In the first part of this piece, we discussed how cyber crime will balloon into a $2 trillion problem by 2019, according to industry projections. It’s an intimidating number to look at, and it attests to the leaps and bounds that cyber criminals have made in developing, refining and deploying increasingly powerful attacks. We frequently read headlines about businesses temporarily crippled by cyber attacks. These intrusions hit enterprises across all sectors, and it’s anyone’s guess who the next victim will be. Cyber crime is an industry that thrives on the element of surprise. And with hackers more covert than ever, many organizations will find that by the time they discover an intrusion, it’s far too late.
As outlined in part 1, there are several key factors that help explain the continuing surge in cyber crime. First of all, the widespread use of connected devices among individuals and organizations creates a situation where mobility is a prime target. Rather than defend their mobile devices, many people and businesses simply take the risk – which is a massive one. Then there’s the issue of cyber crime becoming increasingly sophisticated. Once a practice that was characterized by isolation – the typical image of the hacker was that of a detached person working alone – cyber crime is now a sophisticated industry.
“Years ago, the typical hacker was a teenager operating from a home PC and the attacks were mostly limited to pranks and vandalism,” stated Business Insider contributor Greg Martin. “Today, these attacks are increasingly carried out by two types of highly dangerous groups: organized crime rings, which make millions each year by stealing from or extorting businesses, governments and consumers, as well as by selling the malware itself; and state-sponsored hackers who target businesses, governments and critical infrastructure as part of a geopolitical confrontation or outright cyberwar, or for cyber-espionage purposes in order to give one country a military or economic advantage over another.”
As Martin points out, cyber crime is more than a criminal practice – it’s becoming a highly sophisticated industry. This means that if authorities nab a cyber criminal, or a strain of malware, there will always be another one to fill in the gap.
Fighting back against cyber crime’s growth
The sophistication of hackers coupled with the lack of proactive defense on the part of organizations and individuals has created a computing climate of constant attacks. But this is not a trend that needs to continue. At this point, the $2 trillion figure is a projected number – it is by no means written in stone. What is just about certain is that cyber crime is a sector that will continue growing. But the extent of that growth – and its impact – depends largely on the actions of individuals, businesses and other intended targets of hackers. By following several key practices, these people and business entities can help limit the growth of cyber crime and protect themselves in the process. Here are some of the defensive steps that should be taken:
- Come up with a comprehensive security policy: Hackers dream of disorganized targets. A business that doesn’t have a cohesive set of security policies automatically makes a great target, since there’s bound to be areas of vulnerability that cyber criminals can exploit. After all, most hackers aren’t searching for the hardest wall to breach. Instead, they’re hunting out the window that was left open. For businesses, generating a cohesive set of security standards is a vital first step in keeping the bad guys out.To be clear, a company cyber security policy is one that reaches every facet of the business – not just the parts that administrators deem high-value risks. Far too many hacks have occurred because IT leaders ignore this exact fact. In the case of the Target breach, for instance, it wasn’t Target’s central administrative hub that was initially compromised – it was an HVAC company that provided services to the major retailer. The cyber criminals attacked the HVAC company because its network was far easier to breach. And yet by busting into that network, the hackers were able to use that access to worm their way into Target’s system and commence an attack of unprecedented scale. This is the kind of horror story that affirms the importance of a set of security standards that leaves no stone unturned – and no window left open.
- Regulate corporate access to ensure only the right people enter the right platforms: When it comes to enterprise cyber issues, much of the time the threats can come from within. This doesn’t necessarily mean an employee-turned-hacker. In the case of the Target hack, for instance, the intrusion had an insider component, since the criminals who carried it out did so by targeting a business that existed under the Target network umbrella. But there are other insider attacks that are more overt, with employees helming intrusions into the network of their own business. For example, AT&T is currently dealing with a incident in which staffers in various countries swiped personal information from hundreds of thousands of AT&T customers, then giving that information to cyber criminals. This is an episode that is costing the company $25 million.In other situations, an inadvertent staffer error – like, say, the sending of an email containing private business data to an unintended recipient – can also be the source of an insider incident. As far as limiting issues like these, businesses are advised to ensure that only the right people have access to the right platforms. If there’s an administrative portal for IT workers, for instance, this shouldn’t be something that staffers in the customer relations department have access to. For business administrators, it’s important to ensure that entrances to various platforms are regulated in a way that limits the potential for an insider breach.
- Implement authentication solutions that go beyond the password: Passwords are far easier to guess than identities are to steal. When corporations defend access to their business networks with an identity-verifying wall for those attempting entry, they’ll take huge strides toward curbing the potential for outside intrusions. Back in 2004, it was Bill Gates who said the password would die. While his projection may not have been fulfilled, there is still much significance to it, since, as a means of network protection, the password is more vulnerable than ever before. As we’ve seen in the headlines, many recent breaches have involved the leaking of enterprise databases containing the plain text of users’ passwords.The inherent vulnerability of the password has fuelled the need for better account guarding. With regard to that, technology like biometrics, security keys and authentication tokens are beginning to pave the way for network access that’s based more around verifying identity than knowing a password. In the corporate world, this is the kind of development that has the potential to significantly reduce instances of cyber crime. When businesses adopt these emerging tools, they take a big proactive step toward better business guarding.
- Know that industry compliance isn’t enough: It’s one thing to be compliant, and other thing entirely to be secure. With the latter you have the former, but not the other way around. Industry standards like the Payment Card Industry Data Security Standard (PCI) – which came out with its third iteration of standards back in January – are necessary rules for businesses to follow. Determining industry compliance centers around things like penetration tests carried out by officials to assess if a business is up to par. But while industry compliance standards have been getting tougher as the threat atmosphere grows more potent, merely meeting compliance isn’t the key to safety. And for a business that suffers a major hack, having the excuse that, “We’re industry compliant though!” simply isn’t going to cut it.
- Get network-wide Web security software: Most cyber attacks that hit businesses don’t happen with highly sophisticated malware. Instead, they occur with malicious strains that can be easily guarded against. Hackers know that many organizations out there don’t have even the most basic virus guarding mechanisms in place, and they take advantage of this fact by leveraging attacks that are simple and commonly used. In 2014, a vast array of industrial sectors were hit by cyber attacks, from governments and schools to IT organizations and financial businesses. But though these attacks differed in size and industry target, many of them were the same types of things – such as malware and distributed denial-of-service (DDoS) attacks.These are the types of attacks that can be kept at bay via the deployment of a Web security package. When a business takes the proactive step of rolling out security software, it significantly limits its chances of attack. That’s because such software performs a whole host of functions that are key for businesses to retain strong security across the board. When a business implements a truly robust maximum security package, it can ensure that many different things are happening. Among them, dangerous websites are being blocked, social networking privacy is being maintained, files are being safeguarded, and email accounts are being protected from phishing schemes. Through the rolling out of a single line of defensive software, a whole range of attacks can be prevented. But when businesses ignore this step, they considerably increase their risk of attack.
These steps don’t constitute a comprehensive plan. Rather, they’re only a few of the many elements that combine to create safe computing. There are many cyber criminals working hard out there to circumvent our security measures, which is why we need to make a strong and consistent effort to keep them at bay.