Business needs to take cyber crime very seriously, said Troels Oerting, head of Europol’s European Cybercrime Centre (EC3).
“At some time or other all businesses are likely to be hit by cyber crime as the world becomes increasingly online,” Troels Oerting told Computer Weekly.
“Companies that do not think information security is important should reconsider, otherwise they could end up going out of business.”
The threat of cyber crime is much greater than most people think, he said, because much of it still goes unreported.
“We know of a lot of cyber crimes that are very costly to business that are not reported to the police,” said Oerting.
“We also see losses through fraud and other crimes of more than €9m in some months, but these are going unreported.”
Oerting believes the main reasons for not reporting cyber crime are to avoid reputational damage, and because many businesses do not think it will make any real difference.
“This is one of the reasons Europe’s proposed directive on network and information security (NIS) will make it mandatory for companies at a certain level to report security breaches,” said Oerting.
Benefits of sharing attack data
This will ensure that shareholders will be informed if a company’s intellectual property has been stolen. It will provide more data about the type and level of cyber threats to businesses.
“While even competitors in certain sectors such as financial services already share this type of data, threat information is not widely available to enable companies across all sectors to know what they are up against,” said Oerting.
He believes the NIS directive will encourage more organisations to share information about data breaches and cyber crime, as well as help them understand they need to be prepared.
“Businesses are more likely to share information if they realise they are not alone in being targeted by cyber criminals, and that attacks of this kind are now a normal part of business,” said Oerting.
“The focus should not be on sensationalising data breaches and hanging people out to dry, but rather on finding easier and better ways of enabling businesses and people to transact more securely.”
By sharing more information about breaches and attempted breaches, Oerting said businesses could play a key role in helping cyber crime fighters such as EC3.
While such co-operation would be of mutual benefit, he said it could form part of corporate social responsibility programmes.
“We need to know who is behind the cyber crimes hitting businesses, so that we can identify and investigate the key players and set about disrupting their infrastructure,” he said.
“We need to be able to make it more difficult and less attractive to be a cyber criminal, by increasing the cost and risk of industrialised, services-based cyber crime.”
Tackling cyber crime as a service
According to a recent EC3 report, the cyber crime support industry is becoming increasingly commercialised, with specialists developing products and services for use by other cyber criminals.
Consequently, a key strategy for EC3 is to focus on taking down the top 100 malware producers who are enabling thousands of others with their services model.
Due to this model, a growing number of people with lower-level skills can carry out extremely sophisticated cyber criminal operations.
“While banks and some big companies have the resources to be very good at cyber security and successful in protecting their data, mid- to small-sized companies tend to struggle,” said Oerting.
“Security officers find it difficult to persuade boards to allocate money and attention to information security as it cannot be translated directly into revenue for the business.”
The second reason boards tend to be unwilling to allocate additional resources to information security is that they believe they are unlikely – or too small – to be of interest to cyber criminals. “In both areas, they are mistaken,” said Oerting.
Security efficiency and reputation
He believes security does not necessarily have to be very costly, and businesses should be looking to achieve efficient security.
“That has nothing to do with cost, it is about having the right procedures at the right time for a particular company,” said Oerting.
“It is also about not being overwhelmed by a security supplier that wants to sell you a solution that far exceeds your needs and taking care to avoid unnecessary complexity.”
In summary, Oerting said that, as organisations increasingly become custodians of personal data, they should take threats to that data very seriously – and take appropriate steps to keep it safe.
“When people hand over their data, there is an expectation that it will be protected, which is a responsibility that should also be taken seriously,” he said.
Oerting believes businesses that invest in the right processes, procedures and technologies will be rewarded in the longer term – but failure to do so could have devastating consequences.