William Francis Sutton was born into an Irish Catholic family living in Brooklyn in 1901. Although the family led a bit of a hardscrabble life, no doubt his mother hoped that one day William would make something of himself. He did. He became one of the notorious bank robbers in American history, and earned a spot on the FBI’s “Ten Most Wanted Fugitives” list. When he passed, the New York Times obituary of “Slick Willie” Sutton said in part: “For most of his adult life, until he last went to prison in 1952, William Francis Sutton Jr. was consumed by two constant, driving ambitions. One was to make as many illegal withdrawals as possible, at gunpoint, from carefully selected banks. The other was to extricate himself from prisons he wound up in as a result of his bank robberies.”
Willie Sutton is credited with contributing one of the more pithy explanations of human behavior. Asked why he robbed banks, Mr. Sutton is said to have replied, “Because that’s where the money is.” The logic behind the statement has found its way into Sutton’s Law, which, as taught in medical schools, basically suggests to first consider the obvious when seeking a diagnosis. One might apply similar logic to respond to a question often asked by corporate executives in companies that are not obvious first tier targets of cyber criminals—“why would we be a target?”
The simple answer is “because you have data that has value to someone else.” There is a thriving criminal economy fueled by data breaches. Many people are at least vaguely aware that stolen personally identifiable information (PII) has value, and may correctly venture that a prosperous black market exists for PII, as this piece by Wade Williamson attests. But the scale and sophistication of the cyber criminal economy vastly exceeds what one might imagine. Last November, The Economist reported on “What lies behind the JPMorgan Chase cyber attack.” JP Morgan was the victim of a breach in which the personal data of over 83 million customers was stolen. What did the perpetrators do with the stolen data? Well, for one, they used it to manipulate stock prices, actually returning to victims whose identities had been stolen and pressuring them into buying cheap and nearly worthless securities, in a classic online “pump and dump” scheme.
The point is, if you have data that has value, and it would be odd if you did not, then you could be a target. Understand that data of value goes well beyond PII. It includes proprietary databases, business plans, market research, product designs, intellectual property, minutes of board meetings, and a host of other sensitive data that provides value to the company and is instrumental to your success.
Writing in the New York Times, Nicole Perloth noted that cybersecurity experts say… “The companies most prepared for online attacks…are those that have identified their most valuable assets, like a university’s groundbreaking research, a multinational’s acquisition strategy, Boeing’s blueprints to the next generation of stealth bomber, or Target’s customer data. Those companies take additional steps to protect that data by isolating it from the rest of their networks and encrypting it.”
In the late stages of his life, Willie Sutton consulted with banks on ways to improve their security. He may now be able to make a posthumous contribution to the cybersecurity posture of other businesses. Look across the range of critical data in your company and ask a simple question, “What would Willie do?”
By Tom Davis, SDI Cyber Risk Practice
February 2, 2016