Cyber crime is not just hogging the headlines: it’s posing a looming threat to the entire commercial landscape. Director asked the experts to provide essential pointers for UK business leaders
It took humanity over 2,000 years to progress from the Caesar cipher – a rudimentary form of encryption used by Roman statesmen – to the Morris Worm, the first ever malware to be distributed via the web in 1988.
It’s taken us considerably less time to get to a point where, according to a McAfee report of June 2014, cyber crime costs the world economy more than $400bn (£260bn); to put that into perspective, the global aid budget comes to about $100bn a year.
Cyber crime hasn’t crept up on us – it’s roared into our rear-view mirrors like a juggernaut, progressing as exponentially, and as rampantly, as that very same digital revolution we tend to marvel at but which has actually created a situation whereby the vast majority of us barely understand the tools that have become central to our entire modus operandi.
You know you have a cyber crime problem when the national body in charge of fighting it – Britain’s National Crime Agency – is itself targeted by hackers, as happened in September. And yet, according to a new study from identity protection experts CSID, more than half (52 per cent) of the country’s smaller firms “are not taking any preventative measures to protect themselves against cyber crime”. They need to either act quickly or end up playing an expensive and onerous game of catch-up, according to Nigel Jones, director of the Centre for Cybercrime Forensics at Canterbury Christ Church University.
“It’s taking leaders a long time to realise this is actually a business issue and not a technology issue now,” he says. “It should have been at the top of companies’ priority lists for years. The problem is, the people at the very top of organisations typically have a background predating cyber crime. So they’ve got no inbred knowledge about the threats and dangers.”
There’s more than just privacy and money at stake: companies’ entire bond of trust with their customers, partners and investors is at risk. “I simply cannot understand how any business would not have cyber-threat down as a major risk to its welfare, unless you’re a farm in the Hebrides,” as Jones puts it.
And so, here are 10 things UK business leaders need to know about cyberspace’s dark underbelly, according to the experts…
1. It’s a boardroom issue
“Recent high-profile enterprise cyber attacks, such as that involving Ashley Madison, should serve as a warning to corporations across the globe of the impact cyber crime can have to the bottom line,” says Andrew Elder, president of EMEA at Intel Security. “With the breach significantly damaging Ashley Madison’s hopes of a future IPO, the incident highlights the severe impact an attack can have on a company’s finances or, indeed, future financial plans.”
For Elder, simply rebuffing opportunistic cyber crime tactics doesn’t go far enough anymore. “Companies need to embed cyber-security decisions into normal risk management process,” he says. “Measures should be designed to not just stop an attack, but so that systems are back up and running, and data security restored as quickly as possible once an attack has been detected.”
This issue is no longer the IT department’s remit, Elder maintains. “It’s crucial that CFOs, CEOs and other executives take an active role in understanding the level of risk they’re exposed to and establishing a meaningful and effective strategy,” he says. “This includes taking stock of the value of the company’s data assets and implementing mitigation strategies appropriately proportioned to the level of risk involved. The financial future of a corporation – or that of its customers – can hinge upon the security of the information stored.”
2. It’s an amorphous beast
You know how the digital revolution has turned your laptop into a portable recording studio, casino or film-editing suite? In the same way, software is available which enables small-time cyber-criminals to mix it up with the big boys. Therefore, aeons-old crimes such as blackmail, sabotage and terrorism are now jumping on the digital merry-go-round along with plain old identity theft and pilfering.
“Whether it’s hacktivists like the vigilantes behind the theft of Ashley Madison customer data, or nation-state hackers and extortionists, the motives of today’s blackhats are now as diverse as the attacks they dish out,” says Prakash Panjwani, chief executive officer at WatchGuard. “Sophisticated attack vectors used in ongoing nation-state hacks and large-scale private sector breaches are making their way downstream into the civilian hacker community.”
The motive(s) behind any given attack are not just varied but often elusive. “Three years ago, the British Pregnancy Advisory Service [BPAS] were hacked by somebody who threatened to release data of people who had made enquires with them,” says Michael Frisby, dispute resolution partner at cyber crime law specialists Stevens & Bolton. “BPAS – a charity, bear in mind – got fined £200,000 by the Information Commissioner’s Office for allowing it to happen.
“That was about moral objections to what they were doing. Think about Ashley Madison, though: it may have been down to moral objections, or they may have hacked it with a view to extorting money later on – maybe they were thinking, ‘Well there won’t be much public sympathy for them, which makes it not so risky – maybe it won’t even come out into the open.’”
3. It’s not just about computers
A report earlier this year by US application security company Veracode warned that the Internet of Things (IoT) and cloud software services represent a severe cyber security risk, because connected devices aren’t being designed and produced with data security in mind. Five billion items on the planet are expected to be connected by the end of the year, and 25 billion by the end of 2020.
“Businesses now require a multi-layered approach to safety and security in order to manage the IoT turning devices into payment tools,” says Ajay Bhalla, president of enterprise security solutions at MasterCard, which has just opened a ‘DigiSec Lab’ in a secret location in England, where a team of experts tests and certifies all payment devices used in the multinational financial services giant’s network.
Then there’s the issue of people using their own hardware for work: half of consumers surveyed by international software security group Kaspersky Lab, in conjunction with B2B International, recently said that they used their personal devices for work, with only one in 10 seriously concerned about safeguarding work-related information accordingly. The bring-your-own-device era causes a “blurring of the lines between employees’ personal and professional worlds”, according to Gert-Jan Schenk, vice president of EMEA at San Francisco-based mobile security company Lookout.
“Employees are accessing and sharing sensitive information via personal devices, no matter the security policy in place. Phones without passcodes, documents sent to personal email, logging onto unverified WiFi, jailbroken devices not being updated – these are just some of the ways even the most secure systems become wide open to attacks.”
Another growing threat involves Voice over Internet Protocol (VoIP) technologies such as Skype, which criminals are hacking in order to earwig or commit ‘toll fraud’.
“Basically a hacking team gains access to an unsecured VoIP network and sets up automated dial-ups to £5 per minute numbers – a pretty nice earner that leaves the [victim company] with a bill which can run into the tens of thousands,” explains Paul German, CTO at VoIP security firm VoipSec, adding: “The security best practices applied to web traffic should also be applied to voice traffic – and the latest generation of cloud-based, freemium voiceover firewall products can be downloaded and installed within minutes.”
4. Small and medium-sized firms are a prime target
Despite holding reams of lucrative data, many SMEs have very modest IT security budgets – a recent PwC survey found that companies with revenues under $100m actually cut security spending by 20 per cent in 2014, compared to a five per cent increase in security investments by larger companies – making smaller organisations an attractive prospect for hackers.
“For more ambitious criminals, it’s their supply chain link to much larger companies that makes SMEs attractive, and therefore in need of enterprise-level defence,” says Panjwani. “The businesses you pass on the high street are now a prized target for cyber criminals. According to a 2013 survey by the National Small Business Association, 44 per cent of SMEs admit they have been victims of a cyber attack. Without knowing it, a retailer could well be hijacked and become an unwitting proxy through which new attacks are routed. The truth is that small businesses represent roughly nine in 10 of all the merchant data breach compromises.”
On the bright side, he adds, various fightback tools are out there and affordable. “Many SMEs limit their network security to [technologies] which only block limited network attacks and are days or even weeks behind new zero-day malware variants,” he says. “Software patches and upgrades are free or relatively low-cost, take no special technical expertise to install, and are one of the most important basic security steps for businesses of any size.”
5. Vigilance needs to be institutionalised
“The best way to mitigate risk is to assume an attack is already occurring by adopting an approach to security that addresses the entire attack continuum – before, during and after,” says Terry Greer-King, director of cyber security at Cisco UKI. The “holistic approach to security”, he says, must be grasped by everyone under the roof. “It’s important to ensure policies are well documented and clearly understood by each employee and every user. In doing so, employees themselves will be educated and motivated to adhere to the organisation’s security processes and be able to accept responsibility on an individual level.”
Simon Kouttis, cyber security manager at IT recruitment consultants Stott and May, agrees. “Businesses should bring security requirements into their strategy from the start, rather than retrofitting it,” he says. “If cyber security is in line with wider business objectives, and this approach is also applied to recruiting, businesses will be proactively hiring those who align with long-term goals.”
Nigel Jones adds: “Cyber crime is now a part of organised crime – and organised criminals are good at recruiting the right people who have the technical ability to do the job. You have to ask whether businesses and governments are recruiting the right sort of people in the same way.”
6. There’s a huge collateral legal threat…
“The most obvious risk when you’re holding people’s personal data is the regulatory risk under the data protection act,” says Frisby. “We’ve advised clients who haven’t even registered themselves under the act, as they’re supposed to. Then there’s the risk of being sued – if you’ve entered a contract under which you’re in possession of confidential information and you fail to take basic steps to protect it and the client suffers, they can sue you for breach of contract. You have a duty of care.”
Another issue that’s not considered as much as it ought to be, according to Frisby, is the personal risk that directors run if their businesses are not adequately protected. “They have fiduciary duties to the company which would extend to taking steps to make sure there’s protection from cyber-attack in place, and if they don’t do that they’ll be answerable, ultimately, to the shareholders,” he says.
7. …and insurance is no safety blanket
There’s no uniformity of policy coverage yet, says Frisby, “so you have to look carefully at different policies and make sure the cover is right for your business. The other element is that this is an international threat: there is no reason to assume that because you’re an English company the perpetrators are in England. There are issues about where damage has been done and where loss arises when events are outside the territorial limits of most insurance policies. What are the exclusions and limitations of your policy?”
A path of precedence, Frisby says, is only just being laid. “The policy wording being used at the moment hasn’t been tried and tested in the courts, so we’re left uncertain as to what it actually means – it’ll come out in cases in due course. Wherever there’s novelty in life, there’s uncertainty.”
8. Traditional encryption is a defence – but no panacea
Strong encryption remains a core part of any company’s anti-cyber crime arsenal: but don’t think of it as an unassailable virtual moat. “For many years, encryption was seen as a silver bullet – simply turn it on and your data is magically secured,” says John Grimm of data protection solutions provider Thales e-Security. “But information systems today are more global than ever, and attacks are increasingly sophisticated.”
As a result, says Grimm, smarter encryption strategies need to be in place. “Data classification is a crucial piece of the puzzle,” he says. “Data protection can be complex and businesses should avoid the temptation to try and boil the ocean by according the same level of protection for data that is less sensitive as they do to the ‘crown jewels’.”
9. Other defences are (increasingly) available
“Many of us are familiar with static biometrics such as fingerprint and retina scanning, thanks to the former being embraced by smartphone giants and the latter becoming the norm at a number of international airports,” says Neil Costigan, CEO at BehavioSec.
“In contrast, behavioural biometrics is, for the most part, yet to make its way into the consumer conscience. This technology sits in the background of a device, using sophisticated machine-learning tools to build up a profile of the user’s behaviour – analysing traits such as the angle at which a person holds a device or their typing speed. This moves away from a reliance on asking consumers for ‘something they know’, towards non-invasive, frictionless verification.”
10. It can create jobs
Yes, more good news. Any emerging problem creates vocational opportunities, and cyber crime is no exception: it seems that cyber resilience teams will be a definite fixture on the payrolls of future companies (negotiations are currently being finalised in Brussels, the outcome of which is likely to be that many companies will – by the end of 2017 – be required to appoint a dedicated, independent data protection officer).
“Technology is evolving faster than we can generate individuals with the skills and experience we need,” says Kouttis. “The agile nature of business, along with remote working technology, has left more companies open to the risk of cyber attacks, with fewer qualified professionals to deal with that increase. We’re now experiencing the problems caused by a historic skills shortage in Stem [science, technology, engineering and mathematics] subjects, although this is now rightly back on the educational agenda. There needs to be a creative approach too – the roles you need long-term might not exist yet.”
Cyber crime, with all its implications and permutations, is clearly one to keep an eye on – in the long term.
Cyber crime by numbers
£2bn The amount that Britain will spend over the next five years on “offensive cyberwarfare capability”, according to the Sunday Times.
$300 The price an online bank account worth $150,000 can be purchased for from online criminals, according to a new book on the subject of cyber crime – Cyberphobia: Identity, trust, security and the internet, by Edward Lucas.
61398 The unit number of the 2nd Bureau of the 3rd Department of the General Staff, the Chinese People’s Liberation Army, which employs thousands of people, almost certainly in order to hack into western companies’ systems.
46 The percentage of financial services professionals who, in a study by the Depository Trust & Clearing Corporation (DTCC), cited cyber risk as the biggest threat to the financial industry. Eighty per cent listed it as one of the top five.
1.2bn The number of username and password combinations a Russian crime ring were found to be hoarding last year. They had also accumulated 500 million email addresses from 420,000 websites.
Cyber crime glossary
Six of the best from the rich lexical tapestry being woven by digital dastardliness…
Ransomware Malware that blocks users from their systems until they pay a fee
Hacktivism Ideologically motivated attacks
Bot Invasive software robots that perform automated tasks
Resurrection module A plug-in with the aim of making viruses invincible
Digital Pearl Harbour The notion of one nation cyber-attacking another
Blackhat The bad guys, basically, as with the old-school westerns
Cyber crime: more reading
Information about Canterbury Christ Church University’s Cyber Essentials Scheme can be found at canterbury.ac.uk