Earlier this year, newspapers reported that for the first time, the U.S. had filed criminal charges against five Chinese military officers. This was the first time Washington had singled out a foreign government, alleging they hacked into the computer systems of five American businesses, seeking information and trade secrets.
This high-profile event is but one in a series of quiet battles inflaming the cyber-world. On the other side of the Atlantic, Europol has recently reported on Internet organized crime. In its comprehensive threat assessment, state hacktivists reportedly appear alongside more traditional organized crime groups – albeit ones with a strong digital penchant – and other e-commerce-related fraudsters.
One legitimate question arises: does this affect my business? Isn’t this well above my day-to-day activities and endeavours? The unfortunate answer is that no one can count himself out. In fact, history tells us that over the past decades the digital underground has evolved, matured and turned into a thriving criminal industry, costing global economies in excess of USD 300 billion per year.
“Crime-as-a-Service” is on the rise, and as of August 2014 we count at least 39 specialised criminal digital marketplaces thriving on the Darknet. These markets raise several considerations:
Distributed Denial of Service (DDoS) attacks have become accessible to just about anyone willing to ask, and pay, for such services. A botnet service provider’s business model is not much different from an ISP’s.
Similar to “Crime-as-a-Service”, many other items can be chosen from a highly refined Menu of Crime, including:
The dispersed nature of cybercriminals, their determination to succeed and their theoretically infinite resources pose a serious threat to governments and businesses alike. In particular, Malware-as-a-Service is becoming increasingly – and worryingly – professional, copying the methods and business models of legitimate commercial software development companies, complete with 24/7 customer support and frequent patches and updates to continuously improve the quality and performance of the products.
Furthermore, as the ROI is huge, malware is becoming increasingly “intelligent”, including code that prevents it from being deployed or executed in a sandbox environment. Malware developers will continue to refine and improve their products to make them stealthier and harder to detect and analyse.
In this scenario, oversimplified here due to the restrictions of a blog post, what are the options for an organization to defend its interests and, ultimately, its own existence? Here are four tips:
In March 2014, the European Parliament approved an amended version of the Network and Information Security (NIS) Directive. The amendment included a requirement for companies providing critical infrastructure and supporting industries to report to competent authorities any incident with impact on their core services – such as a data breach. It is likely that similar provisions will be extended to other industries in the not-so-distant future. Aligning with such requirements will be compulsory and will therefore fall under the tagline of “compliance”. What about getting ahead of the game by reducing your own risk factors? What if you discovered that the economic reward, i.e. your ROI on reducing risk, is positive for your business? Think, and act, differently.
U.S. National Cyber Security Awareness Month Blog Series:
Week 5: 4 Tips for Organizations to Combat Cybercrime