In the wake of numerous online breaches and cyber-attacks, cybercrime seems rampant. The implications of a cyber attack are both financially and emotionally costly for governments, businesses and consumers alike.
Whilst many countries now have legislation to deal with cybercrime, which often aspires to having an extra-territorial reach, it still seems difficult to deal with this global threat.
Cybercriminals carry out their actions well beyond the reach of the national law enforcement agencies in the target country, with nations forced to rely on goodwill and the Budapest convention to solicit the co-operation of others in dealing with this scourge of international commerce.
The recent Game Over Zeus and Cryptolocker attack has arguably marked a momentous milestone in cyber-crime given the sheer scale of co-ordinated action taken by law enforcement and technology firms in the US and Europe, including the FBI and the UK’s own National Crime Agency, notably working together with counterparts in Russia and the Ukraine.
Game Over Zeus had infected over 1 million computers worldwide, with estimated losses exceeding $100 million. All too many of us were familiar with Cryptolocker’s extortion attacks.
As we celebrate the successes of this operation, we should be careful – cybercriminals have demonstrated an ability to reconstitute their operations, develop new tools, and rebuild botnets – so a high-profile takedown can never be a complete solution, merely a respite. It is also worth remembering that the alleged mastermind behind Zeus, Evgeniy Bogachev, remains at large and possibly beyond the reach of law enforcement.
By sharing intelligence on breaches cross-border, cooperating internationally in investigations and encouraging greater willingness to prosecute, businesses can reduce the extent and volume of attacks. But countries also need to go one step further and work together to ensure that cybercriminals have nowhere to hide, recognising that cybercrime hurts all.
What is leading to this increasing volume of attacks? Put simply, crime follows the money, and the world has become digital. The rise of e-commerce has led to greater dependency on the internet; a diverse range of applications with possible vulnerabilities to exploit; but most of all a greater potential return for criminals investing in cyber attacks.
The British Retail Consortium estimated that online retail sales topped £25 billion in 2011. Getting a handle on the scale of cybercrime is notoriously difficult, but the BRC suggested a total cost to retailers of £205m.
Cybercrime can be more than just online fraud, and the broader theft of intellectual property and commercially sensitive information can have a much wider impact on the economy. The recent study from the US Centre for Strategic and International Studies placed the cost to the UK at around 0.45% of GDP – or in excess of £6 billion.
One thing is clear: the scale and impact on the economy is growing – and it is becoming a very lucrative business.
Unfortunately, it is also an efficient business which has taken economic principles to heart, and built a black economy with global reach.
Criminals are now paid to research vulnerabilities, develop and tailor sophisticated malware to their criminal masters' needs, build and rent out botnets by the hour, penetrate systems and collect user credentials, and then launder the credit card and bank account information gathered. Behind all this are some very bright criminal minds who seem beyond the reach of the law.
Organised crime is also agile. Two years ago mobile banking was nascent, and the mobile phone market seemed untouched by the malware that plagues our personal computers. The environment is changing as criminal groups begin to target very sophisticated malware at our mobile phones.
Retail banks have lived with the growth of e-crime for many years, and have become quite astute in developing fraud detection systems that try to frustrate the ultimate goal of criminals – monetising the bank account and payment card information they collect. These banks have also set aside their commercial differences to pool and share information on threats, and to work effectively with law enforcement organisations.
It isn’t just banks who are at risk: it is a far larger community of retailers and service providers, all of whom do business online. Criminal groups are also targeting the weakest links in our security, whether it is an individual’s home computer or mobile phone, or the third party supplier who struggles to secure their system against a rapidly changing threat.
There is no silver bullet, and no absolute security. Cyber defence depends on a mix of approaches: getting the security basics right (the government’s recent Cyber Essentials scheme will help); education and awareness of users and customers; more effective collection and sharing of intelligence on attackers; community action to co-ordinate our response to cybercrime; and international efforts to disrupt and ultimately bring to justice the groups who perpetrate these attacks.
These are easy things to say, but difficult to achieve. While there have been examples of good practice, there are many more cases in which companies remain a soft touch for cybercrime, whether they are the ultimate target or not.
The retail sector has, historically, been the sector that spends least on cyber security as a percentage of its IT budget – just 6% according to last year's Information Security Breaches Survey from BIS. Perhaps, in a post-Target world, there will be greater attention to cyber security in this sector, and most importantly a greater willingness to work as a community to counter cybercrime.
As new EU data protection regulations are brought into law, businesses can expect both a legal requirement to disclose compromises of customer data and greater fines attached to the security failures that led to the breach.
Now is the time for boards to focus on the issue of cybercrime, to develop a clear view of what it means for their business, to get the basics right and to be prepared for an incident – not if, but when.
Cybercrime is a fast-evolving and thriving business. For consumers, businesses and governments to keep pace and protect themselves from attacks, they need a community response which recognises that anyone may be the weak link in the security chain.
Sourced from Mark Waghorne, senior manager, KPMG cyber security team