Being brought up in a rural community in on the Worcestershire / Gloucestershire border, life had a less frantic pace than the images of life and business that permeated into our living room from the TV. It was quiet, it was peaceful. To live here you had to learn something. You had to learn how to be patient.
The benefit of patience was illustrated to me by one of our relatively close neighbours. Andrew was a quiet unassuming man living most of his life under the radar of others. I’d deliver the paper to him, he’d be doing his garden, helping out at the village fete he seemed perfectly happy in his day to day village based life. One day the beautiful house that was opposite his little bungalow came up for sale. He went to the estate agents, and bought it, there and then. No quibbles, no arguments, paid the asking price and within 6 weeks moved in. Apparently when he first moved to the village this was the house he wanted, but it wasn’t for sale, so he lived opposite. He knew that one day it would come on the market, like every house always does. He worked hard, saved up and come the day he was ready. He played the long game. He knew what he wanted, he devised a plan, he executed it perfectly and I have to assume, lived a very long and happy life there. The lesson? Patience pays.
A cyber criminal, a successful cyber criminal, is patient. They are not a hacktavist or a hacker, they are not the ones that are motivated by disruption or the advancing of a political, or ideological ideal. They are an old fashioned planner but with access to technology. They are calm, unassuming with a high level of technical skills. You can even have a sneaking respect for them. In an age of personality and where instant gratification is the reward for extroverted attitudes, the patient individual can be overlooked, almost dismissed. You dismiss these criminals at your peril.
This style of cyber criminal was recently discussed by IBM, on their security intelligence pages, they said “The slower actors attack your network, the greater the chances that they’ll fly under your radar. The criminals can take weeks or even months gathering information before launching their attacks in bits and pieces over time. This is how many of the big breaches play out”. These cyber criminals have one simple aim – to attack your organisation. They are totally unencumbered by the multitude of tasks that anybody in business is wrestling with. They don’t’ have to worry about all of the issues that a modern company, or manager has to deal with. They have the ‘luxury’ of being purely focused on their ‘work’, not customers, not support, not looking for new suppliers or renegotiating contracts, they have no HR issues to deal with and no new marketing strategy to develop, implement and monitor.
These criminals have exactly the same 168 hours in the week that you do – but you are so busy! Nobody I know (who is in full time or part time work) has enough time, always busy, always running around. When I see them the conversation usually starts with a list of activities that they have completed, like hurdles round a race track, just got over this one, then that one, then there is another approaching just around the corner. To be busy is a badge of honour in our current climate, it signifies importance, success, drive, motivation and more. The patient individual can often be overlooked. Just consider for a moment if there was somebody in your open plan office that was just sat there; looking out of the window; and you (or your boss) confronted them and said “What are you doing” and their response was “I’m thinking; patiently”, well their days would be numbered.
The average cyber crime takes around 200 days to discover, according to many reports. Although the trends are decreasing by about 10% per year, it still means that crimes remain undetected for over 6 months. That means that many businesses have suffered crimes that they are not even aware of today! They could have suffered loss from criminal activity last August and still not discovered it. That means that today, right now, as you read this thinking that everything is ok, one patient quiet cyber thief is already enjoying the fruits of their ill gotten gains that were obtained from under your technological nose last summer!
In order for companies to tackle cyber crime, to prevent these patient stealth like assailants from helping themselves to somebody else’s’ hard earned cash and reputation, they need to develop a long term, multi facetted approach to cyber security. They need to develop a cyber aware culture within their organisations. They need to install complex end point monitoring and resolution software and to stay on top of the ever changing threat landscape, they need to develop a longer term cyber strategy, they need to play the long game. I’m sure they will all do that, but only when they have the time.