In the 2007 movie “There Will Be Blood” Daniel Day-Lewis plays Daniel Plainview and Paul Dano played two roles, Paul and Eli Sunday, twins.
If you’ve seen the movie, you can skip this next bit. Daniel is an oil prospector and is brought to the Sunday property by Paul. Paul’s twin brother Eli suspects that Daniel wants to purchase their land for the oil beneath the ground. Through the years of the movie, Daniel buys all the land around the area except one hold out. Eli returns to the area to sell the last hold out plot of land, hoping to make some money after having lost everything.
At this point, Eli comes begging to sell the land to Daniel. Eli had humiliated Daniel earlier in the film and Daniel takes this as his opportunity to return the favor. Daniel harangues and bullies Eli, forcing him to renounce his faith, which Eli does thinking he will finally sell this land.
Here Daniel delights in telling Eli that he doesn’t want to buy the land, that he has no need for it. Daniel explains that the land it has been drained because of all the drilling and pumping of oil on the surrounding plots.
Daniel explains that it’s as if he has a long straw and from across the room puts his straw into Eli’s milkshake. Without Eli knowing about it or having any way of stopping him, Daniel drinks his milkshake.
And this is like cybercrime.
Movies and books have painted a picture that cybercrime is done in the wee hours of the morning, lots of screens scrolling with Matrix-like characters in patterns few can understand. Or Tom Cruise descending from the ceiling into a server room with pressure-sensitive floors that will set off an alarm.
In fact, most cybercrime is a lot more mundane.
Most small and medium businesses leave their networks open on the Internet. They rely on their Internet Service Providers to provide “A-Level” security to stop threat actors. In reality, when an Internet Service Provider puts in a modem or router and a business connects a consumer-grade network switch to it, this is like putting a screen door on a submarine. There is almost nothing to stop a cyber attack with this kind of setup.
Likewise, when people are hired at a small business and receive an orientation (if they receive and orientation), rarely does it include things like acceptable user policies related to computer systems and sharing of data on the Internet, use and storage of network credentials like email addresses and passwords and proper password rotation on Internet websites.
The computers on an open network and untrained employees are the weakest links in the security chain in most small and medium businesses.
Information can be sucked up, like through a long straw, without having to run elaborate infiltration operations.
It’s important to have properly secured systems, a network perimeter that allows employees to get their job done while also being safe and secure and regularly training employees on how to spot phishing emails and malware on their machines.
Putting the proper controls in place to keep the bad guys out of our systems are important. Regularly testing the perimeter defenses and updating them as necessary are all part of a good maintenance plan.
However, if we can only focus on one thing to do to keep ourselves safer in our online world, focus on regular education. 5–15-minute videos and trainings once a month go a long way to educating ourselves, our family members and our staff on how to spot Phishing scams and targeted email attacks.
These proactive measures can stop the drainage of information that we want to keep protected.
Like through a long, cyber straw, cybercriminals love to say …
“I DRINK YOUR MILKSHAKE! I drink it up!” – HG
