Analyst Coverage: Fran Howarth
Most people would agree that the internet and the world wide web are generally a force for good. The free flow of information, ideas and commerce has taken a basic tool for sharing research data and propelled it into being a vital part of everyday life. However, like all aspects of life there is a darker side, and so it is with the internet. Criminals and malcontents are always looking for new ways to build income or conduct their activities, and the internet hands them, on a plate, opportunities that few could have imagined.
Cyber has now captured the public’s imagination as the term to use when referencing a whole host of activities taking place on the internet:
- Any crime that takes place within cyberspace is now deemed to be a cybercrime
- Interstate information battles are now deemed to be cyberwars
- …and terrorists are now able to conduct cyberterrorism from the comfort of their own homes
The scale of cybercrime is difficult to assess. What is certain is that for many people it is a real and present problem, but it remains under-reported to the authorities for reasons of embarrassment, ignorance or a lack of faith in the authorities to investigate any possible offences. Some organisations have attempted to gauge the problem: in 2008 the ACPO (the UK-based Association of Chief Police Officers) National Strategic Assessment stated that “Online fraud generated £52 billion worldwide in 2007” (ACPO 2008), and in 2004 the global cost of malware and viruses was estimated at “between $169bn and $204bn” (BNAC 2007, British-North American Committee, Cyber Attack: A Risk Management Primer for CEOs and Directors).
Security governance, policies and controls are a big part of securing an organisation from cybercrime. SMEs need help and guidance in understanding the Security Paradox – see Bloor’s EMEA Study of this by downloading the paper from the list in the right hand column.
For commercial websites that trade across the internet, criminal hacking and cybercrime can be catastrophic. A relatively basic denial of service attack can be the equivalent of having all of a trader’s real-life stores closed down in one go. This means that all employees of a company should be aware of the possibility of cybercrime, not just the CEO or security officer, and should address it in systems design, call the attention of appropriate authorities to it if they meet it, and so on. This implies the existence of appropriate policies, procedures and awareness training.
Denial of service attacks range in sophistication from the physical destruction of internet connection points through to the flooding of websites with extraneous traffic that overwhelms web servers, forcing them offline. These attacks can be coordinated using hijacked networks of computers, called botnets, whose members are in turn instructed to send high volumes of spurious requests to target websites. There are steps that designers can take to mitigate such attacks but, in reality, a significant attack can be difficult to manage, and often the best course of action is to take down the servers and hope the attackers go away.
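As an added illustration of the flooding behaviour described above (this is example code written for this page, not something from Bloor or the cited reports), the following script parses a few constructed web server access-log lines in Common Log Format and flags any source address that exceeds a request threshold within a sliding time window. The window length, the threshold and the sample addresses are assumptions chosen for the demonstration; a real deployment would tune them to the site’s normal traffic and feed the verdicts into rate limiting or upstream filtering rather than simply listing them.

```python
"""Flag sources that flood a web server, judged from access-log lines.

Assumptions (not from the original page): Common Log Format input,
lines in chronological order, a 10-second sliding window and a
threshold of 5 requests per source within that window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One regex for Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: 203.0.113.7 fires eight requests in eight seconds,
# the other two sources browse at a normal pace.
SAMPLE_LOG = """\
192.0.2.9 - - [10/Oct/2012:13:55:00 +0000] "GET / HTTP/1.1" 200 612
203.0.113.7 - - [10/Oct/2012:13:55:01 +0000] "GET / HTTP/1.1" 200 612
203.0.113.7 - - [10/Oct/2012:13:55:02 +0000] "GET / HTTP/1.1" 200 612
198.51.100.2 - - [10/Oct/2012:13:55:02 +0000] "GET /catalogue HTTP/1.1" 200 4096
203.0.113.7 - - [10/Oct/2012:13:55:03 +0000] "GET / HTTP/1.1" 200 612
203.0.113.7 - - [10/Oct/2012:13:55:04 +0000] "GET / HTTP/1.1" 200 612
203.0.113.7 - - [10/Oct/2012:13:55:05 +0000] "GET / HTTP/1.1" 200 612
203.0.113.7 - - [10/Oct/2012:13:55:06 +0000] "GET / HTTP/1.1" 200 612
203.0.113.7 - - [10/Oct/2012:13:55:07 +0000] "GET / HTTP/1.1" 200 612
203.0.113.7 - - [10/Oct/2012:13:55:08 +0000] "GET / HTTP/1.1" 200 612
192.0.2.9 - - [10/Oct/2012:13:55:15 +0000] "GET /basket HTTP/1.1" 200 1024
198.51.100.2 - - [10/Oct/2012:13:55:30 +0000] "GET /checkout HTTP/1.1" 200 2048
192.0.2.9 - - [10/Oct/2012:13:55:40 +0000] "POST /checkout HTTP/1.1" 302 -
"""


def parse_line(line):
    """Return (source_ip, timestamp) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def find_flooders(lines, window_seconds=10, max_requests=5):
    """Return {ip: first_time_threshold_exceeded} for sources that exceed
    max_requests within any window_seconds-long sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash on them
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have slid out of the window for this source.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_requests and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_flooders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} exceeded the request threshold at {when.isoformat()}")
```

Because the deque only holds timestamps inside the window, memory per source stays bounded no matter how long the log is; the trade-off is that the check assumes the log is ordered by time, which is true of a file written by the server but not necessarily of lines merged from several servers.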
As well as financial attacks, the theft of intellectual property is rampant and poses a real and present threat to corporate and nation state competitive advantage. Whilst the major enterprises have the resources to address this, the SME community (i.e. 75 – 750 employees) is hugely at risk and needs support and education. See, for example, these recent Bloor publications: US Brands Targeted in Online Attacks; Glengarry Glen Ross – Old-Fashioned Inside Threat; The RSA Cybercrime Trends Report 2012; and Intellectual Property Theft: Protecting Data Against Cyber Criminals.
Malware continues to grow, including the evolution of more sinister variants such as Stuxnet, which hit the media headlines when reports emerged of that malware finding its way into Iranian nuclear plants. In 2012, HP Research estimated that cybercrime costs had risen by nearly 40 percent, and that attack frequencies had doubled in the previous year. This means that systems should be designed from the ground up to be secure and to manage the malware threat, as far as is possible.
Cybercrime is set to grow over the coming years. It is only by ensuring that users and organisations understand the threats through education, and are equipped with technical preventative measures, that this threat can be reduced. This issue can only increase in importance as more criminals realise the benefits of committing offences online. Education (of users) is an important part of any vendor’s message, but awareness needs to be balanced against business risk.
Cybercrime targeting smartphones is set to increase as criminals realise that these devices have a direct link to a user’s bank account. The rise in malware, including trojanised applications, reflects this. The perfect storm of social media, smartphone adoption and malware will continue to cause issues into the future; see “The BBC Interviews Nigel Stanley on Phone Hacking”.
- Security is a human problem
- Evolving uses of the kill chain framework - using threat lifecycle management to defeat insider threats and ransomware
- Managing Cyber Business Risk - with Content Assurance and Cyber Insurance
- Cybercrime, Cyberwars, Cyberterrorism and Hacktivism
- The Security Paradox - An EMEA Study