Situational Cyber Crime Prevention
I just made chilli, and to be honest, eating it was the highlight of an otherwise unfulfilling week. It’s been a challenge to get into the swing of having the household to look after, now that Mrs SecurityGeezer has gone away for the summertime, leaving me here with Jasper and Nacho to psycho-analyze. It’s also been a bit of a challenge to get things done in the office. The last year has been spent getting some additional fitout work done there, and it’s just sort of dragged on a little, so now that we’ve imposed a deadline on ourselves, there have been a lot of little things that have needed to be sorted.
Do you know how difficult it is to find a conference room table in glass that’s longer than 2.4m? Sheesh…
But what is also somewhat exasperating is the market we’re in. It amazes me that we can work in this industry and this region for all these years, and with the wealth of experience accumulated within the walls of our organization we still frequently look at each other and shrug our shoulders, wondering what on earth will happen next. Life seems to consist of a constant cycle of meeting people you don’t trust but with whom you have to take tiny leaps of faith, being introduced to dead-cert opportunities that turn out to be anything but, and working your way through a minefield of products and manufacturers that either don’t work or don’t understand the market.
This is a really nice infographic that popped up on a blog I follow, showing the 300 biggest data leaks in a lovely blobular representation. It feeds neatly into a topic I’ve been discussing a lot lately.
You look at this image and it’s obvious that lots and lots of data has been lost by lots and lots of organisations. These are just the biggest ones, so in amongst the blobs really there are millions of tinier blobs that represent the data loss that’s going on in companies all over the world all of the time. But who’s letting it happen? Security??
No – and this is possibly the most important point I can make in this or any other of my blog posts. Whilst organisations compartmentalize loss prevention into an isolated “Security” response, they will continue to fail to prevent the big blobs from appearing on this infographic.
When supermarkets “lose” tins of beans, it’s because beans that were part of the business’s inventory become not part of the inventory. That can be through theft or errors or damage. Beans that were on shelves move from the shelves to somewhere else. How do you prevent it from happening? Reduce theft by applying strong security methodologies, reduce errors by applying strong accounting methodologies, reduce damage by applying strong management methodologies.
When businesses “lose” data you cannot rationalize the situation down to a few simple scenarios. Imagine the business in question is a supermarket, and it loses the data on all of its online delivery shoppers. Same business – totally different problem – totally insoluble through simply implementing strong security, strong accounting or strong management, because the data wasn’t sitting on a shelf.
The uncertainty inherent in many of the more traditional crime prevention concepts resulted in the Situational Crime Prevention methodology developed by Ronald V Clarke. The idea here is that you can’t easily understand the motivations of a criminal, so you cannot outwit him by predicting his behavior. Instead, crime can be prevented by simply removing the opportunity for crime. Remove the asset. Limit access to the asset. Create an environment that discourages the commission of crime or places significant obstacles between the criminal and his quarry.
The end result of Situational Crime Prevention can often be displacement rather than prevention – but from the victim’s perspective, there is nothing wrong with displacement, because at least the victim is somebody else.
I’m proposing a similar set of countermeasures and crime-prevention techniques that I’m calling Situational Cyber Crime Prevention.
Over the coming blog posts I’m going to explain some of the principles of this approach.