If 2015 was the year cybercrime came of age, 2016 is already proving to be the year criminals refined their approach to a level of sophistication that has never previously been seen.
Cybercrime is not restricted to a few fraudsters with a degree of computer literacy, nor is it mostly perpetrated by disorganised kids; increasingly, it is not the work of individual criminals either. Around 80% of cybercrimes last year came from organised crime – in other words, global mafia organisations have each opened up a digital crime division. The average age of criminals is now 35.
Going high tech
Think of these groups as small black-hat high-tech companies. They employ technology experts and are forever looking for ways to improve their attacks and to open up new avenues. As they become more sophisticated, they are increasingly turning their guns from vulnerable individuals to vulnerable businesses. Here, the rewards are often likely to be greater - and security protocols are still surprisingly lax. This is one of the key reasons why the level of digital crime has jumped so remarkably.
In 2015, cybercrime rose by 19%, according to a study from the Ponemon Institute. Average annual losses now total $7.7 million. One in four companies admitted to having been hit by a cyber attack in the last two years. In 2014, cybercrime was already costing the global economy $445 billion per annum, according to a report from McAfee. However, that number may soon be dwarfed. According to Jupiter Research, cybercrime is well on the way to totalling $2.1 trillion by 2019.
However, attackers are not always after money. Increasingly, they’re looking for data, such as when the Qatar National Bank’s systems were hit and the details of thousands of employees were stolen. Hackers are also after state secrets, whilst a new form of insurrection – hacktivism – is becoming increasingly prominent, directed against corporations the attackers consider to be ethically challenged.
Complex and sophisticated
Attacks are becoming more complex. A trend that arose in 2015 - and one which is continuing to grow significantly - is the onion-layered attack. Criminals attack via multiple channels – whilst you might uncover one attack, another one will be going on in a different technical area, which you might not spot or be able to deal with because your resources are tied up fighting fires elsewhere. Addressing these challenges requires a high level of expertise - and plenty of resources.
Other common types of cybercrime include:
Ransomware: In February, a hospital in California found itself locked out of its own IT system. Only when a ransom of $17,000 had been paid did it get its computer system back. They’d fallen foul of one of the most common types of online fraud, a piece of software which holds computer systems to ransom once it makes its way through the firewall. There’s no way to get your data back unless you transfer money to the crooks. One piece of software, CryptoWall v3, has so far cost users more than $325 million.
Phishing gets ambitious: There used to be a time when phishing attacks were predominantly used for catching out the technically naïve – now they are going for top level executives with access to a huge amount of data. These emails aim to trick the recipient into divulging passwords and other sensitive information. For example, they may masquerade as your bank, with a convincing query about your account. Just pop in your details, they say, and all can be sorted. You’ll do that at your peril.
These attacks have become more convincing as hackers become more sophisticated. Emails increasingly resemble the familiar branding of well-known companies, instilling a false sense of trust. Embedded links take you to mirror websites, which (to a busy executive or his PA) look very much like those of the company they purport to be from.
Whilst financial crime threats are growing, companies are still lagging behind when it comes to security, especially small- to medium-sized businesses. The problem is that they simply don’t realise that they are targets, and may not understand how attacks work or what measures they can take against them. Also, they might be put off by the cost of taking action, though any monies invested in IT security systems will be small in comparison with what they risk losing by doing nothing.
Progress is, however, being made. Companies are, broadly speaking, giving a much greater priority to security - and we’re seeing much greater collaboration between corporations and governments too. However, the quality and sophistication of security varies from company to company, and from country to country. What this means is that, like hunters in the wild, criminals will gravitate towards the weakest and most vulnerable individuals and businesses around the globe.
There are things every business – large and small - ought to do as a matter of priority:
- Identify weak spots: Perform a risk assessment of your company. Identify any systems which are vulnerable. For example, is any of your data stored online?
- Manage access: Ensure employees have their passwords deleted when they leave the company. It’s all too easy to forget, and for former employees to retain real-time access to data systems and other sensitive corporate information.
- Educate staff: Breaches often occur simply because an individual employee makes a mistake. Ensure that everyone is up-to-speed on the latest security protocols.
- Back up data: Ensure data is regularly backed up. Store back-ups in a remote location away from the office.
- Plan for the worst: Make an emergency contingency plan of what to do in the event of an attack. Identify ways of ensuring your company is able to continue to operate, and that any losses are minimised.
In many ways, you’re playing a never-ending game of cat and mouse. As new forms of cyber attack arrive, companies will develop tougher defences to repel them. In turn, cyber criminals will come up with ever more sophisticated tactics. As such, data security is an issue which needs to be continuously addressed.
Your IT team should have a much more prominent position within the business, with considerable senior management and board level representation. Top level CEOs need to play an increasingly active role in overseeing security processes - good governance always trickles down from the top.
Expert risk management firms should also be on hand to provide high quality advice and regular security assessments concerning the standards of your existing technology systems. The more you learn, and the more you monitor, the safer your company will be.