Ashley Madison: Could It Happen To You? Part 1
I’m not talking about being caught having an affair.
I’m talking about the hack that caught Ashley Madison completely by surprise.
For those of you who don’t remember or were not paying attention, Ashley Madison was a website that connected people in couples with other people also in couples.
If you wanted an affair or to cheat on your spouse, Ashley Madison was the website for you. It promoted infidelity for those who wanted it.
Of course, since affairs (and by extension infidelity) are a very private issue, Ashley Madison promised users that privacy was one of their top priorities, and their data was secure.
This changed when the website was targeted by hackers, and all the user data was made public.
For the first time ever, people could check the user data to find out who was using the website. This was a life-changing event for everyone who was outed. Relationships were ended and some individuals could not continue bearing the reality that they couldn’t be trusted.
Your business’ data may not be anywhere near as shocking or life-changing as Ashley Madison’s, but it raises the question: could you be next?
Why would anyone hack my company? No one knows me!
It’s true that Ashley Madison was quite a high-profile target. There was also a noticeable result when the data was leaked. Those are some of the top reasons hacker groups target companies.
But to think that your company is off the map is a very risky thought.
For starters, you don’t know if that’s true. Many businesses start with the intention of growing and being dominant in an industry. If you believe you are a main player in your industry, there’s a good chance you have already been deemed a potential target by a hacker group.
Second, hackers start somewhere, and they always want to improve their skills. Targeting low-profile companies and businesses is the perfect way to gain experience without drawing a lot of attention to yourself.
Finally, your data might be more private than you think. As we discussed before, for your data to be unimportant, no one can care whether it is released. As long as someone cares, your data needs to remain confidential.
But I never hear about other small businesses getting hacked!
That’s true. But here’s something to think about if you believe that.
Many people were using Ashley Madison to cheat on their significant other, and for obvious reasons without their partner knowing.
Even though the other party did not know their partner was cheating on them, it did not mean it wasn’t happening.
Just because you don’t know about it doesn’t mean it doesn’t happen.
And just like an affair, many businesses are not very keen on telling other people, especially rivals, that they were hacked.
But there is nothing to gain by hacking my company!
When we look at hacking and the resulting fallout, we always believe a company was hacked because of its high profile, the chaos the hack would cause and the losses the company would have to endure.
This mindset makes us think hacks like these are motivated by factors such as greed, arrogance, superiority and sometimes revenge. This is not wrong.
However, that’s not the only reason people hack.
Let’s look at a golf course, and the people on the course on a given day. Assuming there are more than 10 people (which there usually are), we have a lot of individuals playing golf.
To think that everyone is there for the same reason would obviously be wrong.
Some are there to learn how to play, some are there to observe. Some are trying to be the best in the world and some are just playing for fun. Some people are there because it’s their job, some are trying to make business deals and some are trying to impress their significant other.
Everyone is doing the same activity with different motivations. It’s true for almost every activity.
I can’t tell you all the reasons why someone (or a group) would hack your company. But to think they won’t do it because you aren’t high profile or that you are not a good source of chaos is a more damaging thought than you think.
But I don’t see hackers infiltrating my company data. Wouldn’t I know if this was happening?
Yes and no, for both the statement and the question.
You’d be surprised, but not every hack is the theft of company information. Some hackers are just content to crash your computer every time you do something, or fill your screen with pop-up ads.
A lot of hacks are done through viruses or misleading links rather than someone directly infiltrating your company network (it is possible to hack without viruses; it’s just significantly harder).
First, in order to do any hack, you need company information, which only an insider could give or a virus can retrieve (or someone can just “walk in” and grab, if your security is that poor).
Second, it takes a while to work through a process where you can steal company data. Many people never see this part occurring, mainly because nothing has actually happened yet.
Finally, the only time you know you’ve been hacked is when you’ve become a victim. Until then, you haven’t been hacked yet.
And of course, if you did know it was happening, it wouldn’t be a hack in the first place.
But companies aren’t hacked every day! Why aren’t security companies doing something about it?
Remember you don’t know that companies are not being hacked just because you haven’t heard about it.
But it’s true that if it was happening at such a high frequency, there’s a good chance security companies like Norton, McAfee and AVG would be doing something about it, or have already done something.
The truth is they have, but they can’t counter everything.
Obviously no one would be buying or using any sort of computer security or anti-virus if it never worked. The reason you are NOT seeing attacks is that with an effective anti-virus program, most of the attacks never reach you, or are detected and removed immediately.
This would not be possible if security companies weren’t working hard to protect against current attacks and anticipate future threats.
Of course, just like any threat, you don’t know it’s a threat until it happens. New viruses are being created by hackers every day, and even the best anti-virus can only anticipate so many before it misses one.
This is why you sometimes hear the “well XYZ anti-virus didn’t work” complaint. It’s not so much that it didn’t work (unless it’s a shady brand) but that you ran into a threat that was not seen as a virus. Yet.
Once a company knows it’s a threat, updates are sent out to improve the anti-virus. But somebody has to be targeted first, then security companies can deal with it.
Even if security companies can prevent threats, that’s just from viruses hackers create. If your network infrastructure was poor to begin with, hackers won’t even need viruses to hack into your system.
And again, if someone in your company is working with the hackers (intentionally or unintentionally), no defence is going to work.