Risk managers need to appreciate the different levels of cyber crime to successfully manage this risk
Cyber risk is constantly evolving; attacks are growing in sophistication and frequency. This is evidenced by recent large-scale hacks such as that suffered by UK broadband and telecoms supplier TalkTalk. The new cyber risk landscape has seen also seen an increase of crime from organised criminal gangs are becoming more ambitious.
The key to addressing the risk successfully is appreciating that there are different levels of cyber crimes being committed. Along with the high-profile attacks on large companies, there are small attacks that target individual citizens – all of which pose a serious risk to brand and business.
“Cyber-attacks are becoming far less scatter-gun in approach and are now highly targeted,” says Stuart Poole-Robb chief executive at KCS Group.
“Often, months of social engineering, largely internet-based research on a specific target, is used to prepare for a ‘spear phishing’ attack. Sometimes these use email addresses that are virtually indistinguishable from that of a trusted executive; they may comprise detailed personal information, making the message appear even more genuine.
“Frequently the false communications chain will result in a member of staff divulging security information or making a bank payment to a new account. Sometimes, all the unsuspecting target need do is click on an attachment to open up the entire corporate network to the latest malware, compromising all its confidential data and leaving its financial assets at the disposal of the organised criminal gangs.
“Often, these spear phishing attacks take place late on Friday afternoons when staff are often tired and rushing to get away for the weekend.”
The overall trend feels like Moore’s Law, according to Xavier Verhaeghe vice-president technology solutions EMEA at Oracle. “There is a continuous growth in information and cyber risks, and organisations and individuals try to balance the need for privacy and usability with the overall risk of information theft,” he says.
The risk is driven by firms’ increasing reliance on technology as they become more aware of the potential of being better connected and making more use of data. As operations become more sophisticated, so too do their vulnerabilities – especially now that hackers are prepared to invest serious time and money in order to succeed.
Many experts believe that over the next few years cyber attacks will increase in number, sophistication and specialisation.
“Essentially, it’s a low-risk crime with a low risk of getting caught,” says Vincent Hinderer cybercrime expert at CERT-Lexsi.
“It’s a very appealing area of criminality and we are seeing more and more criminals getting involved, from teenagers through to older, experienced lawbreakers.
“Criminals are specialising in particular areas and offer their services on a consultancy basis to other criminals and this allows relatively inexperienced criminals access to a high level of expertise,” he says.
“For example, we are still seeing attacks that leverage email but these are becoming more sophisticated with a greater degree of personalisation. Criminals are getting better at social engineering; being more believable and finding new ways to get people to click on links or open the attachments that will expose them to Malware.”
This type of attack is made easier because there is much more data now available about people in an open source format online, and criminals can use things like social media profiles to find out about those they are targeting.
“Like the firms they target they have become marketing experts,” says Hinderer.
“They learn from experience which type of scams work, and which don’t, and make their plans accordingly.”
The nature of the threat
Carmina Lees director security business unit, UK and Ireland at IBM says there are three broad areas of online risk:
Malicious insiders such as disgruntled employees who exit the company but still have access to old privileges pose as an insider threat as do inadvertent actors who fall prey to social engineering schemes that grant access to outside attackers.
In 2015, trojans, malware and malvertising have been playing their part affecting many organisations, and continue to do so. The banking industry alone has seen its fair share of attacks such as Dyre, Tinba, Sphinx and Shifu.
Over the second half of 2015, IBM security researchers started to see a huge rise in the number of calls concerning ransomware. This is a piece of malware that prevents or limits users from accessing their system or data. It forces victims to pay the ransom through certain online payment methods in order to grant access to their system.
Attackers have evolved to use encryption to hold data hostage and demand payment for the decryption key. This threat is big money and ‘Ransomware-as-a-Service’ has evolved as a toolkit for attackers to purchase. Ransomware illustrates why patching is a vital activity for businesses to engage in. However, most companies don’t do it consistently, leaving themselves vulnerable to attack.