Cyber crime is a serious strategic risk: prevention deserves the highest priority
August 2016 | SPECIAL REPORT: TECHNOLOGY RISK MANAGEMENT
Financier Worldwide Magazine
The threat of cyber crime continues to evolve and grow, as criminals adapt to new security measures and take advantage of changes to our online behaviour. The only constant appears to be our vulnerability: whatever new steps are taken, by companies or individuals, the criminals always seem to be one step ahead.
The problem is that it isn’t an even contest. Hacking and online fraud is hugely profitable for organised crime, encouraging constant innovation and change in attacks. A notable recent development has been the packaging of sophisticated malware tools into kits that require few specialist skills to use. Now, criminals at the top of the chain can simply licence their tools in return for a cut of the proceeds. With hacked personal data now cheap and plentiful in online marketplaces, cyber criminals have proliferated.
The nature of the internet means that this crime knows no borders: criminal activity can be focused on the easiest and richest pickings, and the perpetrators can be spread across the globe. Crime-fighting agencies have been overwhelmed by the volume of activity, and stymied by the fact that so much of it originates from multiple overseas jurisdictions.
In 2015, 25 percent of large firms and around 15 percent of smaller ones reported network penetration by unauthorised outsiders, while 90 percent of large firms experienced a security breach of some sort (the median number of breaches was 14). These relate only to detected incidents; the real numbers are probably much higher. Many companies are turning to cyber insurance as a means of mitigating the risks of breach, but it is often difficult to define exactly where the blame lies and thus whether a breach is covered. In any case, insurance does little to arrest the growth of cyber crime. It simply shifts the costs elsewhere.
The EU’s forthcoming General Data Protection Regulation (GPDR) is unlikely to do much to reduce cyber crime, either. The GDPR extends responsibility for protecting personal data to almost any business that holds it, no matter their size, including hosted service providers. It may lead to breaches and hacks becoming bigger news, due to increased notification to the Information Commissioners Office (ICO) and larger fines to the guilty parties. Organisations will probably put more resources into security and breach prevention as a result. However, the increased expenditure will probably only divert criminal activities toward softer targets.
New technologies and services, like advanced encryption, two-factor authentication and password managers, will improve the defence against current threats. However, once their use becomes widespread, cyber criminals are likely to repeat the patterns of the past and shift their focus to other, as yet unidentified vulnerabilities. To get ahead of the criminals, we need to change the way we do things.
Everyone should understand that cyber crime is a threat to all organisations, whatever their size or type. It will continue to grow and nothing that the government or the regulators are doing at the moment is likely to curtail it. Therefore, it is up to business leaders to recognise the threat and to ensure that their organisation is adequately prepared and protected. Unfortunately, according to current reports, only 37 percent of companies have any kind of cyber incident response plan, and fewer than 50 percent of company board members have ever requested information about their organisation’s cyber-readiness. Astonishingly, as of 2015, 32 percent of organisations had not conducted any form of security risk assessment at all. This suggests a serious lack of risk awareness and good governance in far too many firms.
Technology has become integral to most business operations, and almost all of that technology is networked. This means that cyber criminals can gain access to sensitive data or intellectual property via almost any part of the business. Lost data can be replicated and distributed at will, so a breach can never be truly resolved, and serious data losses may even threaten business viability. This makes cyber crime a serious strategic risk, and plans for prevention and mitigation deserve the highest priority. However, many business leaders are content to leave cyber security to the IT department, in the belief that technology can fix the problem. This is a dereliction of their duty to shareholders, and reflects a fundamental misunderstanding of the threat, which is primarily linked to user behaviour.
The process of risk management should be the same as for any other threat. The first step is to understand what makes the organisation an attractive target to cyber criminals, and where the main vulnerabilities lie. Tackle these by breaking them down into appropriate tasks and responsibilities, assign those to the right people, and ensure that each has visibility at a senior level. Monitor all actions taken, and once the appropriate measures are in place, ensure they are tested continuously and audited regularly. Ultimately, the aim should be to embed cyber security into all business processes. This won’t stop your company from becoming a target, but it will allow you to withstand the attack with minimal loss.
Matthew Eddolls is head of Risk Change at CoreStream. He can be contacted on +44 (0)20 7100 4378 or by email: firstname.lastname@example.org.
© Financier Worldwide