McAfee’s 2014 report “Net losses: Estimating the cost of Cybercrime” conservatively estimates the loss to the global economy at $375 billion. The report goes on to assert that the true figure is most likely far higher, because most cybercrime incidents go unreported: they come to light only after the event, if they come to light at all. With intellectual property theft a primary motive for cybercrime, a fraudster could steal product specifications, research results, pricing and customer data without the company being aware until a rival product beats it to launch. What’s more, companies may be reluctant to admit to being hacked for fear of damage to their reputation. The report also points out that indirect costs, such as the loss of sensitive information and opportunity costs, are difficult to put a figure on. Because hackers see cybercrime as low risk and low cost, and few cyber criminals are actually caught and prosecuted, the report warns that most companies and governments underestimate both their level of risk and the rate at which the problem is set to grow.
So, what does this mean for businesses in the UK? Last year the Guardian reported losses from online fraud as running at £670m a year in the UK alone. Online fraud covers a whole range of attacks, from identity theft to online banking hacks. The internet has changed the way we do business: our customer/client, partner and supplier data is frequently held in distributed databases or accessed via online portals. Further to this, the growth in remote and home working, and the advent of Bring Your Own Device (BYOD), means that data is shared between sites, on multiple devices, distributed via email or held on cloud-based storage systems like Dropbox.
Who is at risk?
As a starting point, any organisation that forms part of a supply chain or has employees has a responsibility to deploy best practices for online security. Generally speaking, larger compliance-driven organisations will have more rigorous security procedures in place, but irrespective of size or sector every business leader would agree that employee safety and the protection of intellectual property and financial information are fundamental.
Whilst many small to medium businesses may not see themselves as obvious targets for organised cyber criminals, recent information released by Action Fraud suggests that these, along with schools and charities, are increasingly at risk because their security protocols may not be as rigorous as those of larger enterprises with a Chief Information Security Officer on staff.
Getsafeonline.org is an internet security awareness and free advice initiative created jointly by the government, Ofcom and a number of major companies including Barclaycard and PayPal. Getsafeonline.org runs a Cyber Essentials scheme, which outlines the five essential technical controls below:
- Boundary firewalls and internet gateways – devices designed to prevent unauthorised access to or from private networks. Correct configuration of both the hardware and its software features is important for them to be fully effective.
- Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation.
- Access control – ensuring that only those who should have access to systems have it, and at the appropriate level. Access and configuration changes should be logged.
- Malware protection – ensuring that virus and malware protection is installed and kept up to date.
- Patch management – ensuring that the latest supported version of each application is used and that all necessary patches supplied by the vendor have been applied.
These are the very basics. You should also ensure that staff are educated and instructed to use strong passwords on any device and not to store sensitive company information on remote devices. It is good practice to review firewall, telephony and other server logs and watch out for irregular activity.
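As an added illustration of the log review recommended above (example code, not from Get Safe Online or the Cyber Essentials scheme), this Python script flags two kinds of irregular activity in constructed firewall log lines: a single source being denied on many distinct ports, and configuration changes made outside working hours. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not from any real device); the format is assumed.
SAMPLE_LOG = """\
2015-03-02 02:14:05 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2015-03-02 02:14:06 DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2015-03-02 02:14:07 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
2015-03-02 02:14:08 DENY src=203.0.113.7 dst=192.0.2.10 dport=445
2015-03-02 02:14:09 DENY src=203.0.113.7 dst=192.0.2.10 dport=1433
2015-03-02 09:30:11 ALLOW src=192.0.2.55 dst=198.51.100.4 dport=443
2015-03-02 03:05:00 CONFIG user=admin action=rule_add rule=allow_any_any
2015-03-02 10:15:00 CONFIG user=admin action=rule_edit rule=dmz_web
2015-03-02 12:01:44 DENY src=198.51.100.9 dst=192.0.2.10 dport=80
"""

LINE_RE = re.compile(r"^(\S+ \S+) (DENY|ALLOW|CONFIG) (.*)$")

def parse(log_text):
    """Turn each log line into (timestamp, event kind, key=value fields)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        events.append((ts, m.group(2), fields))
    return events

def noisy_deny_sources(events, threshold=5):
    """Sources denied on at least `threshold` distinct ports: worth a closer look."""
    ports = defaultdict(set)
    for ts, kind, f in events:
        if kind == "DENY":
            ports[f["src"]].add(f["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= threshold)

def out_of_hours_config_changes(events, start_hour=8, end_hour=18):
    """Configuration changes logged outside the assumed working hours."""
    return [(ts.isoformat(sep=" "), f["user"], f["action"])
            for ts, kind, f in events
            if kind == "CONFIG" and not (start_hour <= ts.hour < end_hour)]

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("sources denied on many ports:", noisy_deny_sources(ev))
    print("out-of-hours config changes:", out_of_hours_config_changes(ev))
```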
Ultimately, cyber criminals are out there, and as hacking tools become more sophisticated and readily available it would be remiss of any of us to believe ourselves immune from either an organised malicious online attack or a small-time opportunist hacker looking to make a quick financial gain. The bottom line is that organisations need to make life difficult for them by deploying strong encryption across the network.