Many businesses are ill-equipped to deal with the threats posed by profit-oriented and highly organised cyber criminal enterprises, a report has revealed.
The report, Taking the Offensive – Working together to disrupt digital crime, is based on interviews with directors of IT, resilience and business operations at large firms in the UK, US, Singapore, India and Australia.
The vast majority of companies feel constrained by regulation, available resources and a dependence on third parties when responding to cyber attacks, the study found.
Although awareness of the threat has never been higher, a majority of businesses do not comprehend the methods and motivations of the attackers or fully understand the scale of the threat, the report said.
While 94% of IT decision makers are aware that criminal entrepreneurs are blackmailing and bribing employees to gain access to organisations, 47% admit that they do not have a strategy in place to prevent it.
The report revealed that 97% of respondents have experienced a cyber attack, with half of them reporting an increase in the past two years. Some 89% expressed concern about an assault by organised crime groups, with similar percentages seeing terrorist action and state-sponsored hackers as a real danger.
At the same time, 91% of respondents believe they face obstacles in defending against digital attack, with many citing regulatory obstacles, and 44% are concerned about the dependence on third parties for aspects of their response.
Mark Hughes, CEO of BT Security, said the industry is now in an arms race with professional criminal gangs and state entities with sophisticated tradecraft.
“The 21st century cyber criminal is a ruthless and efficient entrepreneur, supported by a highly developed and rapidly evolving black market,” he said.
“With cyber crime continuing to escalate, a new approach to digital risk is needed – and that means putting yourself in the shoes of attackers. Businesses need to not only defend against cyber attacks, but also disrupt the criminal organisations that launch those attacks.
“They should certainly work closer with law enforcement, as well as partners in the cyber security marketplace.”
Paul Taylor, UK head of cyber security at professional services firm KPMG, said it is time to think differently about cyber risk. “We need to ditch the talk of hackers and recognise that our businesses are being targeted by ruthless criminal entrepreneurs with business plans and extensive resources – intent on fraud, extortion or theft of hard-won intellectual property.
“Talking generically about cyber risk doesn’t deliver insight. You need to think about credible attack scenarios against your business and consider how cyber security, fraud control, and business resilience work together to prepare for, and deal with, those threats.
“If that’s done, then cyber security can become a mainstream corporate strategy as a vital component of doing business in the digital world,” he said.
Re-examining the role of security
The report shows that chief digital risk officers (CDROs) are now being appointed to hold strategic roles which combine digital expertise with high-level management skills.
With 26% of respondents confirming that a CDRO has already been appointed, the report’s data suggests that the security role and accountability for it are being re-examined.
The research also flags the need for budgets to be adjusted, with 60% of decision makers reporting that their organisation’s cyber security is currently financed by the central IT budget, while half of those think it should come from a separate security budget.
One major challenge identified by the report is the funding and scale of research and development (R&D) spending that the criminals can bring to bear on breaching the defences of target companies.
The report quotes a number of security directors of well-known global organisations and lists examples of the many forms of criminal attacks encountered by global organisations, including various types of malware and phishing attacks.
The report also describes the business models favoured by the criminals and the black market behind them, whether they carry out high-end targeted assaults on the finance system or regular attacks on businesses and high net worth individuals, or even the commoditised attacks that affect everyone.
Security enables innovation and profit
The research points to the need to change mindsets and to regard security not simply as a defence exercise, but an enabler that facilitates digital innovation and ultimately drives profit.
“The way forward lies in ensuring that security is central to delivering the strategic goals of the company. That takes us way beyond putting up fences,” the report said.
“The successful company of tomorrow will understand the enemy and collaborate with partners to frustrate the attacker at every step, from breaching a system through to cashing in. The prize is reduced risk and improved performance.”
BT and KPMG said they are engaging with large organisations worldwide to debate the learning points of their joint research and to advise on the changes that need to be undertaken.