Cybercrime has been reported as the greatest threat to every company in the world. This post focuses on cybercrime as an "industry", not on cybersecurity itself.
There are 2 types of internet-related crime:
- Advanced cyber crime or high-tech crime. These are sophisticated attacks against computer hardware and software.
- Cyber-enabled crime. These are traditional crimes that now leverage the internet for execution, e.g. financial crimes, terrorism, crimes against children.
In the past, these crimes were committed by individuals or small groups. Today it is reported that highly complex cybercriminal networks are connecting individuals from across the globe in real time to commit crimes en masse and at scale.
The average global cost of each lost or stolen record containing confidential and sensitive data was $154. The industry with the highest cost per stolen record was healthcare, at $363 per record. (Source: “Cost of Data Breach Study: Global Analysis”, IBM/Ponemon.)
There are 5 challenges with the management of cybercrime.
- Consumer vulnerability - It is reported that 99% of computer users are vulnerable to exploit kits / software vulnerabilities thanks to Oracle Java, Adobe Flash or Adobe Reader. This means that it takes just one wrong click on an infected banner or a Facebook link to give access to a hacker.
- The business model - Cybercriminals have anonymity, low cost of operation and cheap, easy access for execution via social media. As a result, hackers see low risk from cybercrime, with the added benefit that as companies move up the value chain from manufacturing to services and IP-based R&D, so too will the hackers' ROI rise. Unfortunately, this only gives criminals more incentive to hack. Unless we see a change in the business model, particularly around the alignment of incentives, the loss from cybercrime will continue to increase. Attacking is much easier and cheaper than defending.
- Time to detection - Cisco defines “time to detection,” or TTD, as the window of time between a compromise and the detection of a threat. The global average time to detect an incident is 146 days. In Europe, the Middle East, and Africa it's 469 days. In the Asia Pacific, companies take an average of 579 days (TRTWorld, 2016). The longer it takes to detect, the longer the attacker is embedded in the system.
- Regulation - The new global privacy regulation (GDPR) is one example of regulation driving the transparency of PII losses from large companies. Another is the harmonisation of corporate governance and disclosure standards across the Asia Pacific. These types of initiatives ensure a minimum level of transparency and reporting from companies. This is a critical incentive for companies and for the safety of their customers and investors.
- Lack of a complete data picture - Most cybercrimes go unreported and few companies come forward about their losses. Companies need to be transparent with authorities, so that governments, vendors and not-for-profit agencies can begin systematic efforts to collect and publish data on cybercrime to help boards and their senior leadership teams make informed decisions on cybersecurity, risk management, and policy. It's very difficult to adequately assess the risk when you have incomplete data.
There is no doubt that people are the weakest link in any cybersecurity strategy. For more insights on this, check out my next post on the 9 takeouts from our cyber breach simulation at the Thomson Reuters 2nd ASEAN Regulatory Summit.