No business too small, no firewall too high – intruders are costing London businesses billions each year
They are invisible enemies – like thieves in the night – difficult to detect, harder to catch and embarrassing to discuss.
They slip into your systems covertly, poisoning them from within, leaving you shamefaced, violated and facing huge costs. They are cyber-criminals and they are targeting your business.
Consumer details, credit card numbers and sensitive company information are all on the shopping list and, as these super-stealthy thieves become more sophisticated, the number of attacks rises.
According to security specialist Symantec there was a 93% increase in web-based attacks in 2010 – driven by a growing proliferation of web-attack tool kits. These DIY hacking-packs take newly discovered vulnerabilities and make them into attack kits which are sold on the underground economy.
The government’s Office of Cyber Security and Information Assurance has reported cyber-crime costs the UK economy £27bn each year.
And London’s position as an international business hub makes it the UK’s hotspot for cyber-crime.
“The sheer concentration of high net-worth institutions within the Square Mile makes London an obvious target,” says Professor Kevin Jones from the Centre for Software Reliability at City University.
When large, well-known companies are breached the news makes the national press. Sony PlayStation hit the headlines this year when more than 100 million customer accounts were compromised.
More recently, at 1.15am on Saturday 3 September, the Dutch government announced that hackers who broke into web secuity firm DigiNotar had sent bogus security certificates that could be used on websites including the CIA, Google and Twitter.
Roel Schouwenberg of the security company, Kaspersky, commented on the Securelist blog: “The attack on DigiNotar will put cyberwar on or near the top of the political agenda of Western governments.”
Conversations surrounding global cyber-security will be focused in London shortly as the capital is the location for the International Cyber Conference, which takes place on 1 and 2 November.
Government databases, banks, huge multinationals and internet giants such as Google are the targets that hit the headlines. But these tantalising targets are not the ones being infiltrated most often.
“The glamorous businesses that you’d expect are not regular victims. They are so paranoid about security that they generally manage it much better,” explains Phil Beckett, director at consultancy firm Navigant.
So who exactly are the targets of these security breaches?
Everyone, it seems.
Large-scale, targeted attacks do happen, as we have seen in the case of PlayStation but, more often than not, the way in which cyber-criminals operate is random and those violated are merely victims of opportunity rather than targeted attack. Companies in this instance are identified because they exhibited a weakness that the attacker could exploit.
“Small businesses tend to be victims of untargeted attacks that we call ‘spray and prey’ – hackers send out thousands of emails and wait to see who bites,” says Graham Cluley, senior technology consultant at security firm Sophos.
“Hackers are no longer gunning for the big elephants as they have a higher risk of detection”
Jelle Niemantsverdriet, principal consultant, forensics and investigative response, Verizon
According to telecommunications giant Verizon, which conducted a data breach investigation in conjunction with the US Secret Service, 83 per cent of their cases in 2010 were opportunistic attacks.
The report also identifies a surprising trend appearing in global security attacks. The number of records compromised dropped dramatically in 2010, from 144 million in 2009, to just four million last year.
However, the number of cases being reported has shot up from 900 breaches between 2004 and 2009 to 761 in 2010 alone – the majority of which were SMEs.
Essentially, the lowest amount of data loss occurred in the same year as the all-time highest amount of incidents investigated.
What can we surmise from this?
Cyber pick-pocketing is on the rise; smaller, easier targets in vast numbers.
“Hackers are no longer gunning for the big elephants as they have a higher risk of detection. Criminals are focusing on smaller targets, in greater number and spreading the risk,” clarifies Jelle Niemantsverdriet, principal consultant forensics and investigative response at Verizon.
The new method on the block is industrialised attack. The criminals target a specific type of industry and bombard them with a number of malware techniques to gain access. Once successful, they use the same technique to prey on similar companies.
“I don’t think people realise the power of information”
Phil Beckett, director at consultancy firm Navigant
Customer information, including credit card details can be stolen and sold on. The existence of chains and franchises make this method all the more lucrative.
Verizon has identified the hospitality and retail sectors as the big targets, receiving 40 per cent and 25 per cent respectively of all attacks made.
These two sectors combined make up one in five of London’s businesses. “We have seen a spate of attacks on companies that store a lot of customer information,” concedes Cluley.
It’s not just credit card details that these crooks covet. The whole cyber-crime industry had matured at an increased rate whereby the black market-value of many types of information has increased and information is traded as a commodity.
“Previously we saw incidents where people siphoned off information but there was only a number of places they could sell it, but now the market for information has grown – buying and selling of information has increased rapidly,” says Dr Mike Westmacott of The Chartered Institute for IT.
The value of information that a company has is sometimes difficult to understand and appreciate. You can assign value to information and register it as an asset, so it should be treated like one.
“I don’t think people realise the power of information. It underpins everything that every organisation does,” says Beckett, “even if a company doesn’t have consumer information they still have valuable designs, contracts, plans etc., that can give them competitive advantage.”
So your systems have been breached and information has been stolen – what are the consequences?
There are both direct and indirect repercussions to cyber-crime and, unsurprisingly, it’s the hidden ones that hurt the most. The direct costs of infiltration, such as losing a client or losing competitive advantage, pale in comparison to the price of the clean-up.
“The cost of trying to find out what happened, fixing the issue, the distraction of management and the damage to reputation far exceed the direct financial loss. The indirect costs are harder to calculate, larger and have more of an impact on a business”, says Beckett.
Are London’s businesses just sitting ducks?
There appear to be plenty of ways to step up your security measures, some obvious, some less so. One thing that is certainly true is that companies need to be more vigilant at a number of levels.
Social engineering is a malignant phenomenon that has gained momentum on the tailcoat of social networking sites. The sites provide a rich research platform for tailoring attacks as hackers can sneak among our friends, learn our interests and gain our trust.
For example, social networks were used to gather the personal information that allowed malware onto the systems of Google in 2010.
Banning Facebook and Twitter will leave you seriously out of the loop when it comes to marketing. Instead, employers need to educate staff about the dange
rs of posting work-related information online. Less is more.
Cisco has identified “seven deadly weaknesses” that cyber-criminals can exploit – they make a useful reference point.
Another symptom of our times is the increasing push to mobilise the work force. Smart phones and other portable devices can carry sensitive information outside the safe perimeters of the organisation.
“Taking information outside of the company is something that needs to be addressed,” admits Westmacott. “Unencrypted information is leaving companies on devices that can be easily lost or stolen.”
Verizon found that 86% of detections were made by a third party. That is to say a company was informed of the breach by someone else such as their credit card company or the police. Companies need to become more self-aware when it comes to infiltration.
These crimes are not committed in a split second as Hollywood might have us believe. They can take place over a matter of days, weeks or even months. Catching these slippery cyber-menaces red handed is a real possibility.
“Companies need to look at their log analysis and not just in the real time but also in the history. Although the breech has already been made it might not always be too late to catch someone before they make off with the stolen information”, advises Niemantsverdriet.
This means war…
There is no room for complacency. We have seen evidence businesses of every size, nature and prominence are in the firing line for web-based attacks.
The way that cyber-criminals work can seem unfair. Their random selection of victims, multitude of tactics and ability to remain undetected can make it seem impossible to win.
While government and the citizen are affected by rising levels of cyber-crime, business bears the lion’s share of the cost.
But this war is not without its defences – becoming cyber savvy and having a strong security strategy will go a long way to ensure there are no Trojan horses nestling maliciously behind the walls of your empire.
Who is our silent enemy?
Verizon looked at the origins of the external agents responsible for the breaches in their caseload:
Europe-East (including Russia, Turkey) 65%
(incl. Northern, Southern)
Middle East 1%
Oceania (Australia, New Zealand, etc.) 1%
Cisco’s 7 deadly weaknesses:
1. Sex appeal: people should assume that a flirtatious advance from someone they don’t know has a less romantic purpose behind it.
2. Greed: if something is too good to be true, it probably is.
3. Vanity: scammers will try and convince potential victims they have been chosen to be on the receiving end of an exclusive offer.
4. Trust: cyber-criminals often attempt to convince individuals they represent a high-profile brand.
5. Sloth: criminals rely on user laziness to ensure that poorly written messages and shortened URLs don’t rouse suspicion.
6. Compassion: posting fake messages from “friends” pretending to need money or requesting donations for fake charities.