Last year, the global price tag of cybercrime reportedly reached $113 billion per year, with reparations per victim averaging around $300—that makes 378 million victims yearly, or a little over 1 million users a day.
Unfortunately, the future doesn’t look much brighter. Experian’s newest white paper reveals that companies are attacked on average about 17,000 times a year. Clearly, no tool or solution can protect against all attacks, meaning it is inevitable that companies will be penetrated and user data will be compromised.
In addition to these alarming statistics, the stories of high-profile hacks and breaches flooding the news further underscore cybercrime’s growing severity. At the same time, however, cybercrime is much more than a large retailer’s data being compromised. Cybercrime comes in many different shapes and sizes.
In observance of the fifth and final week of the National Cyber Security Awareness Month, it is necessary that we develop a better understanding of cybercrime’s different forms, some of the worst threats, as well as what we can do to defend against them.
Cybercrime and Today’s Threats
“Threats that users face from normal usage of the Internet include account hijacking, identity theft, bank and credit card fraud, loss and abuse of personal health information, ransomware, blackmail, scam attempts, stalking and bullying, child soliciting, child abuse, and critical loss of privacy,” said Claus Cramon Houmann, IT Director at a bank based in Luxembourg.
But it gets worse. The many ways in which cybercriminals perpetrate misdeeds against users are proportionate to the number of devices now connected to the Internet, adds Irfahn Khimji, CISSP and Senior Security Engineer at Tripwire: “Everything is online these days, from your phone, to your watch, to your car, to your garage door opener. While there are so many ways to make one’s life easier, there are so many vectors of attack for an attacker.”
To be fair, it wasn’t always this way.
A decade ago, criminals were interested in compromising an end-user’s computer, explains Mark Stanislav, Security Project Manager at Duo Security. “Today, however, the focus is to pilfer passwords for important accounts. As the de-perimeterization of the Internet continues due to the current era of mobile and cloud computing, data will become more exposed than ever.”
Stanislav goes on to explain that businesses today, due to the advent of the cloud, are more willing than ever to use services such as Salesforce.com, Google Apps and GitHub, at the expense of some control over their data.
This, in turn, leads to some egregious instances of cybercrime.
First, there are attacks against the end-user regardless of what system they might be using. John Walker, CTO of Integral Security Xassurance, Ltd, is familiar with this form of cybercrime: “When we consider the implications of end-user system compromise or takeover – whether on PC or smartphone, and with the realization that the threat could be Operating System Agnostic [OSA] – you don’t have to be a rocket scientist to realize where the threat may be coming from.”
Not surprisingly, the nature and frequency of the types of cybercrime explained above can at times make us feel overwhelmed. As Tim Erlin, Director of Product Management at Tripwire, stresses, “We have seen an unprecedented series of high profile breaches over the last 12 months, starting with Target and continuing with more organizations.”
When information security professionals and practitioners examine the most serious threats, they can’t help but have this context in mind. “It’s tempting to look at the situation, consider the attacks and breaches we haven’t detected, and descend into an abyss of self-repeating Fear, Uncertainty, and Doubt,” said Erlin.
Clearly, cybercrime is pervasive, but that doesn’t guarantee each and every attack will succeed. We as information security professionals need to overcome FUD and implement measures that will protect our networks against cybercriminals.
To defend against attacks, we need to focus on two anti-cybercrime measures in particular: authentication and awareness.
One way to defend against cybercrime is to strengthen our companies’ authentication protocols. This includes implementing two-factor authentication. Stanislav expands upon this recommendation: “Two-factor authentication is the most affordable and effective security control to protect the wealth of data behind a user’s account. With options involving mobile applications, SMS, hardware tokens, and many other choices, two-factor authentication is a huge hurdle for your common attacker and can dramatically reduce the risks threatening critical data.”
More advanced authentication measures might also be beneficial. These could include technologies that are focused on prevention, adds Houmann. “A deterrent for performing malicious actions online could be to implement authentication protocols that use time- and location-aware metrics, thus empowering websites/services to record who did/said what, where, and when to whom.”
Such tools could address the rising prominence of cyber bullying and web-based child abuse.
Security solutions are beneficial, but to truly protect ourselves against cybercrime, we must ultimately realize that cybercrime is an intrinsically human affair where one individual tries to trick and exploit another.
With this in mind, we must focus on user education by implementing security campaigns in the workplace, as Walker suggests: “Whilst the installation of some security application or tool may serve as part of a mitigation strategy, nothing is as strong as educating end-users about threats they may face online. The cybercrime threat is persistent, and the solution we need to reduce the danger to users, their systems, and data assets is obvious: we need a security campaign that includes all staff persons and not just the IT department.”
We should also aim to educate our peers, including children, about cyber threats at home. Khimji is a strong proponent of this idea: “We teach our children to watch out for suspicious activity while walking home from school. Similarly, we should teach them, and remind ourselves, to watch out for suspicious activity online.”
Finally, we can and should enhance our own workplace awareness by focusing on increasing the visibility of the networks we monitor. Erlin explains: “Organizations should ensure they have full awareness of what’s on their network, and what’s happening on their hosts. That visibility can alleviate fear. Uncertainty and doubt both come from a lack of proof, and opportunity to question decisions in the face of an incident. Tools that help demonstrate a clear state are valuable in removing uncertainty. Being able to prove that you aren’t breached is as valuable as detecting that you are. There’s no substitute for preparation, and the right time to prepare your breach response is before you need it. You can remove in-the-moment doubt from your response through preparation, and don’t forget to include a public communications plan as well.”
Cybercrime Prevention Depends on Us
Cybercrime may come in many different forms. But in support of the overall message of NCSAM, an educated user, in conjunction with some strong security controls, can go a long way towards defending against each and every one of them.