Let’s start with the new cybersecurity reality: no organization is too small to be a target for cybercriminals. While large enterprises often have robust security measures in place, mid-sized and smaller companies are increasingly finding themselves in the crosshairs of pragmatic criminals seeking the path of least resistance. In this blog post, we’ll explore the mindset of these bad actors and what steps organizations can take to fortify their defenses.
The Criminal’s Perspective
Contrary to popular belief, cybercriminals aren’t necessarily motivated by a desire to take down the biggest targets. Instead, they’re rational actors driven by efficiency and return on investment. Their goal? To achieve their nefarious ends with minimal effort and maximum payout.
As Mike Pittenger, a renowned cybersecurity consultant, puts it, “Criminals are evil, but they’re pragmatic. They’re rational actors trying to achieve their goals in the most efficient way possible.” This mindset means they’ll often target low-hanging fruit, such as organizations with lax security controls or untrained employees susceptible to phishing attacks.
The Low-Hanging Fruit
So, what constitutes low-hanging fruit for these criminals? Pittenger highlights two primary attack vectors: phishing and known vulnerabilities.
Phishing attacks are a favorite among cybercriminals due to their low cost and high success rate. By impersonating trusted entities or enticing users with too-good-to-be-true offers, criminals can trick employees into divulging credentials or installing malware.
Known vulnerabilities in open-source software and operating systems present another tempting target. With thousands of vulnerabilities disclosed annually, criminals can simply scan for unpatched systems and exploit them with readily available proof-of-concept code or exploits.
Building a Cybersecurity Program
To combat these threats, organizations must take a proactive approach to cybersecurity. Pittenger recommends starting with a comprehensive assessment to identify existing controls and areas for improvement. Industry standards like those from NIST can provide a valuable framework for this process.
Once vulnerabilities have been identified, organizations should prioritize patching and employee security awareness training. Phishing simulations and regular reminders about best practices can transform employees from potential liabilities into a human firewall against threats.
As the program matures, organizations should consider implementing endpoint detection and response (EDR) solutions or managed detection and response (MDR) services. These tools can detect and respond to threats that have bypassed initial defenses, providing a crucial layer of protection against advanced attacks.
Conclusion
Today, complacency is the greatest risk for cybersecurity breaches. By understanding the pragmatic mindset of cybercriminals and taking proactive measures to address low-hanging fruit, organizations of all sizes can fortify their defenses and protect their valuable data and systems. Remember, the first step is assessing your current state and building a solid foundation for a comprehensive cybersecurity program.