October 15, 2015

Cybercrime Explosion: More Reasons to Think Like a Bad Guy

Fifteen years ago, there was MafiaBoy, the 15-year-old Canadian student who brought Yahoo, Amazon, Dell Inc., E-Trade, eBay, and CNN to their knees. Today, cybercrimes range from the highly visible and sophisticated attacks on Sony, Home Depot, and Target, to the massive breaches of U.S. government databases. The latter exposed the personnel records and security clearance files of more than 22.1 million individuals, including federal employees, contractors, and their families and friends.

Cybercrime has evolved radically over the last couple of decades. This evolution has taken place not so much in nature as it has in scale and sophistication, driving costs to accelerate exponentially. Last year, the Center for Strategic and International Studies pegged the annual worldwide costs of cybercrime at more than $445 billion, or 0.8 percent of global GDP. The global average cost associated with each breach is $7.6 million, while the typical dip in market capitalization after a security incident is running at 30 percent.

Gartner estimates the world will spend $79.9 billion on information security in 2015. That number will grow to $101 billion in 2018. Will it be enough?

Sophistication Heightens Intrusion Costs

Cybercrime can cost an enterprise dearly in terms of labor, productivity, and overhead. It takes an average of 31 days, and 69 percent of breaches are reported by third parties.

But the costs often run far deeper. Losses can encompass confidential competitive information such as compensation packages, market strategies, intellectual property, and trade secrets. These costs are directly correlated with the time span between breach and detection. Breach detection is running at a median of 205 days, but some breaches remain undetected for years.

Cloud, mobile devices, the Internet of Things — our digitally interconnected, technology-laden environment manages virtually every facet of our lives. It unleashes a full spectrum of criminal opportunities. Wireless connections expose vulnerabilities in contactless payment systems, local networks, cars — even insulin pumps. Mobile phones can be hacked and used as listening or image capturing devices. Key-logger malware, disguised as legitimate apps, can be unwittingly downloaded to mobile devices to steal personal banking information or employee credentials.

Hacking kits are freely available for download, with more sophisticated tools offered for sale or rent. Cybercriminals routinely scour operating systems and application code for vulnerabilities, and sell their discoveries to the highest bidder.

Dynamic Defenses

Every organization should assume it’s a target and assess its position in the threat landscape in terms of partners, vendors, customers, and competitors. Proactive response plans, as this source points out, should consider a number of questions including:

  • What is the threat landscape?
  • Who are the threat actors?
  • Is the organization under breach and unaware of it?
  • What assets are in need of the most protection?
  • Does the enterprise have strong authentication strategies in place?
  • Have insider threats from employees and third-party vendors been thoroughly assessed?

Common misconceptions focus cybersecurity exclusively on the IT domain. But far more than a technology issue, cybersecurity is a business issue. It involves awareness and behaviors throughout the enterprise, as well as financial, legal, and regulatory issues. Now more than ever, cybersecurity must be a key element of enterprise culture.
