Cybercrime is on the rise. Even without diving into research and statistics, we know this to be true. Barely a day goes by without some cybersecurity incident affecting business or government stealing the headlines – so when we do take a look at the figures, we should be neither shocked nor surprised to observe the graph lines climbing.
Last year, a report from the Center for Strategic and International Studies (CSIS) in partnership with McAfee revealed that worldwide cybercrime cost an estimated $600 billion per year. That’s up from $500 billion in 2014 – and the rise is showing no signs of slowing down. “Cybercrime is relentless, undiminished, and unlikely to stop,” writes report author James Lewis, Senior Vice President and Director, Technology Policy Program, at CSIS. “It is just too easy and too rewarding, and the chances of being caught and punished are perceived as being too low.”
Why? Because cybercrime is a low-risk crime with potentially high-profit pay-offs. “Cybercrime remains far too easy since many technology users fail to take the most basic protective measures, and many technology products lack adequate defenses,” continues Lewis. “Cybercriminals, meanwhile, use both simple and advanced technology to identify targets, automate software creation and delivery, and monetize what they steal.”
Future projections suggest that the picture is only going to get worse. In January 2019, a new report from Accenture – Securing the Digital Economy: Reinventing the Internet for Trust – forecast that companies globally could incur $5.2 trillion in additional costs and lost revenue over the next five years due to cybercrime. The report notes that cybercrime in all its guises poses significant challenges that can threaten business operations, innovation and growth, and the expansion into new products and services. The high tech industry faces the highest risk in terms of potential costs and losses ($753 billion), followed by the life sciences ($642 billion) and automotive ($505 billion) industries – though practically all sectors have tens if not hundreds of billions of dollars hanging in the balance.
(Image source: accenture.com)
So, what can organizations do? Well, you can’t stop cybercrime – but can you can take measures to protect your organization against it. Here are five ways to fortify your cybercrime defenses.
- Expect Attacks, and Prepare
It’s an old adage – but if you fail to plan, then you plan to fail, and all CIOs, CISOs, and CEOs at all organizations should know that their business is a target, and will be targeted by cybercriminals sooner or later.
In fact, over two-thirds of businesses already operate under this assumption. 79% of the 400 IT and security professionals who took part in the Unknown Network Survey in 2018 said that their companies had been hit by a breach over the past year, and 68% expected to be impacted by a further breach in the following twelve months. However, despite this, the survey also revealed that the majority of organizations knew very little about the nature of the security breaches that actually took place. Fewer than half (48%) felt fully confident they would know if a breach had even occurred, only 42% felt confident they could identify what data was accessed during a breach, and just 39% felt confident they could identify a breach’s source.
(Image source: helpnetsecurity.com)
Organizations need to be making regular and thorough analyses of the cybercrime threat landscape to develop what Barclays Bank Managing Director of Cybersecurity Paul Gillen calls “situational awareness”. Gillen says that organizations need to be analyzing the threats that are particular to their business, and be building an armory of the most appropriate cybersecurity tools ahead of time – instead of waiting until the horse has bolted before they lock the stable door.
“I think taking matters into your own hands is vital,” says Gillen. “If you’re thinking about cybersecurity after you’ve had a breach, you’re already in trouble; you’re panicking and in a frenzy, so you’re not able to take advice in, and it’s not the time to start. Being threat-centric is very important. Identifying where you do business, what sector you’re in and what the threat to your sector is beforehand will stand you in good stead. You can’t protect against everything; to use Frederick the Great’s famous saying: ‘He who defends everything, defends nothing’. But knowing what your most valuable IT elements are, who is using them, what the access is, and then using the best possible security possible around them is an important step.”
- Train and Educate Your Staff About Cybercrime Threats
Ok, so organizations need to be prepared – but what does it really mean to be a good boy scout when it comes to protecting your business against cybercrime?
Well, first, it means training and educating your staff on cybersecurity. Untrained and uneducated staff represent the weakest points in any cyber-defense system – even one that is otherwise well tooled-up and strong. Organizations need to realize that they are just one stupid password or one careless click on a phishing email away from a serious data breach – and all employees need to be hyper-aware of this, too.
The CSIS and McAfee report estimates that computer internet users face 80 billion malicious scans each day. There are also 33,000 phishing attacks and 4,000 ransomware attacks daily, with about 780,000 records lost to hacking. The threats are real, they are persistent, and they are everywhere.
(Image source: mcafee.com)
The most common vector of attack is still email, meaning staff who lack education on how to identify phishy-looking correspondence are leaving their businesses vulnerable. What’s more, even if staff aren’t acting carelessly or are otherwise ignorant, today’s workers are nonetheless extremely busy – and cybercriminals are exploiting this with phishing emails purporting to come from senior management enticing employees to “act urgently”. All staff need to be trained on cybersecurity risks – including how to recognize phishing scams, the importance of using strong passwords, the dangers of unsecured networks, and all other elements of information security – in order for the business to be as firmly protected as possible at all times.
- Get the Basics Right and Regularly Update Your Systems
Protection against cybercrime doesn’t necessarily require the most sophisticated defenses – just good practices that are adhered to stringently. CSIS and McAfee stress that uniform implementation of basic security measures – such as regular updating and patching – remains critical in protecting businesses against the most common threats of cybercrime.
The truth is that it is a struggle – even a hassle – to keep all operating systems, software and programs updated all the time, and it can even be something of a financial burden for companies to contend with. But the risks are too great to take your eye off the ball for an instant – and the costs of a breach too severe to be stingy with budgets. Old and outdated systems are chock-a-block with security vulnerabilities, which can and will be exploited to carry out cybercrime attacks. Time must be invested to have them routinely updated – and money invested in robust defensive technologies such as strong firewalls and the latest security software.
- Separate, Encrypt, and Backup Your Data
Do banks keep their vaults out on the street? Of course they don’t. They’re behind layer after layer of security – locked doors, thick walls, checkpoints, security cameras. Data should be treated in the same way. It needs to be hidden, out of sight, and out of access – even to employees. There needs to be layers between your systems. The more walls, checkpoints and locked doors you can put your data behind, the safer it is.
Even so, an effective data protection strategy will only be effective if that data can still be rendered useless should a cybercriminal manage to wriggle through your defenses. Organizations can achieve this by encrypting all sensitive data, including customer and employee information, and all other business data. And again, whatever software is used to perform the encryption must be activated and regularly updated on all company devices and systems.
Then, after encryption comes backup. Cloud solutions are available for this in the form of Backup as a Service (BaaS) and Disaster Recovery as a Service (DRaaS) solutions, which organizations should be investing in – not least to protect against the growing cybercrime of ransomware attacks.
- Prioritize Security by Design
Security can no longer be an afterthought. Patching security holes and addressing vulnerabilities only after they’ve been exploited will never be as effective as designing systems to be as secure as humanly possible from the very start.
This may require additional investment at each stage of a product or service’s development, but when you consider the costs of a breach – loss of productivity, revenue, and reputation; costs of fines, lawsuits, and recalls – security by design investment costs pale to near insignificance in comparison.
CEOs today already recognize the importance of security by design. In fact, 83% of Accenture’s survey respondents for its Securing the Digital Economy report agreed that organizations must accept the trade-off between time to market and ensuring secure, sustainable growth – and they always choose secure growth, even in the face of pressure for short-term performance.
Protecting your business against cybercrime never ends. It is an ongoing commitment an organization must make at all levels and at all times. Employees must be adequately trained, security investments must be made, and all data must be locked away, backed up and encrypted. Above all, a true culture of security must be fostered – protecting against cybercrime doesn’t just mean avoiding the perils of cyberattacks, but ensuring the resilience of the entire business. As such, one of the best strategies an organization can formulate is to bring a CISO to the board. This will provide the opportunity to educate fellow board members, and enable the entire organization to become more security-savvy, and far better at managing risk.
The last word goes to Omar Abbosh, Chief Executive of Communications, Media & Technology at Accenture. “Internet security is lagging behind the sophistication of cybercriminals and is leading to an erosion of trust in the digital economy. Strengthening internet security requires decisive – and, at times, unconventional – leadership by CEOs, not just CISOs. To become a cyber-resilient enterprise, companies need to start by bringing CISOs’ expertise to the board, ensuring security is built-in from the initial design stage, and that all business managers are held responsible for security and data privacy.”