Most hackers don’t do it for financial gain

Which is more frightening: the idea of a cyberattack designed to cripple your business and pull in big bucks, or the idea that hackers are just launching these attacks for the hell of it?

According to a survey of self-identified hackers by Thycotic Software, hackers more often fall into the latter category. The survey found:

  • 51% of hackers chose to hack for fun or thrill-seeking, but
  • only 18% did it for financial gain.

And hackers didn’t have much fear of being caught. A full 86% said they never really expect to face any consequences from law enforcement for their actions.

Whom hackers target

It should come as no surprise that phishing is seen as a good way for these hackers to attack companies. The report found 99% of hackers believed this simple tactic is still an effective means to get information from targets.

The report also went one step further, asking hackers which type of employee they would target via phishing in order to get sensitive information from a specific company. The results:

  • 40% said a contractor
  • 30% said IT administrators, and
  • only 6% said an executive would be their top target.

Bored, skilled and fearless

So this leaves IT fighting a formidable opponent: attackers who are just looking for some fun and have little to no fear of being caught.

Although hackers might target IT pros specifically, chances are they won’t get too far. Most IT pros are sharp enough to spot even advanced phishing tactics. Even so, changing administrative credentials and passwords regularly could be a good method for preventing attacks.

And although they aren’t the top target according to these hackers, it can never hurt to remind executives about spearphishing tactics.

But the group that may need the most reminders: contractors. These partners can put your systems at serious risk, as they did in the Target attack of last year. And their security is mostly out of your hands.

Some steps you can take:

  • survey them about their security measures and insist on minimum requirements for protection
  • offer guidance on security matters if you’re concerned about their vulnerability, and
  • have clear contracts that define the risk for cyberattacks – and who is responsible for cleaning up after them.