies or quality of their cybersecurity software. They are more like the naïve customers I mentioned in the first article, aghast in their astonishment, all hand-wringing. We should expect more from them as well.
In fact, many business organizations are woefully unprepared, preferring to get cybersecurity insurance and hire expensive after-the-hack clean up consultants instead. Hiding behind insurance covers the dollars but not issues like customer and stakeholder trust.
Cybersecurity should be the bottom foundational rung of every business organization’s Maslow’s IT Need Hierarchy. It needs to be rock solid before you can achieve great digital successes. Here are some of the crucial actions that are required:
Hire specialists to do comprehensive cyberthreat assessments periodically
Have continuous infrastructure upgrades as the weakest hardware link (you know Bob’s back office computer he refuses to let people upgrade) is often the source of the hack
Have continuous education as the weakest stakeholder (see next section) is often the source of the hack
Implement top quality security prevention products with true best practices
Check on all third party software products being used for their cybersecurity plans
These measures do work. Last spring there was an attempted attack on the province of British Columbia’s government infrastructure. The province is in the middle of a multi-year program to upgrade their cybersecurity. Although they were breached, the incursion was quickly found, and the threat was minimized. These are the business organizations that deserve our respect.
We all like to live in a mostly digital world but it comes with costs that must be borne by all of us. As the cliché says, “you can pay me now, or you can pay me much more later”. Our local little arts group had to cancel lots of events while they “rush implemented” a new booking and event management system.
MENU MISTAKES
Let me get this straight. Some of the people protecting the USA from other countries are clueless enough to just connect directly onto Chinese servers so they could play around with the latest AI thrill? What could possibly go wrong? This makes cybercrime of the foreign actor variety mere child’s play. Again, no genius required.
Thanks to all of you who read, especially to those who made it this far. Be back on Thursday with a couple of tidbits. Starting to get more feedback, which is much appreciated.
It’s mind-boggling how many businesses still treat cybersecurity like an afterthought, especially when the stakes are so high. The idea that cybercrime is some niche activity carried out by quirky individuals or shadowy nation-states completely misses the mark. Cybercrime is a booming industry, and it’s thriving because so many organizations are still stuck in the “it won’t happen to me” mindset.
PS The virtue-signaling emails after a breach? Infuriating.
Accountability is sorely lacking here. If a company can’t protect its customers’ data, there should be consequences—not just for the IT team, but for the leadership that failed to prioritize cybersecurity in the first place.
Catching up on some reading - This was a good one David.