[BreachExchange] The strategic risk of cybercrime: Prevention deserves the highest priority

Thu Jun 9 19:58:41 EDT 2016

http://www.itproportal.com/2016/06/09/strategic-risk-of-cybercrime-prevention-deserves-the-highest-priority/

The threat of cybercrime continues to evolve and grow, as criminals adapt
to new security measures and take advantage of changes to our online
behaviour. The only constant appears to be our vulnerability: whatever new
steps are taken, by companies or individuals, the criminals always seem to
be one step ahead.

The problem is that it isn’t an even contest. Hacking and online fraud is
hugely profitable for organised crime, encouraging constant innovation and
change in attacks. A notable recent development has been the packaging of
sophisticated malware tools into kits that require few specialist skills to
use. Now, criminals at the top of the chain can simply licence their tools
in return for a cut of the proceeds. With hacked personal data now cheap
and plentiful in online marketplaces, cybercriminals have proliferated.

The nature of the Internet means that cybercrime knows no borders: criminal
activity can be focused on the easiest and richest pickings, and the
perpetrators can be spread across the globe. Crime-fighting agencies have
been overwhelmed by the volume of activity, and stymied by the fact that so
much of it originates from multiple overseas jurisdictions.

In 2015, 25 per cent of large firms and around 15 per cent of smaller ones
reported network penetration by unauthorised outsiders in 2015, while 90
per cent of large firms experienced a security breach of some sort (the
median number of breaches was 14). These relate only to detected incidents;
the real numbers are probably much higher. Many companies are turning to
cyber insurance as a means of mitigating the risks of breach, but it is
often difficult to define exactly where the blame lies and thus whether a
breach is covered. In any case, insurance does little to arrest the growth
of cybercrime, it simply shifts the costs elsewhere.

The EU’s forthcoming General Data Protection Regulation (GPDR) is unlikely
to do much to reduce cybercrime, either. The GDPR extends responsibility
for protecting personal data to almost any business that holds it, no
matter their size, including hosted service providers. It may lead to
breaches and hacks becoming bigger news, due to increased notification to
the Information Commissioners Office (ICO) and larger fines to the guilty
parties. Organisations will probably put more resources into security and
breach prevention as a result. However, the increased expenditure will
probably only divert criminal activities towards softer targets.

New technologies and services, like advanced encryption, two-factor
authentication and password managers, will improve the defence against
current threats. However, once their use becomes widespread, cybercriminals
are likely to repeat the patterns of the past and shift their focus to
other, as yet unidentified vulnerabilities. To get ahead of the criminals,
we need to change the way we do things.

Everyone should understand that cybercrime is a threat to all
organisations, whatever their size or type. It will continue to grow and
nothing that the government or the regulators are doing at the moment is
likely to curtail it. Therefore, it is up to business leaders to recognise
the threat and to ensure that their organisation is adequately prepared and
protected. Unfortunately, according to PwC’s Global Economic Crime Survey,
only 37 per cent of companies have any kind of cyber incident response
plan, and fewer than 50 per cent of company board members have ever
requested information about their organisation’s cyber-readiness.
Astonishingly, as of 2015, 32 per cent of organisations had not conducted
any form of security risk assessment at all. This suggests a serious lack
of risk awareness and good governance in far too many firms.

Technology has become integral to most business operations, and almost all
of that technology is networked. This means that cybercriminals can gain
access to sensitive data or intellectual property via almost any part of
the business. Lost data can be replicated and distributed at will, so a
breach can never be truly resolved, and serious data losses may even
threaten business viability. This makes cybercrime a serious strategic
risk, and plans for prevention and mitigation deserve the highest priority.
However, many business leaders are content to leave cyber security to the
IT department, in the belief that technology can fix the problem. This is a
dereliction of their duty to shareholders, and reflects a fundamental
misunderstanding of the threat, which is primarily linked to user behaviour.

The process of risk management should be the same as for any other threat.
The first step is to understand what makes the organisation an attractive
target to cybercriminals, and where the main vulnerabilities lie. Tackle
these by breaking them down into appropriate tasks and responsibilities,
assign those to the right people, and ensure that each has visibility at a
senior level. Monitor all actions taken, and once the appropriate measures
are in place, ensure they are tested continuously and audited regularly.

Ultimately, the aim should be to embed cyber security into all business
processes.  This won’t stop your company from becoming a target, but it
will allow you to withstand the attack with minimal loss.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160609/26b30974/attachment.html>