The dawning of the digital age has transformed virtually all aspects of everyday life, particularly in the developed world. With many increasingly migrating online, we are ever more reliant on the ubiquity of cyber space.
Business habits too have changed and adapted over time, with firms and governments becoming increasingly cognisant of the benefits afforded to them by conducting business online. However, it is inevitable that the practices of criminals will also be modified to the same degree by the advantages of operating in the digital space. Although some analysts believe that the threat of cyber crime may be a ‘moral panic’ stirred up by sensationalist elements of the media, it is clear there has been a marked increase in both the frequency and sophistication of cyber criminal activities. Cyber crime and cyber terrorism have become high profile risks.
Issues relating to cyber security are generating a great deal of global attention. Hacker and activist groups such as Anonymous and LulzSec have made headlines for their attacks on government agencies as well as on large multinational corporations. Alleged state sponsored cyber crime has also increased. Accusations of criminal activity from organisations and individuals, particularly in nations such as China and North Korea, have been on the rise. Furthermore, we have seen startling revelations about government agencies in the West, namely the National Security Agency (NSA) and GCHQ, which have emerged since the Edward Snowden whistleblowing affair. In light of all of these activities, it is fair to say that issues regarding cyber security and crime have never been more pertinent than today. And the risk is increasing.
According to Verizon’s 2014 Data Breach Investigations Report, there has been a marked increase in instances of recorded cyber crime over the last 12 months, with 2013 seeing the largest ever number of cyber crimes on record. As such, 2013 will go down in history as a watershed moment for cyber crime. Verizon’s report covers around 50 companies and organisations, and contains details of more than 63,000 computer security incidents and 1347 confirmed breaches across 95 countries. In light of the increase in recorded cyber crime, it seems likely that the demand for cyber crime services will also continue to increase in the coming years, giving the providers of such services a multitude of opportunities to benefit financially. However, it is also extremely likely that the increased deployment of security services will result in the development and distribution of ever more aggressive and resistant types of malware. With security bugs such as ‘Heartbleed’ gaining international attention, the questions of cyber crime, and of how best organisations can tackle the problem, will remain pressing issues.
The cyber crime environment is continually changing, with the techniques employed by criminals constantly evolving, much like the efforts of regulators and security firms. Verizon’s cyber crime report, produced by the firm’s security unit, found that around 97 percent of all crimes fall into one of nine categories of security breaches. Point-of-sale intrusions, web app attacks, cyber espionage, insider misuse, card skimmers, denial of service (DoS) attacks, crimeware, miscellaneous errors and physical theft are all believed to be the most prevalent methods. According to Verizon the outlook is not good. “After analysing 10 years of data, we realise most organisations cannot keep up with cybercrime – and the bad guys are winning,” said Wade Baker, the report’s principal author.
Kit Burden, a partner and global co-head of the technology sector at DLA Piper, agrees. Mr Burden believes that the threat from cyber crime to businesses is both real and substantial. “A good example is the reported break-in at the end of 2013 to a branch of a UK retail bank, not to steal money held on the premises, but instead to gain access to a terminal through which funds could be accessed and transferred in a way which sidestepped the external network protections and firewalls,” said Mr Burden. “Larger organisations are alive to the threat but their size and complexity of operations means they remain vulnerable; SMEs are more ignorant or lack the funds to sufficiently secure themselves.”
In response to the increase in cyber crime, companies and governmental bodies alike are drawing up and initiating their own cyber crime prevention techniques. In January 2013 the European Union launched its European Cybercrime Centre (ECC), designed to help member states in their efforts to dismantle and disrupt cyber crime networks. The ECC’s major aim is to help countries develop tools to counteract cyber crime and cyber terrorism, and provide training where needed.
Alongside the ECC, the EU is undertaking other means of cracking down on the constantly evolving world of cyber crime. In April, the European Union Agency for Network and Information Security (ENISA) launched the largest-ever stress test of the bloc’s capability to withstand a sustained cyber attack. The Cyber Europe 2014 exercise was organised by ENISA, and carried out by around 200 organisations and some 400 cyber security professionals from in and around the EU. The EU Cybercrime Coalition was also launched in May with the aim of bringing together more than 20 regional banks to share information with one another. It is hoped that collaboration between firms may help counter the rise of cyber criminals and terrorists. Furthermore, the European Commission (EC) plans to unify data protection within the EU with a single law, the General Data Protection Regulation (GDPR). The EU’s European Council aims for adoption of GDPR in late 2014 and the regulation is presently planned to take effect in 2016 after a transitional period of two years.
In the UK, the Cabinet Office launched its cyber security strategy, which set forth the means by which the government would tackle cyber crime by 2015. The National Cyber Security Programme, launched in December 2011, has invested £650m in funding to support the strategy. In December 2013 the UK government also launched its own updated guiding principles to help prevent cyber crime.
According to Verizon’s report, cyber espionage against individual countries, particularly the US, is on the rise. In 49 percent of cases included in the report, espionage-related hacking was traced back to Chinese and East Asian residents. However, Eastern European hackers are also beginning to rise in prominence. Verizon noted that approximately one-fifth of all espionage attacks launched in 2013 emanated from Eastern Europe.
Clearly, cyber crime and espionage are becoming a global issue, with actors on one continent increasingly able to launch criminal activity on another, often with impunity via networks of proxy servers and VPNs. Given the cross-border nature of much cyber crime, a standardised regulatory response to cyber criminals seems most desirable. However, the development of a catch-all approach to cyber security appears unlikely. The majority of banks and online businesses operate independently of one another, often without the benefit of sharing the intelligence gathered from cyber attacks. The same can also be said of nations – most countries have in place only local, isolated pieces of legislation. Mr Burden does not see a unified response occurring any time soon. “Laws remain very geo-centric and therefore very different. A lot of cynicism prevails around the powers granted to, and exercised by, the US authorities in particular – as highlighted by the Snowden revelations,” he says. “Given the wide differences in culture and legal structures, it is difficult to see how a single legislative approach could be implemented, as desirable as that would clearly be.”
In lieu of a homogenised global approach to cyber crime prevention, unified regional approaches may be more achievable. Although the ECC has only been in existence since February 2013, the EC is already extolling the virtues of the centre in fighting cyber crime. “Criminal behaviour is changing fast, exploiting technological developments and legal loopholes,” said European Commissioner for Home Affairs Cecilia Malmström. “Criminals will continue to be creative and deploy sophisticated attacks to make more money, and we must be able to keep up with them. The expertise of the EC3 is helping us to fight this battle and boost European cooperation. Through several successful, far-reaching operations in the past year, the ECC has already earned well-deserved fame amongst law enforcement agencies.”
This regional approach may be more feasible. Currently, a number of national authorities across a variety of different regions are attempting to overcome jurisdictional restrictions by coordinating regionally. Efforts in Europe are being matched in both the Association of Southeast Asian Nations (ASEAN) and the Police Community of the Americas (AMERIPOL).
Verizon believes that one of the best means by which companies can mitigate the risk of cyber crime is by utilising big data analytics. The report notes that “by applying big data analytics to security risk management, we can begin to bend the curve and combat cybercrime more effectively and strategically”. Despite Verizon’s enthusiasm for the application of big data analytics to the problem of cyber security, the two have a complex relationship. Cyber criminals can hijack big data and use it for their own nefarious means. As a firm’s digital footprint becomes larger, so too does the level of associated risk. The illegal access of such data could lead to further, more threatening security breaches, and the subsequent reputational damage this brings.
Analytics aside, there is a belief that hard-line legislation should be employed by regulators in future to prevent the spread of cyber crime. National and regional legislation can only go so far; it is also the responsibility of companies to ensure they are compliant with their own internal policies as well as those of the authorities. Mr Burden envisages a more robust regulatory environment going forward. “I believe that the regulators will become increasingly aggressive in applying sanctions to those organisations who fail to effect sufficient safeguards and who cause damage to third parties – such as their customers – as a result. We already see the UK information commissioner going in that direction.”
The question of how companies can combat and check the rise of cyber crime is a complex one. Clearly there is no catch-all, foolproof means by which firms can fully insulate themselves from the risks. Despite technological and legislative advances, it often falls to firms to manage the threat posed by cyber criminals. Companies must ensure they have robust internal controls and compliance methods in place. Regular training schemes and a well-defined ‘tone from the top’ can be crucial tools in the seemingly never-ending fight against cyber crime.
© Financier Worldwide