Cyber crime is on the rise despite IT’s best efforts
Each year more money is being spent on cyber security yet cyber crime continues to rise significantly. It was a $450 billion problem in 2015. It is estimated to reach a staggering $6 trillion by 2021 and $30 trillion by 2030.
Cyber crime affects your organisation – your employees, your business partners, your customers and your shareholders. Above all it affects you. Company directors have lost their jobs in the past because of cyber crime.
Yet it doesn’t have to be this way. A change in the way we perceive cyber crime and how to address it can significantly reduce the impacts it has on your organisation.
By understanding why IT is struggling to keep up with cyber criminals and why IT needs your help, you can reduce cyber crime to within the risk appetite that has been set by the board of directors and see a correlation between combating cyber crime and a positive impact on the bottom line of your organisation.
# 1. The price of creating a hyperconnected, always-switched-on world
Firstly, e-commerce platforms allowed auctions and shopping to go online. Shortly thereafter banking jumped on the bandwagon to allow us to move money around at the speed of light. Social media then had us further leaning in as a way of keeping in touch with friends, acquaintances, long-lost family members and even to keep tabs on our foes. Long gone were the days of writing a letter to a pen pal. The smartphone then added another dimension of being always contactable and always just an email, SMS or tweet away, blurring the line between work and life. Now we are connecting everything else to the Internet, from refrigerators to cars, coffee machines to TVs, pacemakers to houses. It’s all going online.
In the next five years, the volume and variety of devices connected to the Internet will increase by a multiple of 10, and with IT teams struggling today, they will be waving the white flag by 2020.
# 2. The cost of gaining tools and skills to become a cyber criminal is continually decreasing
Did you know that most of the tools cyber criminals use are freely available? In addition, the tutorials and the help they need are also available online at little to no cost. This means that it is very easy for someone with few skills to quickly become adept in the dark art of practicing cyber crime.
On an anonymous and hidden part of the Internet known as the Darknet or Dark Web, cyber criminals are sharing ideas and developing new tools. The rest of the world becomes their playground, hence there is no shortage of computers and people on which to test their exploits.
Even those who do not wish to invest the time and effort to attain the skills to become a cyber criminal can purchase ready-made services from the entrepreneurial elite amongst the seedy underbelly of the cyber criminal underworld for less than $20 per hour.
# 3. The target for cyber criminals shifted from technology to people
Social engineering is an attack on humans rather than technology and it comprises more than 90% of today’s attacks. It includes all of those phishing emails which look like they have come from eBay, PayPal, ATO, Australia Post, Origin Energy, AGL or various other credible entities with whom you may hold accounts.
This method is so effective that cyber criminals have turned to social engineering because human gullibility, and often lack of awareness, although unpredictable, is yielding high success rates.
Technology is no match for these attacks, which prey on people in their weakest moments, when they think, for example, that they have a fine or that a package in the mail has become lost in transit. The trouble is that IT teams are great at solving attacks on technology, but struggle with people. Upon further reflection, IT professionals are usually not people oriented. If they were, they probably would have graduated as psychologists rather than computer scientists.
# 4. A serious case of herd mentality
Given the rapid pace of technological change, IT teams are navigating uncharted waters and tend to measure success by how well they follow what others in the industry do.
This would be fine if others had a viable solution to cyber crime. The problem is the sheep-like behaviour of following others – the so-called “herd mentality”. It is common for IT professionals to attend tradeshows, catch up with peers and ask what others in the same industry are spending their cyber security budgets on. The findings from this ill-informed discovery exercise then influence how your IT team are spending their cyber security budget.
This technique often means that unfit-for-purpose technologies are purchased which satisfy the curiosity of technical wizards and allow them to be in the club of industry peers who have all purchased some latest and greatest technology. It also means that purchases made do not necessarily address the risk to the organisation, and are typically not aligned with business strategy. Ultimately, many technology purchases for combating cyber crime produce a poor return on investment.
# 5. Organisational silos prevent important interdepartmental communications
When a cyber crime outbreak occurs, it is important to fully understand the impacts on the business. These impacts range from operational to physical, personal, legal, reputational and financial, and your IT team does not have visibility of these.
For example, if your organisation had to pay a ransom, IT teams would not know how that unbudgeted expense would impact other projects in the organisation. If reputational damage was caused because of a cyber breach and that caused four clients to seek out competitors, IT teams have no visibility of the average lifetime value of a client. If those same clients who sought out a competitor also took out a class action lawsuit against your organisation, IT teams would have no understanding of the potential legal costs associated with that.
A lot of data needs to come from other areas of the organisation to truly understand the effects of cyber crime, and that means that the silos preventing interdepartmental communications need to be dismantled – a task best suited to executives, not IT teams.