[BreachExchange] The effect of cybercrime on businesses and consumers

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jan 30 18:31:59 EST 2017


https://betanews.com/2017/01/30/cybercrime-effects/

Here we are, at the end of the first month of a new year and where are we?
Well, I guess that very much depends on who you are. If you're a hacker,
then things are looking good for you. If you're a consumer, the evidence
suggests you won't be fooled twice, but is that good enough? And if you're
a business, you've got the same security problems as last year but with
enhanced threats from hackers and careless employees as well as enhanced
expectations from consumers.

So, exactly what is happening in today's security world and what does it
mean for you?

A Billion Dollar Industry

I say that things are looking up if you're a hacker on the back of the FBI
saying that ransomware could be a billion dollar industry soon. They
reported an astonishing rise in the crime with losses of $24m reported in
2015 but losses of $209m reported in just the first quarter of 2016. While
this is, of course, a US statistic, it's a problem that is clearly not
confined to the US with new research from Radware revealing that 49 per
cent of European businesses confirmed cyber ransom as the top attack
motivation for last year.

But this rise in ransomware attacks, in itself, isn't the most worrying
aspect of these developments. What concerns me most, and what I find
entirely unacceptable, is the other main statistic in Radware's research
findings that claim 5 per cent of European businesses are keeping Bitcoins
to pay the ransom in order to regain access to their systems. Is that now a
security solution?

Negotiating with terrorists

Not wanting to steal the US Government's mantra of "we won't negotiate with
terrorists," but isn't paying the hackers exactly that? And isn't that
exactly the reason why ransom attacks are increasing? Do those companies
paying the ransom not see the correlation here? And do they not repeatedly
get hacked because the hackers know they'll pay? Isn't their behavior, in
fact, making it more difficult for them, and everyone else, to secure their
systems?

UK Schools Targeted

In related news in this first month of the year, the UK police department
has had to put out a warning to UK schools to be aware of a scam whereby a
caller claims to be from the Department of Education and asks for the
personal email address of the head teacher using the reason that they need
to send them confidential information.

They then send files containing ransomware and demand payments of up to
£8,000 to regain access to their systems. Films, TV shows and even the
media would sometimes like us to think of hackers as those trying,
benevolently, to expose a truth, but as we can see from this example it's
often just about making profit.

The Case of the Missing 'Network Attached Storage' Device

At the start of the year, we also found out that the UK's Information
Commissioner's Office (ICO) fined Royal & Sun Alliance £150,000 after a
device with the personal information of almost 60,000 customers was stolen.
The device was described as a "network attached storage" device and it was
reportedly stolen by a person who had access to Royal & Sun Alliance's data
server room based in Horsham.

There are a couple of interesting aspects to this story.

Firstly, the data breach at the server room is reported to have happened
between mid-May and the end of July 2015. That's a 10 week period when the
organization didn't know where that device was or that there had even been
a breach.

Secondly, they were fined £150,000 -- that's essentially the ICO charging
Royal & Sun Alliance less than £3 for each person's data that it lost. That
doesn't seem very much, and certainly not enough to warrant the board
taking IT security seriously. And it's also not representative of what the
new EU General Data Protection Regulation's fines for data breaches of up
to four percent of global annual turnover will be enforcing just next year.

Of course, the fine is "up to" four percent, but the fact that Royal & Sun
Alliance can't narrow down when the data was stolen to less than a 10 week
period suggests it's not exactly doing its best to secure its customers'
personal information. Furthermore, if the fine was in line with the four
percent that's coming down the line, it would suggest that Royal & Sun
Alliance's global annual turnover was less than £4m, although it should be
noted that at the current time the maximum fine from the ICO is £500,000.

Where Are We So Far This Year?

So, to sum up, we have companies actively choosing a security strategy of
paying the hackers to regain access to their systems, the FBI saying
ransomware is going to be a billion dollar business, employees not educated
enough to, firstly, refuse to give out personal information over the phone,
and secondly, avoid opening and downloading attachments to what is,
effectively, a phishing scam with a human touch, a huge corporation
seemingly not taking the protection of their customers' personal
information seriously, and the ICO behaving like its usual toothless-wonder
self by doling out a negligible fine that won't make anyone at Royal & Sun
Alliance or any other corporation bat an eyelid.

What About Consumers?

In terms of how this affects consumers, research from the Office of
National Statistics this month claimed that victims of cyber crime were
unlikely to be victims more than once. The experimental research shows 82
percent of victims were only hit once, with 12 percent reportedly hit twice
and six percent claiming to be victimized three or more times.

Meanwhile, research from Gemalto suggests that consumers, craving
convenience, remain quick to give over their personal details to companies,
but 70 percent of respondents said that organizations are responsible for
securing their data while 29 percent of those surveyed didn't think
organizations were taking that responsibility seriously.

Of course, to a certain degree consumers can take their business elsewhere,
but that is only possible with private companies; we have no choice but to
share our personal information with public services.

Last year, I thought we needed a shift in mindset towards educating
employees about security and not just IT focused employees but everyone
because the nature of IT these days means that everyone can plausibly be a
risk, an insider threat, either by mistake or by design.

But now, it seems like we need a lot more than that; it seems that we need
a total shift in mindset towards the entire concept of security; we need to
go back to the drawing board. It's clear that breaches are still happening,
be they physical or online. It's clear that both organizations and
consumers know that there's a problem, yet rather than progress towards a
solution, it seems, from the first month of this year at least, that we're
going backwards.

Maybe when the GDPR comes into force next year and the first huge fine is
given to a company for a breach companies will finally take security
seriously.