Ask anyone involved in fighting cyber crime on a daily basis about what businesses should know, and the first thing they will say is that no organisation is immune.
The second most frequently raised point is that no business can afford to ignore cyber crime, which is estimated to cost the global economy around $445bn a year.
The losses are both direct and indirect, with many businesses citing downtime or lost productivity as a costly side-effect of some cyber criminal activity.
The reality is that every business connected to the internet can expect to fall victim to cyber crime at some point as criminals expand their ability to steal money directly or to turn stolen data into money.
The problem is that, while most information security professionals are aware of the threat cyber crime poses to the business, senior executives are often unaware of the scale of the problem.
Despite increased media coverage of high-profile breaches, many top executives still believe their organisation has no valuable data and will not be targeted.
“But just being connected to the internet makes any company interesting to cyber criminals,” says Phil Huggins, vice-president of security science at global digital risk and investigations firm Stroz Friedberg.
“Any company connected to the internet is a resource that can be exploited by criminals because of the data it holds.”
However, there are indications that awareness is growing, with 61% of respondents to PricewaterhouseCoopers’ 2015 Chief Executive Survey expressing concern about cyber threats and a lack of data security, up 13% from 2014.
LESSONS TO BE LEARNED: PART ONE
- Employees are the weakest link due to phishing and social engineering;
- Security awareness training for employees is essential;
- Credential theft and abuse is a common and powerful tactic used by cyber criminals;
- Cyber criminals target organisations with computing resources that they can rent out;
- Extortion, where data is held ransom, is an increasingly common cyber criminal activity;
- DDoS attacks or threats of DDoS attacks are also being used to blackmail businesses.
Cyber criminals collaborate
Another challenge is that cyber criminals collaborate across various groups to combine a wide variety of intelligence and attack methods.
“Cyber-crime operations generally use a combination of all the different exploits available and build a campaign layer by layer,” says Charlie McMurdie, senior cyber crime advisor at PricewaterhouseCoopers (PwC) and former head of the UK police central e-crime unit.
“They will do their research, they will look at open-source intelligence opportunities, they will look at physical vulnerabilities, they will look at what a target company is working on, they will use technical exploits, and they will send in phishing emails to get a foot in the door, so they can engineer themselves into a position they can cause more harm,” she says.
Social engineering through techniques such as phishing emails is a key and common element to all major cyber crime campaigns, which underlines the importance of cyber security awareness training.