Tag Archives: data security policy

Data Security Policy & Understanding The Why? Motive Means & Opportunity (MMO)

Creating a data security policy

The danger when you are creating a data security policy, like so many decisions in life is that we get ahead of ourselves. While we love to advise you on strategies for data protection and even recommending products to address data security issues.

It is vital when creating your data security policy that we take the time to look closely at your business processes and to explore from the prospective criminals perspective the opportunities for exploitation within your business.

In our experience it is an informative exercise to apply a methodology we have taken from real world policing known as MMO.

Data security policy formulation using the fundamentals of real-world crime detection.

Paul Wilson works for us in our Telesales department; Paul is over qualified having spent his previous career in the Met Police and latterly working for Securicor on the Hazardous Chem Compliance team.

Paul has a traditional background in real world Crime and Crime prevention, it was interesting that in a recent conversation the application of the Policing investigative fundamental, namely Means, Motive & Opportunity (MMO) and how it still applies in the Data Security realm came to the fore.

It is worth taking the trouble to gain an insight into why crime happens in both the physical and Cyber realm, as by understanding this we can create a more effective Data Security Policy Strategy Document, good strategies always start by understanding the why?

By understanding that first any aspiring Cyber criminal will need a motive, your company has something that the criminal wishes to acquire. Usually your data which can be exchanged for money.

Secondly the potential criminal will need the means, they may possess a strategy for duping individuals within an organisation into getting access to the network (Social Engineering) or they may be able to deploy software either in a targeted way or using a scatter gun approach, to gain access to your network.

Thirdly they must have the opportunity, this can be exploiting human failure. For example through gaining intelligence on vulnerable individuals within the organisation, once identified they can be duped into letting the criminal onto the network.

This is commonly achieved as a result of receiving a targeted email (Spear Phishing) and downloading malware by clicking a link. In another scenario the victim could receive a phone call and by responding in-appropriately, for example disclosing information or passwords or even give access to a computer.

Alternatively the criminal may take advantage of a deficiency in your network defences, incorrectly setup Firewalls unpatched software etc.

A good way to understand the principles of M.M.O.  is to break them down into three topics.

Initially we shall concentrate on the M that is Motive.

M Stands for Motive


M could also stand for Money as financial gain is probably the largest motivator and stands behind the majority of our motivations.

Motivations. (External Actors)

Money – Adware infections on browsers route you to sites that are paying to be put in front of you ahead of for instance, googles search results, the makers of Adware are often paid by the click by advertisers.

Money – Ransomware will encrypt the files on your computer, you pay a ransom usually in un-traceable BitCoin to hopefully regain access to your documents.

Money – DDoS Your computer is infected and becomes part of a Botnet; your computer along with tens of thousands of others is used to create enormous DDoS (Distributed Denial of Service) attacks on large companies, such as Banks, Airlines, Tour Operators in fact any business that is dependent on doing business on the web.

Effectively crippling customer facing websites they make it impossible for the business to transact with its customers. Botnets are often rented out to criminal organisations who perpetrate the DDoS attacks demanding payment to end the attack and restore service. Often large organisations have strategies in place to mitigate DDoS attacks.

Small and medium size businesses and even sometimes the large ones will pay the criminals off as the ransom is smaller than the loss of income experienced for example downtime on a booking system and costs of mitigating the attack.

Money – Hacking & Advanced Persistent Threat Often DDoS attacks are used as a diversionary tactic as cover for hacking activities, the IT dept are running in circles dealing with the DDoS and miss the fact that someone is hacking into the corporate network. The target is often corporate secrets, credit card data or even just your customer database.

All of these have a value on the dark net and can be sold on and you become headline news as the victim of the latest data breach.

Money – Spam Spam is just a nuisance right? The answer is no, every piece of spam received is a potential risk to your network, your user is one step away from an infection and infections lead to exploits, from hacking to Ransomware and everything in between.

Money – Phishing & Spear Phishing These are sophisticated versions of Spam specifically targeted at individuals within an organisation with a specific goal in mind. That maybe breaching the network or maybe scamming the financial director into making payments to fake suppliers or even in response to say a request from someone posing as your CEO to wire funds.

Motivations. (Internal Actors)

Money – Data Theft One of your employees is selling your data to your competitors.

Revenge – Sabotage One of your employees is disaffected and destroying or selling your data

Money – Data Theft One of your employees plans to move on taking your data with them to start their own business or to take to their new employer.

Stupidity –  The open door One of your employees clicks on a Phishing email or allows someone access their PC as a result of a fictitious call from Microsoft (See Social Engineering).

So now we understand that there are real motives and objectives behind the vast majority of the compromises and events we see.

What can we do to mitigate them? This is where we introduce the subjects of Means & Opportunity.

My next Data Security Strategy Blog will discuss the second M Means