Hacking Motivations - Where Following the Money is Going

Was a time, way back when I first got into IT, that the primary motivation for hacking was notoriety, infamy, and the occasional retribution for public flaming.  That said, there were certain financial motivations and corporate espionage aspects in those days also.

And really, the prime motivation for people to do anything is always money. As they say on the innumerable crime procedural dramas, "follow the money."

What is interesting is how things are evolving, or more accurately, being exposed, these days with respect to where following the money takes you.  We always assume hackers are targeting personal financial and health data for the purposes of identity theft.  More recently, cyber-terrorism concerns are on the rise with SCADA attacks coming to the forefront in the US and elsewhere. And these are absolutely valid, as well as the continued and large risks of corporate information being accessed or destroyed for corporate espionage or disgruntled employee revenge.

But consider a BBC Radio 4 documentary exposing how UK private detective agencies are using hacking skills to expose potential news stories that they are bringing to certain nameless major media outlets.  And if you think that activity is limited to those rascals over in the UK, I encourage you to replace your head in the sand immediately to continue your blissful ignorance.

How does this change what we do as security and privacy professionals?  Again I'll go to my standard refrain of the urgency and priority of IT security and privacy policies and governance in each of our organisations.  But what this "new" information gives us IT security professionals is additional support tin our budgetary discussions.  If we want to do our jobs, and do them well, the reality is we are competing for each dollar (particularly this time of the year) with every other IT service related initiative and operational need.  We need to make our business case concise, and tailor our plans to address the highest risk areas first.  If you work somewhere with a relatively low probability for natural disaster or civil unrest, then your local media is going to be busy trying to get stories that make them money.

Can they make money off revealing information about your organisations operations or strategies? Then that is what they will be interested in doing, and don't doubt they are already looking for ways in.