As a former Scotland Yard Detective Superintendent with more than 30 years' experience running all types of serious and organized crime units, and latterly as the senior cyber crime advisor at PwC, I have had the opportunity to engage with all aspects of serious crime incidents.
A common theme in providing a response to any crime, ideally proactively to prevent it or reactively to mitigate and investigate it, is the ability to receive, process and react to intelligence. This is a straightforward process if you are dealing with traditional, old-fashioned physical crime, where you have leads familiar to us all such as a motive, a physical scene, witnesses, evidence, weapons or tools, all relatively contained and accessible for your resources to investigate.
Cyber crime, in comparison, is carried out for a range of different motives, including “Just for Laughs” as stated by the LulzSec attackers (who attacked the FBI and the UK’s Serious and Organised Crime Agency amongst other government agencies and industry victims). Suspects can operate from any country in the world, can directly or indirectly affect infrastructure and victims around the globe, can utilize infrastructure in several countries and, unlike investigators, need not worry about legislation or jurisdiction!
Cyber criminals are able to adapt quickly to the rapid pace of technological change, taking advantage of the convergence of internet-enabled technologies to develop bespoke new attack vectors and exploiting the speed, stealth and scale that technology provides to attack victims. Cyber crime is cheap to commit and expensive to defend. Criminals operate within the virtual environment and as such are not constrained by real-world boundaries. It’s not by chance that they exploit the widely differing legal and regulatory regimes in place within different countries.
The main categories of malicious actors involved in cyber space can be grouped as Criminals (primarily organized crime), Activists and Spies.
Cyber criminals are motivated by financial gain; they increasingly purchase the components they need to commit crimes through online marketplaces (the ‘as a service’ model). Once they have access to the system or network, they are free to extort or take any data that might have value. Criminals are more sophisticated and calculated in how they select targets, and they use more stealth and blended intrusion techniques than activists.
Activists tend to use quite bold and basic methods to cause maximum disruption and embarrassment to victims. Hacktivists have captured headlines with high-profile campaigns coordinated through social media. They are often opportunistic and unpredictable in their targeting. Favoured criminal techniques include distributed denial of service attacks and SQL injection (a basic database hacking technique).
Spies are often state-sponsored but can include other groups such as investigative journalists. These actors commit some of the most targeted attacks. They know what they want, be that intellectual property, financial data, confidential business data, or insider information, and are unyielding in their efforts to obtain it. Attacks are not necessarily technically sophisticated, and there has even been evidence that state-affiliated espionage has been reliant on something as simple as phishing.
As a result of the ‘as a service’ nature of the cyber crime marketplace, the division between the three different types of malicious actors has become increasingly blurred. Establishing the “Who, Why, and How” of an incident is a significant challenge, but certainly cyber crime has become a multi-billion-pound business and is as structured and organised as any company.
As our dependence on the Internet has increased, so cyber crime has moved from obscurity into the spotlight of consumer, corporate and international security concerns. Cyber crime is no longer an issue that concerns only information technology and security professionals. The impact has extended from consumers to the C-suite and boardroom, with awareness and concern about security incidents and threats now top of mind amongst all sectors. In the offline world, national governments have to plan for the risks that arise from interdependence in a globalized economy – if China has an economic crisis, we’re all affected. So too, in the online world, governments are waking up to the fact that Internet crime spans a truly international dimension, taking criminality from the local to the global.
Research has shown that companies suffer a 5% drop in stock price post a breach and a loss of 27% of consumers. Last year 594 million people worldwide were victims of online crime. Recovery post a cyber attack and how a company responds to a breach have a significant impact on the mitigation of harm both to the company and its clients; timeliness of action as well as clarity of communication can make a significant difference.
With the reputational and financial impact of cyber crime, together with new EU regulations on Data Protection and the Information Commissioner's Office empowered to make orders and impose substantial fines, businesses can no longer view cyber security as an IT risk or a technology issue. Cyber security is both a key business enabler and an enterprise-wide risk issue that needs board understanding, involvement and action if companies are to survive what is generally seen as one of our greatest global threats.