The growing threat of cybercrime, from inside an organisation as well as outside, calls for robust counter-measures. Jessica Twentyman investigates online crime
Forget what you think you know about the cybercriminals who prowl corporate networks looking for customer data and intellectual property to steal. These days, they’re less likely to be introverted teenage malcontents skulking in darkened bedrooms and more likely to be hardened criminals, operating as part of an organised gang.
That’s the verdict of criminologist Michael McGuire, of the John Grieve Centre for Policing and Security at London Metropolitan University. In a recent report, Organised Crime in the Digital Age, commissioned by security specialists BAE Detica, Dr McGuire says around 80 per cent of digital attacks may originate in the world of organised crime and almost half (43 per cent) of perpetrators are over 35 years old.
What’s more, they’re not as tech-savvy as you might imagine, because the widespread online availability of off-the-shelf tools for conducting cyber-attacks – often referred to as “crimeware” – means the barrier to entry for this kind of activity is lower than it has ever been.
As the real and online worlds converge, both the frequency and the variety of offences are increasing
“Digital crime is evolving, fast. As the real and online worlds converge, both the frequency and the variety of offences are increasing,” says Dr McGuire. The spectrum of activity and players, he adds, is “broad, bewildering and constantly changing”.
It’s also costing British businesses dearly, with costs running into billions of pounds each year, according to new research conducted by management consultancy PricewaterhouseCoopers (PwC).
In its 2012 Information Security Breaches Survey, which canvassed 447 UK firms, it found that, on average, each large organisation withstood some 54 significant digital assaults in 2011, while one in seven had their networks successfully penetrated by unauthorised parties. Small and medium-sized enterprises (SMEs), meanwhile, reported an average of one assault per month.
The average cost of a major security breach at a large firm was between £110,000 and £250,000, a figure that drops to between £15,000 and £30,000 for SMEs.
“Large organisations are more visible to attackers, which increases the likelihood of an attack on their IT systems,” says Chris Potter, information security partner at PwC. “They also have more staff and more staff-related breaches which may explain why small businesses report fewer breaches than larger ones. However, it is also true that small businesses tend to have less mature controls and so may not detect the more sophisticated attacks.”
Poor rates of detection are a widespread problem, agrees John Yeo, director of Trustwave SpiderLabs, a company that, among other IT security-related activities, performs post-breach forensic investigation at businesses that have fallen foul of cybercriminals.
In 2011, the company performed 300 data breach investigations at companies in 18 countries. “One of the more common misconceptions is that a data breach is very readily apparent to the victim organisation,” says Mr Yeo. “The reality is quite different: in only 16 per cent of the 300 investigations we performed last year was the victim able to self-detect an intrusion.” The remainder – a whopping 84 per cent – had to rely on their customers, a regulatory body, law enforcement agencies and credit card processors to alert them to the breach.
If the majority of companies don’t even know their systems have been breached, then better approaches to data protection are clearly needed. “But the fact that headlines tend to be dominated by news of highly sophisticated attacks on very large multinationals means that many SMEs simply don’t realise they’re a target,” says Greg Day, chief technology officer at IT security specialist Symantec. As a result, many managers in companies of this size are genuinely bewildered when the worst happens, he adds.
For many organisations, the answer will be to invest in intrusion detection technology that monitors networks and systems for suspicious activity and policy violations, alerting the IT team to these and enabling them to take prompt action.
“Traditionally, companies have tended to design security infrastructure from the perspective of outside in – building a strong perimeter and then applying layers inwards with the aim of stopping bad things from happening,” says Rik Ferguson, director of security research at IT security company Trend Micro.
“Today, that mindset needs to change. Organisations need to build security infrastructure from the inside-out, with the understanding that bad things will happen and they need real-time intelligence that will allow them to react quickly and effectively when it does,” says Mr Ferguson.
That means focusing on the data that an organisation is trying to protect, rather than infrastructure. “So with this in mind, encrypting data should be your first step and restricting access to it should be your second. Secure the perimeters of individual servers and then build further layers out from the centre, rather than in from the edge,” he says.
But data protection isn’t just about technology. It’s about employee behaviour, too, as PwC’s 2012 Information Security Breaches Survey found. In the survey, a substantial 82 per cent of large organisations (and 45 per cent of small businesses) reported security breaches caused by staff, and 47 per cent (20 per cent of small businesses) said staff had lost or leaked confidential information.
That’s not to say that employees are sharing data with others out of malicious intent, although a few undoubtedly are. As the survey shows, much of this data leakage is associated with the rising culture of employees using their own mobile devices for work – the so-called “consumerisation” of IT.
Some 75 per cent of large organisations (and 61 per cent of small businesses) allow staff to use smartphones and tablets to connect to their corporate systems, and yet only 39 per cent (and 24 per cent of small businesses) apply data encryption on these devices.
“With the explosion of new mobile devices, and the blurring of lines between work and personal life, organisations are opening their systems up to massive risk,” says PwC’s Mr Potter. Smartphones and tablet computers are often lost or stolen, and the data they hold then runs the risk of being exposed to unauthorised parties, he warns. Plus, “mobile devices can literally drill straight through your security defences, if you’re not careful.”
What’s needed, he says, is greater effort in educating employees about data security risks. In PwC’s survey, more than a half of small businesses (54 per cent) and over a third of large businesses (38 per cent) don’t have any kind of programme for educating staff about security. Only 26 per cent of respondents that do have a security policy believe staff have a very good understanding of it, while 21 per cent think the level of staff understanding is poor. In fact, three quarters (75 per cent) of organisations, whose security policy is poorly understood, suffered staff-related security breaches in the last year.
“It’s vital to tell your staff about the risks. If you don’t, your own people could inadvertently become your worst security enemy,” says Mr Potter. “Setting out your security is essential to ensure staff know what risks to look out for, how to handle data appropriately and what to do if a breach occurs.”
A duty to disclose?
The vast majority of IT security breaches go unreported and, when big companies like electronics giant Sony or security specialist RSA have been forced to “go public” about a successful attack on their systems, they’ve quickly become targets of widespread public criticism.
But when new European Union (EU) data privacy rules come into force in two years’ time, other, much smaller organisations may face a similar fate. A draft regulation published by the EU in January 2012 proposes to force all organisations to report data breaches within 24 hours of realising they’ve happened – not just to the data protection authority in the country where that organisation has its main European operations, (in the case of UK organisations, the Information Commissioner’s Office), but also to every individual whose data has been compromised.
These new rules, moreover, will apply not only to European businesses, but also to any business serving European customers and any data collected on European consumers.
And the costs for non-compliance will be substantial – the 118-page draft regulation contains a proposal to fine companies up to 2 per cent of their annual turnover if they are found to be in violation of the rules.
Right now, the proposed rules are still in the early stages of a long, bureaucratic process and may undergo some changes before they come into force. But it’s worth noting that the EC is acting by Regulation, a top-down set of rules that will be imposed uniformly across its 27 member states, rather than by Directive (as was the case when the existing data rules were laid out in the 1995 EU Data Privacy Directive), whereby individual nations have the chance to make their own adjustments. This suggests that the new obligations are very unlikely to be watered down during the intervening period of consultation.