You may know computers but you dont know computers like the BAD GUYS know computers

As a small managed service provider (MSP) and managed security service provider (MSSP) we often get ask by our clients what is the best way of protecting their data.

This question is definitely like asking how long is a piece of string?  

In a large number of SMEs the role of looking after computers and users usually falls to the guy who knows computers. In most cases he is the salesperson who is seen to know computers because they are gamers. Or he is the person who has their own website, so they must know computers.

In most cases this is bad thinking. From a revenue perspective you take that person away from making money. From a technical perspective they probably only know a little more that everyone else in the organisation. Definitely not enough to think strategically.

The biggest problem is the title of this post - you may know computers but there is no way that you know anything like the level of expertise that is constantly and regularly demonstrated by the bad guys and the sudo bad guys.

There is a hierarchy of knowledge and capability when it comes to the digital criminal. Even downloading a movie, album, song or piece of software through a torrent constitutes criminal activity, but today, we are not talking about this.

There are three levels of digital criminal, and the difference between the three can be clear or as muddy as possible.  

The largest type - bored teens

First and the most prolific are the bored teenagers. Usually called "script kiddies", the 12 - 25 year old who have questioning minds and want to see how things work and once they understand this how they can do something that no one else has thought about.  

They get most of their information from chat rooms, google, YouTube and message boards. The information is out there, all you have to do is look!

They "hack" more for the bragging rights than to go down the criminal path. These people eventually, hopefully and mostly lead into your school systems doing degrees in programming, network administration, robotics and AI.  

These are the ones in it for the fun and enjoyment of the digital world, in most cases their expertise far outstrips their pursuit of money. In this pursuit they also become pawns.

The script kiddies make up 85% of the bad guy hierarchy.

Fighting for the rights of zombies

The next 14% are the hacktivists. The people who perceived to have been wronged by someone. They have come through the ranks of the script kiddies and have a cause.

Freedom, capitalism, economic exploitation, loss of rights and environment all come to the fore.  This group is a lot more savvy. They play the game and they play it exceedingly well.  

Anonymous is a classic example of hactavism at the grass roots level.

The top or bottom of the pile

But, when it comes to the bad guys, the top 1% make the rest pale into insignificance. 

These are the true criminals, the leaders in the criminal enterprises. The elite, the ranger or SAS force of the hacking community. In most cases they are good at what they do.  

In this group are some good guys, the white hats, the penetration testers. These are the ones who see that using their skills for good is an ethical good fit.

The bad guys have a distinct advantage. They have money, time, capability but most important a total disregard for you and everything you stand for.  

They are classic narcissists!

How do you protect your organisation?

In most cases you have to start with the fundamentals and invest some money in getting them understood by your organisation. 

What are the fundamentals for protecting your organisations data?

• Patch everything
• Next Gen Firewalls
• Anti Virus
• Passwords
• Backups
• Paranoia
• Training and education
• Awareness
• Get in some professional help and support

So the next time you say "we are too small to be a target" think about those script kiddies, could they get in?  

Think about those hacktivists, what has your organisation done to upset them? Are you protecting against that?

More importantly what have I got that the top 1% want and am I protecting it correctly