And that’s exactly why we’re so vulnerable to cyberattacks, says Jake Moore, an ESET Cybersecurity Specialist and a white hat hacker with 14 years of experience in digital forensics and cybercrime investigations. He never lacks the motivation to scrutinise and test how small businesses perceive and handle cybersecurity. In most cases, the answer is: rather poorly.
Let’s start from the other side. Since you’re constantly trying to make the lives of hackers harder, for many of them, you must be a very attractive target. Have you ever been hacked?
That’s right! But no, I haven’t been hacked. Or at least I don’t think so. But someone did try to duplicate my Instagram account and started sending out messages to people, reportedly being me. But guess what – one of the people the attacker messaged was a colleague of mine. And he had a great conversation with that guy, stringing him along, which was hilarious. I got all the screenshots of the conversation. Although I have never fallen victim to a cyberattack, I always think I could. I’m extra careful, being cautious with links I click on as well as with the email attachments and so on.
Sounds like a “hope for the best, expect the worst” approach?
Absolutely. Sometimes my wife even thinks I’m rather rude on the phone, but I’m just being cautious with unsolicited calls and wary of the worst-case scenario. If only more small businesses thought like this too! But unfortunately, they tend to think nothing can happen to them, which is a bit outlandish. Everyone’s a target, after all. Small companies sometimes believe cybercriminals would rather go after the big players, but in fact, hacking 100 small businesses can be way easier to accomplish than going after one massive corporation.
For 14 years, you worked for the Dorset UK police force, specialising in cybercrime investigation. Were you also solving cases related to SMBs?
Quite often, I used to be in touch with loads of sole traders as well as businesses that had less than 50 employees. Mostly, they had no idea how vulnerable they really were. They often thought they didn’t have the money to implement a cybersecurity solution, even though there are cheap or even free ways to protect a company. When I gave them basic advice like recommending using two-factor authentication, they often asked: “What’s that? That sounds expensive.” They were just leaving the windows wide open to attacks. For many of them, this was a fatal error.
In your recent piece, you wrote about how you went undercover – masked as a TV assistant producer, Jack – to hack the network of a luxurious golf club. And you succeeded; the staff even left you alone with the company devices, potentially allowing you to exploit the whole network. What should have been done differently from their side?
First, they should have asked for some sort of ID, especially if I was going 'behind the counter' so to speak, wanting to stick a USB drive into their machines. This is a basic security no-no. But since I visited the golf club a week before to introduce myself, saying how lovely their course was, which was obviously very flattering for them, they thought they already knew me and trusted me. Also, I did not expect to see a Windows XP machine (the XP operating system has been unsupported since 2014), which was even connected to the point-of-sale machine. Another no-go. Such machines can even be remotely attacked. The devices should have been on the latest operating system. Many small businesses have their devices running on outdated systems since they think when it’s not broken, there’s no point fixing it – but in fact, it’s a huge vulnerability. This golf club stores huge amounts of data, mostly of very wealthy people, and this data could potentially be worth more than a financial attack. And therefore, it’s very tempting for hackers.
Are such cyber-physical attacks a common strategy of cybercriminals?
Especially before the pandemic, I read a lot about criminals attempting to get into databases physically. Sometimes they pretend to be a workman, or a postal worker. Now it’s not that easy anymore since there are fewer people in the offices and it is harder for the hackers to hide. But I do feel that when people start returning to the office, such attacks might resurface more often, with cybercriminals putting face masks on, using a valid reason to hide their identities even better. Cyber and physical security need to be considered all at once. Preventing the attack from happening is a far better strategy than dealing with the aftermath.
Some companies rely on cyber insurance.
Unfortunately; that’s because the idea that they have this security blanket can lead to neglecting prevention. It’s not like having your car insured and getting your cash back once an accident happens. Cybercrime doesn’t work this way. If one digital copy gets stolen, it can multiply around the world and go everywhere, so even if you have the costs of the attack covered by the insurance company, you can still lose businesses and livelihoods. This is the reason why you shouldn't only rely on cyber insurance. The optimal strategy is to stop the cause before it even takes effect. I would put more money into preventing the attack from happening, rather than focussing on the cost analysis of insurance. Some insurance companies even pay the ransom in case of a ransomware attack – thereby directly funding the whole business cycle of ransomware.
Mr. Robot teaches cybersecurity
The human factor is often named as the biggest enemy of cybersecurity. But with so many potential mistakes people can make, is it even possible to train everyone so well that all risky behaviour is mitigated?
I think it’s at least possible to raise the number of people who are aware of the attack factors. Businesses are never going to be 100% watertight. I accept that. There will always be people making mistakes. But now, far too many people are vulnerable. My guess is that only a fraction of people in most companies are cyber-aware. You wouldn’t believe how many people still use the same password for several accounts!
Is it possible to educate people without scaring them?
That’s the line I’m trying to find when writing my articles and planning awareness activities. I made the decision to come across as humorous, because I think if the content’s funny, people will carry on reading it, and if I manage to throw in a little education too, then my job is done. When I started teaching security, people said they were already bored of hearing the same instructions again and again. But I asked myself: have they read a real personal and catchy story? Probably not. So, I started writing them. When people come and say they read my article and started caring, that makes me so proud. Education must be fun, entertaining, short. Six-hour long cybersecurity instruction videos just don’t work.
Do you think the popular series Mr. Robot could also be a good source of educational material?
A brilliant one! I loved it and it’s very true: people could learn from it a lot. They might realise how easy it actually is to hack a device. And that not all hackers sit in a basement with a hoodie on – it can be any one of us.
You’ve white-hacked several businesses. Was there a role model that stood out and could be considered completely immune to your attempts?
Honestly? No. Every single time, I got exactly what I wanted. But I have a dream: I’ve always wanted to (ethically) rob a bank. I even asked the Bank of England, pleading if I could attempt to do something with their network. They said “no way.” So, I asked if I could at least steal a pen.
...And did they let you?
No, they told me to put it back where it belonged. Anyway, I haven’t given up. Because one day, I want to write a blog with a title saying: This is how you rob a bank.
Jake Moore, ESET Cybersecurity Specialist and Spokesperson
Jake previously worked for the UK Dorset Police for 14 years, primarily investigating computer crime in its Digital Forensics Unit on a range of crimes from fraud to missing children. During this time, using techniques allowed under the law, he learnt how to retrieve digital evidence from devices in order to help protect innocent victims of cybercrime. He then became a cybersecurity consultant for the police force, delivering tailored advice to the public, schools and local businesses with the goal to help the community and build on their existing security knowledge. He’s also a passionate surfer. Is there some parallel between surfing and cyberspace, the two fields he’s so passionate about? “You can never, ever second-guess either of them. No matter whether in the cyberspace or in the sea: always expect the unexpected.”