The year of 2018 was marked by several reports on the spiralling cost of cyber crime to businesses as well as to the national and the global economy, as the cyber security industry turned to the bottom line as a motivator for decision makers to prioritise defence against cyber criminal activities.
The focus on the cost of cyber crime also highlighted the profits to be made by cyber criminals, who more than ever before have organised their operations along the same lines as conventional business to take advantage of shared efforts and economies of scale.
Given the financial incentives, it is unsurprising that 2018 saw the continued increase of cyber crime globally, with crimes in this category up 63% in the UK alone.
This led the National Cyber Security Centre (NCSC) to conclude that the cyber crime threat to business had reached its highest level to date, and the government to urge businesses to take action to reduce the likelihood of becoming victims, with the volume, and in some cases the level of sophistication, of cyber attacks increasing as the lines between cyber criminal and nation state attacks continued to blur.
Another hallmark of cyber crime in 2018 was the rapid rise of cryptojacking as a means of making money for cyber criminals, overtaking ransomware as the most popular cyber crime type. At the same time, 2018 saw increased warnings from security researchers about potential attacks against critical infrastructure.
Unsurprisingly, cyber crime investigations also saw an upward trend this year as UK police reskill to tackle this rapidly growing category of crime, which was identified towards the year’s end as one of the most significant harms facing society by a top cyber cop, who reiterated calls earlier in the year for business to become more proactive about fighting and reporting cyber crime.
In another retrospective of the year, the Cabinet Office said the UK’s National Cyber Security Strategy is “making good progress”, but acknowledged that there is still much work to be done, calling on UK businesses to join forces with government and each other in raising cyber defence capability.
Early in the year, a study by McAfee and the Center for Strategic and International Studies revealed that the cost of cyber crime was “conservatively” calculated at 0.8% of global GDP, underlining why businesses need to take the economic impact of crime more seriously, especially in Europe where the impact of cyber crime was highest at 0.84% of regional GDP.
According to the report, cyber crime services were a key driver for cyber crime, with flourishing markets offering a broad range of tools and services, lowering the barrier to entry. The report also provided the first indication that ransomware was beginning to wane as the top cyber criminal activity as focus switched to cryptocurrencies.
In April, research showed that cyber criminal operations worldwide were generating annual revenues of $1.5tn through a web of profit that involves legitimate businesses. Another study revealed that the highest-earning cyber criminals were making up to $2m a year, while by August, a report found that more than $1m was being lost to cyber crime every minute.
A report from the Office for National Statistics (ONS) in January set the cyber crime tone for the year by showing that despite an overall decrease in fraud and computer misuse in 2017, incidents involving computer misuse and malware against business were up 63%, indicating a shift in focus from consumers to the potentially more profitable enterprise sector.
The first call in 2018 for greater collaboration between government, law enforcement and business to combat cyber crime came in April, when a joint cyber threat report by the NCSC and National Crime Agency (NCA) warned that criminals were carrying out more cyber attacks on UK businesses than ever before.
The report identified the hijacking of business computers for illicit cryptocurrency generation as an emerging trend and contained the first call of the year on business to report all cyber crime. The under-reporting of cyber crime by businesses means crucial evidence and intelligence about cyber threats and offenders is lost, the report said.
In August, we reported that the cyber crime markets on the dark web were thriving, with demand for malware creation three times greater than supply.
In the face of the increased volume of cyber crime, with four in 10 businesses suffering a data breach in 2017, the UK government urged organisations to focus on improving their cyber defences, especially in the light of the fact that 11% of large firms were found to be failing to take any action to identify cyber risks.
Cyber attacks by nation states used to be a small part of the problem for state authorities to address, but now all organisations are potential targets of nation state attacks, according to former GCHQ head Robert Hannigan.
This is mainly due to the fact that there is a crossover between nation states and criminal groups acting on their behalf, with the same people working on nation state cyber activities by day and criminal activities by night.
Illicit cryptocurrency mining offers cyber criminals lower risk, higher efficacy and greater ease of making money, adding passive exploitation to ransomware extortion, data breach theft and fraud, a report revealed.
Data analysis of the first three months of the year showed that cyber criminals were extending their operations in cryptojacking and other cryptocurrency mining schemes, where perpetrators hijack victims’ browsers or infect their systems to secretly use them to mine for legitimate cryptocurrencies such as bitcoin. This trend continued throughout the year to become the most popular cyber criminal activity.
Cyber attacks on critical infrastructure and industrial control systems, in particular, were a theme throughout the year. In August, we reported that a study had revealed that there was evidence that cyber attackers were specialising in industrial control systems, and that they were fast, efficient and able to move between IT and OT environments.
Accessing the OT environment is the ultimate goal of these specialised attackers, the study found, because these systems operate the pumps, monitors, breakers and other hardware found in utility providers that could be used to control or disrupt services.
Putting cyber crime in perspective, detective chief superintendent Pete O’Doherty, lead of cyber and head of economic crime at the City of London Police, told the information security track of the International Security Expo 2018 in London in November that cyber crime is the biggest evolving crime type in the UK and beyond in terms of volume and complexity.
Days later, a Parliament Street report revealed that UK police forces are under increasing pressure to launch criminal investigations into incidents of social media and computer hacking. The report found that police investigations into cyber crime were up 14% in a year, with officers forced to follow up over 2,500 complaints of Instagram, Facebook, email and website hacking, and bitcoin ransom, despite a rise in violent crime.
Despite the growing threat to business by cyber crime, another recurrent theme of 2018 was the fact that many businesses are still not reporting cyber crimes to the police.
Computer Weekly spoke to the NCA to lift the veil on cyber crime reporting, looking at the who, what, when, where, how and why to help businesses understand the importance and value of reporting to police when they are targeted by cyber criminal activities.
In response to the growing cyber crime threat, the City of London Police, which is the national lead on cyber crime, has introduced several initiatives aimed at enabling an intelligence-led approach to fight cyber crime, seeking to disrupt cyber criminal infrastructure and increase organisations’ understanding of how to protect themselves, with initiatives such as Cyber Griffin, which will see specially trained officers lead a series of community-focused exercises.
The National Cyber Security Strategy is making good progress, but there is much left to be done, according to Mark Sayers, deputy director, National Cyber Security Strategy, at the Cabinet Office.
Speaking at the International Security Expo 2018 in London in November, Sayers said key achievements of the strategy to date include the establishment of the NCSC, continued government investment in building cyber capabilities across UK law enforcement, the introduction of a Cyber Discovery programme for 14 to 18 year olds, the establishment of a cyber accelerator in London, and the strengthening of collaboration around cyber security with UK allies.
Going forward, Sayers said government will increase its focus on helping company boards better understand the cyber risks they face and the action they can take, increase efforts to reduce the cyber security skills shortage, and encourage industry to follow the principles of security by design.