Here we are in the middle of 2016 and the cybercrime wave that has been the hot topic for more than two years continues to rumble on. We are in fact in a bizarre situation where we, as well as commercial competitors, have cybercriminals competing with us. The competition in this case is for data, an item that straddles all industry sectors. Cybercriminals make a lot of money from the data they compromise. It is estimated that currently, cybercrime is costing the global economy around $450 billion annually. Some, like Juniper Research, are predicting those costs will spiral to around $2 trillion by 2019. Once you start describing losses in the trillions, rather than billions, you know you really do need to take stock. Analysts, HPS, have shown that cybercrime is truly a globally competitive business, comparing it to the likes of Apple and Microsoft in terms of revenue generation. Cybercrime is a formidable and successful competitor in today’s data stakes.
With a business model this effective, cybercrime is set to continue as a major threat to normal business operations. Changes in the threat landscape, such as models enabling cybercrime, like ‘Malware as a Service (MaaS)’, make this onslaught of attacks even more likely. We are left with no option but to take this all very seriously. It’s too bad though that the old methods of defense, like anti-virus software, are showing cracks in their armor. With anti-virus vendors like Symantec stating that anti-virus software is only effective against 45% of viruses. We need to move to a new paradigm in our approach to mitigation of cyber threats – the war against cybercrime is now about a simple concept…awareness.
The Biggest Threat is You
Any type of crime, be it real world or digital, has an element of human behavior about it. One of the world’s most famous scams, the Ponzi Scheme, carried out back in 1920 was based on the basic human behavior to accumulate resources – in this case, lots of money. Today, cybercriminal scams also focus on human behavior to elicit knee-jerk reactions. Phishing, a technique based on social engineering, which encourages its target to perform an action that benefits the cybercriminal, is the most successful vector for cybercrime according to a report by Phishlabs. And in 2016 this continues to be the case with the first quarter of 2016 seeing an increase of 250% in phishing attacks. Phishing is a perfect example of the use of human behavior to exact an outcome. Phishing comes in a myriad of forms, morphing into new ones as older ones become recognizable and less effective. The reason why this method is so successful, with SANS Institute, estimating that phishing is behind 95% of all security breaches, is because the successful cybercriminal uses their knowledge of how we tick as much as they use software code. What this means for us, as business owners, IT staff and company employees, is that we need to be much more aware when it comes to security, especially cyber. With the type of cyber-threat climate we face today, we cannot rely solely on technology to get us out of sticky cyber-situations.
Being Security Aware
Being security aware is about creating a culture of security within an organization. In practice this will require everyone, from the board, to the IT department, to the sales team, out into your extended third party vendor system, to understand the implications of the modern cyber security threat.
Security awareness includes understanding the security requirements and impact of common standards and compliance, such as HIPPA and PCI-DSS. However, security awareness is much more than just complying with laws. Security awareness is about knowledge and understanding of what the threat landscape has in store for us, and the techniques used against our organization and ourselves. To be security aware you need to:
1. Know the types of attacks being targeted at your specific industry area (check out our industry series covering six industry sectors, and the types and levels of cybercrime they experience)
2. Use this knowledge to setup the best type of security awareness program to put in place in your company
3. Use special programs, like phishing awareness to train your staff and extended vendor ecosystem in what a phishing campaign will look like. This can include creating mock phishing attacks. Metrics from these mock attacks can also help you to understand where in the organization to concentrate security awareness training on.
4. Recognize that security awareness is an ongoing activity. Cybercrime is not a static practice; it morphs and changes to optimize better outcomes. The fact that cybercrime revenue is up there with the most successful companies in the world is a testament to the cyber criminal’s continuous improvement of their business models.
Being mindful of the benefits of security awareness is a modern way of tackling cyber crime. It allows us to form a concentrated defense system, utilizing the very thing that cybercriminals rely on to bring about a breach – ourselves.