“Think of [cybersecurity] more as safety and security in roads and cars. The car hasn’t really changed in the last 30 years, but a lot of security is built in, and it’s not sexy until the moment it saves your life. You’ve got bits that are hidden – airbags – and bits there to remind you to be safe like seatbelts…Some of it is about good behavior and good attitude, some of it is about physical security to remind you there is a risk, and some of it is baked in to save you.”
– Sian John, Senior Cybersecurity Strategist at Symantec
Technology has become more than a supplement to a company’s operations; in many cases, the assets living on the network are the core operations. This is compounded by the fact that attacks are becoming commonplace due to the rise of mobile usage and the internet of things, as well as the growing ecosystem of cybercriminals.
What Is a Cybercrime?
Put simply, a cybercrime is a crime with some kind of computer or cyber aspect to it. It can
take shape in a variety of formats, and from individuals or groups with different motivating
factors. Cyber threats are fundamentally asymmetrical risks in that small groups of
individuals can cause disproportionately large amounts of damage.
Categories of Cybercriminals
Financially motivated organized crime groups: Most of these groups are located in Eastern Europe.
Nation-state actors: People working directly or indirectly for their government to steal sensitive information and disrupt enemies’ capabilities. They are generally the most sophisticated cyber attackers, with 30% originating in China.
Activist groups, or “hacktivists”: These groups are not usually out to steal money. They’re out to promote their religion, politics or cause, or to damage reputations or harm clients.
Insiders: These are the “disillusioned, blackmailed, or even over-helpful” employees operating from within a company. However, they may not engage in cybercriminal activity intentionally; some might simply take a contact list or design document without realizing the harm it could cause.
DISTRIBUTED DENIAL OF SERVICE (DDOS)
A DDoS attack attempts to disrupt a network’s service. Attackers send high
volumes of data or traffic through the network until it becomes overloaded and
stops functioning. The incoming traffic flooding the victim originates from many
different sources, potentially hundreds of thousands. This makes it impossible to
stop the attack by blocking a single IP address, and makes it difficult to
distinguish legitimate traffic from attack traffic.
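The paragraph above says two things a detector has to cope with: the flood is many times the normal request rate, and it comes from so many sources that blocking one address barely dents it. The script below is an added example, not code from the original article; it buckets access-log lines into fixed windows, flags windows whose volume is far above the median, and for each reports how many distinct sources took part and what fraction of the traffic the single busiest address contributes. The log lines are constructed synthetic data in Common Log Format using reserved documentation address ranges; the thresholds (10x the median, 50 distinct sources) are assumed tuning values, not a standard.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def format_line(ip, when, path="/"):
    """Render one access-log line. Used only to build the constructed sample below."""
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'


def make_sample_log():
    """Constructed, synthetic data: five regular clients each request a page every
    5 seconds for two minutes; from second 40 to 69 a flood arrives in which 300
    distinct source addresses each send a request every 2 seconds."""
    base = datetime(2017, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    regulars = [f"10.0.0.{i}" for i in range(1, 6)]
    for sec in range(0, 120, 5):
        for ip in regulars:
            lines.append(format_line(ip, base + timedelta(seconds=sec), "/index.html"))
    # 250 hosts in 198.51.100.0/24 plus 50 in 203.0.113.0/24 (documentation ranges)
    sources = [f"198.51.100.{i}" for i in range(1, 251)]
    sources += [f"203.0.113.{i}" for i in range(1, 51)]
    for sec in range(40, 70, 2):
        for ip in sources:
            lines.append(format_line(ip, base + timedelta(seconds=sec)))
    return "\n".join(lines)


def parse_log(text):
    """Yield (timestamp, source ip) for every line that matches the log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m.group("ip")


def detect_floods(text, window_seconds=10, rate_factor=10, min_sources=50):
    """Bucket requests into fixed windows and flag windows whose request count is at
    least rate_factor times the median window. For each flagged window report how
    many distinct sources took part and what share of the traffic the single busiest
    source accounts for, i.e. how much a single-IP block would actually remove."""
    per_window = defaultdict(Counter)
    for ts, ip in parse_log(text):
        key = int(ts.timestamp()) // window_seconds * window_seconds
        per_window[key][ip] += 1
    totals = {k: sum(c.values()) for k, c in per_window.items()}
    baseline = statistics.median(totals.values())  # median is robust to the flood itself
    findings = []
    for key in sorted(per_window):
        total = totals[key]
        if total < rate_factor * baseline:
            continue
        top_ip, top_count = per_window[key].most_common(1)[0]
        findings.append({
            "window_start": datetime.fromtimestamp(key, tz=timezone.utc).isoformat(),
            "requests": total,
            "distinct_sources": len(per_window[key]),
            "top_source": top_ip,
            "top_source_share": top_count / total,
            "distributed": len(per_window[key]) >= min_sources,
        })
    return findings


if __name__ == "__main__":
    for f in detect_floods(make_sample_log()):
        print(f"{f['window_start']}: {f['requests']} requests from "
              f"{f['distinct_sources']} sources; blocking {f['top_source']} "
              f"would remove {f['top_source_share']:.1%} of them")
```

On the constructed sample the three flooded windows each carry 1,510 requests from 305 addresses, and the busiest single address accounts for well under one percent of them, which is the point: a per-IP block list is the wrong tool, and the useful signals are the aggregate rate and the source count.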
PHISHING
Often posing as a request for data from a trusted third party, phishing attacks are
sent via email and ask users to click on a link and enter their personal data. It
often involves psychological manipulation, invoking urgency or fear, fooling
unsuspecting individuals into handing over confidential information.
There are a couple of concerning factors. First, phishing emails have become sophisticated and often look just like legitimate requests for information. Second, phishing technology is now being licensed out to cybercriminals, including on-demand phishing services and off-the-shelf phishing kits. Perhaps most concerning is the fact that dark web services have enabled cybercriminals to refine their campaigns and skills. In fact, phishing emails are six times more likely to be clicked than regular consumer marketing emails.
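Two of the tells described above, a link whose visible text names one site while its target is another, and wording that manufactures urgency, can be checked mechanically. The script below is an added example, not code from the original article: it parses the HTML body of a message, pairs each link’s target with its visible text, flags links whose displayed domain differs from the real host (or whose host is a bare IP address), and lists the urgency phrases present. The sample message, the urgency phrase list and the two-label “registrable domain” shortcut are all assumptions made for the demonstration; the domains are reserved example names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases phishing lures lean on to rush the reader. Assumed list, not a standard.
URGENCY_PHRASES = (
    "immediately", "within 24 hours", "suspended", "verify your account",
    "unusual activity", "final notice",
)

# Something that looks like a hostname inside link text, e.g. "https://www.examplebank.com/login"
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?(?P<host>(?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'registrable domain': the last two labels. Enough for a demonstration;
    a real implementation would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_email(html_body):
    """Return links whose visible domain differs from the real target (or whose target
    is a bare IP address), plus the urgency phrases found in the message text."""
    collector = LinkCollector()
    collector.feed(html_body)
    deceptive = []
    for href, text in collector.links:
        actual = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_IN_TEXT.search(text)
        reason = None
        if shown and registrable(shown.group("host")) != registrable(actual):
            reason = "link text shows a different domain than the target"
        elif re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", actual):
            reason = "link target is a bare IP address"
        if reason:
            deceptive.append({
                "text": text,
                "shown": shown.group("host").lower() if shown else None,
                "actual": actual,
                "reason": reason,
            })
    lowered = html_body.lower()
    urgency = [p for p in URGENCY_PHRASES if p in lowered]
    return {"deceptive_links": deceptive, "urgency_phrases": urgency}


# Constructed sample message; the domains are reserved example names, not real sites.
SAMPLE_EMAIL = """
<p>Dear customer, we detected unusual activity on your account. Your access will be
suspended within 24 hours unless you verify your account immediately at
<a href="http://secure-login.example.net/verify">https://www.examplebank.com/login</a>.</p>
<p>Questions? Visit our <a href="https://www.examplebank.com/help">help center</a>.</p>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(analyze_email(SAMPLE_EMAIL), indent=2))
```

The “help center” link passes because its text names no domain at all; only the link that displays the bank’s address while pointing elsewhere is reported. In a mail gateway this kind of check is one feature among many, but it catches the specific trick the paragraph describes without any external service.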
MALWARE
Malware, short for “malicious software,” is designed to gain access to or damage a computer. Malware is an umbrella term for a host of cyber threats including Trojans, viruses, and worms. It is often introduced to a system through email attachments, software downloads, or operating system vulnerabilities.
PHYSICAL CARD SKIMMERS
These attacks involve physically implanting a device on an asset that reads the magnetic stripe data from a payment card (e.g., ATMs, gas pumps, POS terminals). An attack like this is relatively quick and easy to carry out, with the potential for a relatively high yield, and so it is a popular action type (8%).
Cybersecurity Consequences and Costs
Costs to Firms
Three years ago, the Wall Street Journal estimated that the cost of cybercrime in the US was $100 billion. Other reports estimated that the figure was as much as ten times higher. In 2017, the average cost of a data breach is $7.35 million, compared to $5.85 million in 2014. Costs include everything from detection, containment, and recovery to business disruption, revenue loss, and equipment damage. Beyond monetary concerns, a cyber breach can also damage intangibles, such as a company’s reputation or customer goodwill.
Interestingly, companies with the highest levels of business innovation often
have costlier attacks. A “business innovation” could be anything from an
acquisition or divestiture to entry into a new geographic market. A company
acquisition or divestiture was shown to increase the cost of cybercrime
by 20% while the launch of a significant new application increased the cost
by 18%.
Cybersecurity Challenges
Factors Contributing to the Rise in Cybercrime
A “CORPORATE” BREED OF CYBERCRIMINALS HAS EMERGED
There is now an entire ecosystem of resources for cybercriminals to leverage. “Advanced
criminal attack groups now echo the skill sets of nation-state attackers. They have extensive
resources and a highly-skilled technical staff that operate with such efficiency that they
maintain normal business hours and even take the weekends and holidays off…We are even
seeing low-level criminal attackers create call centre operations to increase the impact of
their scams,” said Kevin Haley, director at Symantec.
SECURITY OF THIRD-PARTY VENDORS
If a third party gets hacked, your company is at risk of losing business data or
compromising employee information. For example, the 2013 Target data breach
that compromised 40 million customer accounts was the result of network
credentials being stolen from a third-party heating and air conditioning vendor.
A 2013 study indicated that 63% of that year’s data breach investigations were
linked to a third-party component.
INCREASED USE OF MOBILE TECHNOLOGIES BY CUSTOMERS
Due to a growing number of online targets, hacking has become easier than ever. In consumer banking, usage of mobile devices and apps has exploded. According to a 2014 Bain & Company study, mobile is the most-used banking channel in 13 of 22 countries and comprises 30% of all interactions globally. In addition, consumers have adopted mobile payment systems. For banks competing with fintech startups, customer convenience will remain important. They may have to weigh potential fraud losses against the losses from a more inconvenient user experience. Some institutions are utilizing advanced authentication to confront these added security risks, allowing customers to access their accounts via voice and facial recognition.
PROLIFERATION OF INTERNET OF THINGS (IOT)
The internet of things (IoT) refers to the idea that a wide array of devices, including appliances, vehicles, and buildings, can be interconnected. For example, if your alarm rings at 7:00 a.m., it could automatically notify your coffee maker to start brewing coffee for you. IoT revolves around machine-to-machine communication; it’s mobile, virtual, and offers instantaneous connections. There are over one billion IoT devices in use today, a number expected to be over 50 billion by 2020. The issue is that many cheaper smart devices lack proper security infrastructure. When each device on its own carries high risk, connecting them multiplies that risk, because one compromised device becomes a path to everything it talks to.
Cybersecurity Solutions Require a Multi-pronged
Approach
There isn’t a “one-size-fits-all” solution to cybersecurity. However, in general,
solutions should include both sophisticated technology and more “human”
components such as employee training and prioritization in the boardroom.
Actionable Threat Intelligence
REAL-TIME INTELLIGENCE:
Real-time intelligence is a powerful tool for preventing and containing cyber
attacks. The longer it takes to identify a hack, the more costly its consequences.
A 2013 study by the Ponemon Institute revealed that IT executives believe that
less than 10 minutes of advance notification of a security breach is sufficient time
to disable the threat. With just 60 seconds’ notification of a compromise, resulting
costs could be reduced by 40%.
COMPLEMENTARY ACTIONS:
1. Enacting a multi-layered defense strategy. Ensure that it covers your entire enterprise: all endpoints, mobile devices, applications, and data. Where possible, use encryption and two- or three-factor authentication for network and data access.
2. Performing a third-party vendor assessment or creating service-level agreements with third parties. Implement a “least privilege” policy regarding who and what others can access. Make it a habit to review the use of credentials with third parties. You could even take it a step further with a service level agreement (SLA), which contractually obligates third parties to comply with your company’s security policies. Your SLA should give your company the right to audit the third party’s compliance.
3. Continuously backing up data. This can help to safeguard against ransomware, which encrypts files and withholds the key until the victim meets the monetary demands. Backups can prove critical if your computers or servers get locked, because you would not need to pay to regain access to your data. Keep at least one copy offline or otherwise out of reach of the affected systems; ransomware that can reach a backup will encrypt it too.
4. Patching frequently. A software patch is a code update to existing software. Patches are often interim fixes between full releases. A patch may fix a software bug, address a new security vulnerability, address software stability issues, or install new drivers.
5. Whitelisting software applications. Application whitelisting prevents computers from running software that has not been explicitly approved, instead of trying to enumerate everything that is bad. This gives administrators much more control.
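Item 5 works only if “approved” means the program’s content, not its file name or folder: an attacker who drops a modified binary under an approved name would otherwise walk straight through. The script below is an added example, not code from the original article; it builds an allowlist keyed on SHA-256 digests of approved binaries, decides whether a candidate file may run, and contrasts that with a name-based check on a constructed scenario where an approved build and a one-byte-modified copy share the same file name. The files, paths and content are synthetic and created in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_allowlist(approved_paths):
    """Map SHA-256 digest -> label for every approved binary. The digest, not the
    file name or location, is the identity of an approved program."""
    return {sha256_file(p): Path(p).name for p in approved_paths}


def decide(path, allowlist):
    """Return ('allow', digest) if the file's content is on the allowlist, else ('deny', digest)."""
    digest = sha256_file(path)
    return ("allow" if digest in allowlist else "deny"), digest


def decide_by_name(path, approved_names):
    """The weaker alternative, approving by file name only. Shown for contrast."""
    return "allow" if Path(path).name in approved_names else "deny"


def demo():
    """Constructed scenario: an approved build of app.bin, and a copy that has been
    modified by a single byte but kept under the same name in another directory."""
    with tempfile.TemporaryDirectory() as tmp:
        approved = Path(tmp) / "approved" / "app.bin"
        tampered = Path(tmp) / "downloads" / "app.bin"
        approved.parent.mkdir()
        tampered.parent.mkdir()
        content = bytes(range(256)) * 16  # synthetic "binary" content
        approved.write_bytes(content)
        # same length, one byte changed (0x64 -> 0x90): a name-based check cannot tell
        tampered.write_bytes(content[:100] + b"\x90" + content[101:])

        allowlist = build_allowlist([approved])
        by_hash = {
            "approved": decide(approved, allowlist)[0],
            "tampered": decide(tampered, allowlist)[0],
        }
        by_name = {
            "approved": decide_by_name(approved, {"app.bin"}),
            "tampered": decide_by_name(tampered, {"app.bin"}),
        }
        return by_hash, by_name


if __name__ == "__main__":
    by_hash, by_name = demo()
    print("hash allowlist:", by_hash)
    print("name allowlist:", by_name)
```

The hash-based check denies the modified copy while the name-based check approves both. Real products additionally accept publisher signatures so that every patch does not require a new digest, but the principle is the same: identity comes from content or a verified signature, never from a path.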
Anti-hacker Insurance
For an organization to determine how much cyber insurance it needs, it should measure its cyber risk. It must understand how its assets are affected by a cyber attack and how to prioritize them.
Bug Bounty Programs
Another new idea in the industry is something called a bug bounty program, where
an organization pays outsiders (“friendly hackers”) to notify it of security
flaws. Companies ranging from Google and Dropbox to AT&T and LinkedIn have
already adopted this practice.
Don’t Forget the Human Component
1. An “IT problem” becomes a strategic business problem. For many CEOs
and CFOs, hacking can be frustrating because they don’t understand the
enemy. According to Richard Anderson, chairman of the Institute of Risk
Management, “There are still a lot of people sitting astride larger companies
who still regard it as something the geeks look after, rather than it being a
business issue.” However, as the statistics have demonstrated, this could not
be further from the truth.
A Deloitte white paper suggests creating a dedicated cyber threat management team and
creating a “cyber risk-aware culture.” It is also recommended that organizations designate a
chief information security officer (CISO). For example, neither JPMorgan nor Target had
CISOs when they were breached in 2014 and 2013, respectively.
2. Back to basics: Employee training. Data breaches are often the result of human psychological weaknesses. It’s therefore critical to educate your employees about the warning signs of security breaches, safe practices (being careful about opening email attachments and about where they browse), and how to respond to a suspected compromise.
Parting Thoughts
A common rebuttal to the growing attention paid to cybersecurity risks is, “What, then? Are we just supposed to stop innovating for fear of attacks?” The answer is, not exactly. However, it could be helpful for companies to view cybersecurity as a matter of ethics. That is, cybersecurity should not merely be a matter of technology, but one of morality as well. After all, is it ethical to create and sell technology that leaves consumers vulnerable? With Silicon Valley’s “growth or die” and sometimes short-sighted culture, this is likely an unpopular attitude.
However, there is precedent in other sectors. For example, the American Medical Association and American Bar Association require professionals to follow their respective ethical codes. Doctors pledge the Hippocratic oath, one of the oldest binding documents in history, which mandates that doctors vow to protect their patients. Similarly, lawyers follow the Model Rules of Professional Conduct, vowing to protect and respect their clients.
We’d all do well to remember that though technology may come and go, right and
wrong never changes.