Cyber crime’s cost to businesses continues to grow exponentially. In 2015, Juniper Research predicted that the continued reliance on digitisation in our lives will be the catalyst for a $2.1 trillion criminally driven industry by 2019. To illustrate how lucrative digital crime has become, if only 1 percent of targets in a three-month ransomware campaign get infected and of those only a small percentage pay the ransom, criminals will still reap a substantial payout to the tune of tens of thousands of dollars each month. Sadly, crime does pay.
To make matters worse, what we are seeing now is increased collaboration among hacking groups that have the monetary resources and manpower to pull off spectacular heists. Case in point, Trustwave was recently called on to investigate attacks against banks located in post-Soviet states involving an inventive method of using human “mules” to open fraudulent accounts so that cyber criminals could then set overdrafts to those accounts. The result was a simultaneous drain of hundreds of ATMs with losses estimated at $100 million.
What raised eyebrows in both security and financial circles is that the money was stolen in a seemingly legal manner: the criminal gang manipulated a legitimate debit card overdraft loophole that kept the alarms at bay until the operation was over and it was too late. Because of its success, you can be sure that more of these attacks are on the horizon and will spread across the globe.
An evolving threat landscape
It’s not just cyber criminals upping their game in terms of sophistication and techniques that explains why we are seeing so many successful attacks – it’s the evolving technology landscape itself. Encrypted browsers and readily available VPN services designed to protect consumer anonymity over the web are also being used to conceal malicious activities. Those elements, coupled with hard-to-trace cryptocurrencies like Bitcoin, have come together to create an environment ripe for the commercialisation of cyber crime. No longer does the theft of millions of credit card numbers require the skills of a rogue programmer with ill intent. Now, anyone with internet access can purchase pre-packaged malware or launch crippling DDoS attacks with a few simple keystrokes.
Despite these evolving threats and the proliferation of high-profile cyber attacks over the last 18 months, many organisations are still disorganised in their approach to protecting data and customer assets. A recent PwC report, The Global State of Information Security Survey 2018, which surveyed more than 9,500 executives in 122 countries, found that 44% don’t have an overall information security strategy and 48% don’t have an employee security awareness training program.
These findings are quite startling. As we have recently seen, when it comes to breaches, ignorance won’t protect a CEO or his or her board from being ousted. Ignorance and eventual public disclosure of poor internal practices will only fuel further speculation and ongoing ridicule that could result in an arduous battle to repair brand perception.
Three paths to safeguarding operations
1. Anticipate non-conventional security risks: First, CEOs must realise that in addition to spearheading innovation, growth and company direction, the responsibilities of cyber security readiness and action now sit squarely on their shoulders. A shift toward a proactive, forward-looking posture is needed. For example, during acquisition planning, it is crucial to acknowledge from the start that, along with the intellectual property and new market opportunities you purchased, you may be assimilating unpatched databases, hidden malware and lax security policies.
2. Establish a cyber security-minded culture: It’s crucial to establish and nurture a security-minded culture across the board, including employees, partners and even outside vendors. You wouldn’t invest $2 million in a new CRM system only to leave out employee training, so why invest in the latest security technologies without giving your stakeholders the tools necessary to maximise that investment? The most advanced firewalls and intrusion detection systems are no match for an administrative assistant who freely gives out passwords or a contractor who clicks on malware because they didn’t know what to look for. Simply put, most of the data compromised today is lost because someone got duped, not because a sophisticated piece of malware thwarted defences.
3. Implement security practices from the top down: Finally, a security-minded culture needs to be driven from the top down, starting with the CEO. For this to happen, the CEO must first understand the potential threats unique to the organisation. A large retailer processing thousands of credit card transactions will have very different security needs than a healthcare organisation that’s responsible for protecting patient data. One of the most important activities a CEO can undertake is preparing a general threat assessment that involves in-depth interviews with senior management, IT administrators and partners. By delving deep, you will gain a much more realistic understanding of risks, the likelihood of being compromised and breach impact. Once this assessment has been made, tailored contingency plans and ongoing security education can be put into place so that everyone tied to the organisation ends up becoming your best security advocate.
While cyber crime will always continue to evolve and adapt to new security measures, it’s critical for businesses to be proactive in their stance to protect company assets. Businesses that make security an integral part of their company culture will be among those best positioned to fend off the next big cyber attack.
Robert McCullen is CEO and President of Trustwave. This article first appeared in Forbes.