A lot of smart professionals appreciate that governments and companies need to be concerned with cybersecurity, yet don’t feel personally at risk. Many people respond with some variation of the same question. Why would a hacker attack me? The thought process of these “netizens” is totally understandable. However, it’s based on a miscalculation regarding the cyber threats that exist. It’s easy to appreciate the basis for our netizens’ perspective: I’m not rich and famous, so hackers wouldn’t target me. Nevertheless, this underestimation increases the risk to your personal cybersecurity.
First, Why would a hacker attack me? is the wrong question. It’s similar to the idea of security through obscurity. (Spoiler: It doesn’t work.) The problem is that lots of cyber threats are going after large quantities of victims, rather than targeting individuals. Think of it this way. When tuna swim in schools, the relative obscurity provides protection for the individual tuna from predators like sharks or killer whales. However, that obscurity doesn’t provide any protection from fishing trawlers that are trying to net as many tuna as possible. Odds are that hackers aren’t targeting you specifically. It’s much more likely that they are seeking to compromise, or pwn, as many systems as possible. Thus the question you should ask is, Why do hackers attack people?
Second, hacker isn’t the term we should be using, so let’s be more specific. We’re really talking about cybercriminals, who are seeking to compromise all these computer systems (including yours). So we can further refine our question. Why would cybercriminals attack people? The short answer is… to make money. Like most professional criminals, typical cybercriminals are in the business of illicitly making money and often building a reputation. Cybercrime offers organized crime groups greater potential reward with less risk. A cybercriminal organization, in someplace like Romania, Russia or Syria, can steal millions of dollars from people and companies across the globe with reduced risk of ever being arrested.
Since cybercriminals are probably generally (rather than specifically) targeting you, how would they make money from compromising your system? Let’s divide their methods into three broad categories: 1) steal your money, 2) steal your information to sell to other criminals, or 3) use your computer to attack other innocent victims. These goals can largely be accomplished with malware delivered to your systems via malicious Internet links, spam or other nefarious means.
Steal Your Money
This goal is relatively intuitive to people. After clicking on a link or opening a file you shouldn’t have, the bad guys are alerted that another victim has been caught in their net. There are numerous ways in which your money could actually be stolen. Cybercriminals could access your bank account and transfer funds out. They could make fraudulent charges on your credit card. They could use your personally identifiable information (PII) to apply for new credit cards or loans in your name. They could encrypt the important files on your computer and extort a ransom from you to unencrypt them (like the May 2017 WannaCry ransomware attacks). Whatever the attack method, your financial loss is their gain.
Steal Your Information
Instead of personally utilizing your stolen PII themselves, cybercriminals can sell your information in underground markets. Cyber breaches of third-party organizations, such as retailers, healthcare organizations, or government entities, are often the cause of your PII being compromised. However, cybercriminals have successfully used phishing campaigns (i.e., sending spam) like this one and malware like Beta Bot to steal PII directly from end users. Why would cybercriminals sell your information, rather than exploit it themselves? Likely because they stole more PII than they can personally exploit or (more likely) PII exploitation is not that particular cybercriminal’s specialty.
Zombify Your Computer (or Other Devices)
Cybercriminals can use malware to zombify your computer, then enlist your computer in their botnet (i.e., a zombie computer army) to commit crimes around the world without your knowledge. As the Internet of Things (IoT) brings more and more devices online, the number of devices in your home that can be drafted into botnets is increasing dramatically. Imagine your smart thermostat or Wi-Fi-enabled baby monitor being used to rob a regional bank in Belgium or breach a government ministry in Singapore. The largest botnet to date was BredoLab, which included the combined resources of 30 million infected computers. Cybercriminals also rent out their botnets to other criminals (or worse).
Whether we’re talking about stealing your money, stealing your information, or zombifying your devices, cybercrime is largely a volume business. Rather than sitting in front of a keyboard trying to attack your computer, cybercriminals are casting wide nets made up of malware, spam, malicious links and other nefarious means to compromise as many systems as possible.
There are plenty of cyber threats facing netizens, but now it’s time for the good news. While cybercriminals may want to attack your computer, they’re not specifically targeting your computer. That means you can dramatically reduce your personal risk by improving your cyber hygiene. Just as good personal hygiene reduces the likelihood of your health being compromised, good cyber hygiene reduces the likelihood of the health of your systems being compromised.
Stay vigilant.