I was recently at a cybersecurity conference where several presenters covered the various types of attackers: insiders, hacktivists, terrorists, state-sponsored hackers, and fraudsters.
I've seen this list so many times, and at all types of industry gatherings, that my eyes immediately glaze over when conference presenters start ticking off all the species of malicious actors.
But this time something tickled my brain: Would someone who falls for a social engineering attack or who has lousy computer security qualify as an "insider"? Or is malice required? What is it about knowing attackers' motivations that could actually help cybersecurity experts improve computer defenses? Would we build different security tools for a hacktivist and for nation-state attackers? I don't think so.
It seems that checking off the usual lists of bad guys is mostly about scaring audiences into taking security seriously. And there's much to be concerned about when more and more "faceless" enemies are stealing our private data on a daily basis.
Yes, it helps when it comes to selling security products and maybe it'll help executives justify bigger security spending. But when it comes to improving overall cybersecurity, it's not helpful to focus on categorizing attackers. Rather, we should spend more time carefully considering what we're trying to protect and for whose benefit.
Simply put, thieves are after valuable data. It doesn't matter whether the thieves will use the information directly or sell it to a third party; it's the cybersecurity industry's job to put up barriers so that no one piece of information is stolen and used to extort even more data.
It might sound incredibly overwhelming and expensive to protect data against all types of attackers. But many successful techniques for improving security cost little to no money aside from the personnel hours needed to set them up.
For example, employing network segregation, setting appropriate user privileges, and applying software updates can be enormously helpful. The latest versions of the major operating systems now include tools for encrypting data on disk. And many online services offer two-factor authentication for no extra cost.
There is a caveat to my argument to stop focusing on attackers. I'm excluding forensic or legal investigations. After an attack, determining whether the culpable person is an authorized user within your company is a perfectly sensible thing to do. And helping law enforcement to identify and apprehend criminals is good civic behavior.
Before an attack, however, attackers' motivations are not helpful. Whether someone intends to give away access to the crown jewels or is talked into it by a criminal, the result is the same: The information is now out of your control, and will likely be used for nefarious purposes.
It's my hope that security experts will worry less about the types and motivations of cybercriminals, and more about specific ways to improve our defenses.
Lysa Myers is a security researcher at ESET where she aims to provide practical analysis of security trends and events. Follow her @LysaMyers.