I was having a conversation about security today with a good friend and the subject came up of what is the most difficult question in security to answer?
After a few minutes of back and we fourth we settled on the following question:
Who would want to hack us?
This question is nearly always asked with the person asking it implying they aren’t important enough to be hacked.
As security professionals we mostly do a terrible job at answering this question. Normally we end up answering with something vague like “hackers”.
(This is what a hacker looks like.)
When we answer back with a vague answer like “hackers” we dont make the threat real to the person asking the question. They will care and think about hackers as much as they do the nebulous bad guy who might break into their car and steal their 3 Doors Down CD.
The best way I have found to answer this question is by asking a question back.
Here are a few questions I always try to ask back when someone asks me who would want to hack us?
Have you ever had an employee leave on bad terms?
Have you ever made a competitor mad?
Is there anyone that would enjoy you having negative publicity?
Everyone can think of an answer to one of these questions and it plants a mental image of someone who would actually want to do their company harm and not a guy with a ski mask.
How do you answer the question: Who would want to hack us?