Natural curiosity can lead some to open some wrong doors
Company directors underestimate the risk of cyber attacks, largely because they don't believe themselves to be a target. That's according to Shelton Newsham, who spent 20 years in the West Yorkshire Police, including four as leader of the Cyber Prevent and Cyber Protect functions and the Organised Crime Unit of Yorkshire and Humber Police, before leaving at the end of last year to set up a consultancy Newsham Business Solutions Ltd.
In his Cyber Prevent role, he and his colleagues acted as mentors for young people who for one reason or another had come to the attention of the police, with the aim of persuading them to direct their disruptive talents into GCSEs and A-Levels rather than veering off into illegality.
Young people who get involved in cyber crime come in all shapes and sizes and act according to a wide variety of motivations, from securing bragging rights to pure intellectual curiosity. The children he came across with Cyber Prevent were generally boys and mostly aged between 12 and 15, reported by teachers for hacking the school or having an obsession with the dark net, although some were as young as 9 or 10.
If they hear about a web stresser tool that can knock their opponent offline on Fortnite they may just download it
"There's an experimental phase, whether it is born out of frustration or boundary testing, or whether they've just heard things," said Newsham.
"Obviously everything's so accessible now, so if they hear about a web stresser tool that can knock their opponent offline on Fortnite they may just download it."
The availability and ease of use of hacking tools means someone with few if any coding skills may be able to DDoS their school out of revenge, a sense of mischief or simply to raise their social profile. And because cyber space has few of the usual ethical norms, they may not believe what they are doing is illegal or in any way wrong.
"It's about trying to be the best they can be in terms of their peer group and have everybody looking up to them," Newsham said. "So if you can, for a joke, knock the school offline you may do it. In society and sports where people are trying to grow and develop their skill set we have norms and controls, whereas when they're online they don't necessarily have that. That's where the parental support is really, really important."
Some kids are natural coders from a young age; these aren't generally the ones that get into trouble.
"What I've found is some of those actually have quite a good understanding of the ethics around it because it's more likely that they've had more parental support."
For others it's all about self-improvement, experimenting in an environment where they feel comfortable.
"They're not looking at breaking the law, they're really self-testing, challenging themselves. If you've got a gift it may be quite difficult to get validation if your mentality is that you don't like public engagements, you don't like talk to a lot of people - but actually you really like to type code."
These kids can fall prey to cyber criminals who frequent the same chatrooms as they do, unbeknown to their parents or guardians who are frequently oblivious.
"Criminals will look for an opportunity, and they'll go ‘Wow, you can set up an email template that's amazing, can you do this'? And there's validation for them, they feel elevated, appreciated."
Their parents and guardians sometimes feel it's safer that they're in house rather than on the streets
The criminals may then draw them in deeper into their schemes, perhaps offering Amazon vouchers as 'payment'. This situation can be made worse by adults trying to protect the children, unaware of the digital generation gap, said Newsham.
"Their parents and guardians sometimes feel it's safer that they're in the house rather than on the streets. They don't understand that once you're in that bedroom you've got a global audience potentially, and you can go into certain chat groups and be social engineered and coerced into doing things you wouldn't otherwise do."
For parents and guardians, therefore, education as to the nature of the online world is essential for their safeguarding.
Meanwhile, company directors who feel secure in the belief that they are of little interest to a potential attacker would do well to note that money and industrial espionage are only two possible motivations for cyber crime. While a nation state or serious organised crime group might pass them by (although the risk of being a stepping stone in a supply chain attack should not be ignored), "it might actually be an insider threat or an accident - or it could be someone who's just challenging themselves. It's important that businesses understand their threat landscape and that their exposure to this is actually a lot wider than they know."
As with parents of teenagers, Newsham says the right sort of training and awareness raising are critical. Security is most effective when built from the ground up, and that begins at home, he added.
"It's not what the board feel is necessary, because they often don't know. It's about the staff, helping them understand what could be a threat in their home. Because once they start to understand that [mitigation] becomes a normal behaviour then that's going to start embedding security into the company."
Shelton Newsham is speaking at the Computing Cyber Security Festival in July. Book your place now