Our competitor has worse security, so we're doing well aren't we?

Posted on 2021-02-23 by Matt Strahan in Business Security

In business you have a day-to-day competition that feels very “survival of the fittest”. Your competitors come up constantly in meetings. You note their movements and announcements and try to match their moves. Companies don’t exist in a bubble; they exist in a constantly moving industry and competitive landscape.

It’s no wonder, then, that when we talk about risks for a business after performing penetration testing or testing their compliance against ISO 27001 or NIST, we’re asked “how does this compare to the industry we’re in?” This is a valid question, don’t get me wrong, but I sometimes wonder: what difference does it make?

How businesses are targeted

Let’s pretend we’re one of the bad guys now. How do you target companies?

We kind of think of the bad guys as an almost ethereal threat, but really they’re just people doing their jobs. They often work 9-5 and have offices to go to where they launch their malware attacks and phishing attacks. With my pretend bad guy, I’d be coming into the office, getting some coffee, and complaining to my coworkers about how I was kicked out of a network the other day before I could properly encrypt everything and ransom off the data.

When choosing my targets, I might even have KPIs to meet so I’ve got to be efficient. How would I make my choice as to targets? For me it’d come down to:

  • Are they vulnerable?
  • Can it be monetised?

Finding vulnerabilities can nowadays be mostly automated by the bad guys. They launch their phishing attacks and put out malicious software. Even spear phishing can be automated pretty effectively. To do this, my evil company has a development team and partner relationships to make sure I’m spending as little time managing the phishing as possible.

What does that mean on the defenders’ side? It’s like the joke with the two people running away from the bear. “Why are you lacing up your shoes?” one asks the other. “There’s no way we’re going to outrun that bear!”

“I don’t need to outrun the bear,” the other says, “I just need to outrun you.”

Why would they care what industry you’re in?

In none of my pretend black hat role playing would I go “who specifically is this company I’m targeting?” Apart from monetisation potential it wouldn’t really matter who the company is or who the competitor is. Why would I care?

This is where organisations on the defensive side sometimes misstep. Obviously you care whether you’re specifically targeted or not, but the people targeting you probably don’t. If you suddenly can’t compete in your industry, they don’t feel it’s their problem, and they won’t cheer if you suddenly get a competitive advantage because of cyber attacks on your competitors. While the specifics of your industry could be everything for you, to the attackers they don’t really matter.

In the cyber crime market you’re not competing within your industry, you’re competing against every company in the world to not get compromised. It doesn’t matter if everyone in your industry is good or bad or somewhere in between. If your company falls into the “insecure” side of the internet then you’re at risk.

Comparing yourself to the industry

How, then, should you use the security status of your competitors? Probably not as a target, since after all you don’t want to make the same mistakes your competitors make. It can, however, be a bit of a motivator. It’s a good argument to go up to your board and say “look, this is what our competitors are doing!” It can be used to convince boards to unlock the funds required to appropriately secure the organisation.

At its best, cyber security can be a differentiator in your industry. Customers can recognise when you make an effort to lift yourselves above the rest of your industry by demonstrating good cyber security practices. Pushing past the “industry standard” can be a way to lift yourselves up.

About the author

Matthew Strahan is Co-Founder and Managing Director at Volkis. He has over a decade of dedicated cyber security experience, including penetration testing, governance, compliance, incident response, technical security and risk management. You can catch him on Twitter and LinkedIn.

Photo by Victoire Joncheray on Unsplash.
