New thinking is required to understand the criminal entrepreneur, it is claimed.
The world’s biggest companies are facing an unprecedented number and variety of digital attacks by ruthless criminal entrepreneurs. Whilst awareness of the threat has never been higher, most businesses do not comprehend the methods and motivations of the attackers, the scale of the threat or indeed how to counter it. That is according to a joint BT and KPMG report, titled ‘Taking the offensive – Working together to disrupt digital crime’.
See also a blog by Mark Hughes, CEO, BT Security, arguing that you need to think like a digital criminal: https://letstalk.globalservices.bt.com/en/security/2016/07/need-think-like-digital-criminal/.
Hughes said: “It’s important to understand that cyber criminals are entrepreneurs. They’re ruthless, yet rational, individuals — most often driven by profit. Like legitimate company executives, they develop a business model that allows them to succeed.
“Part of their ‘business model’ is to collectively fund research and development directed at exploiting any vulnerabilities in companies’ networks. And the latest digital strategies are a particular focus. To combat these enterprises, businesses need to disrupt the cyber criminals, and make their business model ineffective, rather than waiting for them to launch an attack. Understanding this is key to effectively combating the cyber threat.”
Comments
Dominic Cockram, Managing Director of Steelhenge, part of the Regester Larkin Group, said: “A series of high-profile hacks and data breaches has shown that any organisation is at risk when it comes to cyber-incident. In recognition of this we’ve seen many organisations shift the focus away from solely investing in prevention, to strengthening their capability to respond effectively to cyber specific events.
“For example, investing time and budget in understanding the risks, knowing what their ‘information crown jewels’ are, putting in place cyber response procedures and ensuring that operational, technical, executive and strategic teams are all cyber aware, well-trained and rehearsed and integrating cyber security into the broader crisis management and business continuity frameworks.”
David Kennerley, Director of Threat Research at Webroot, said: “There is no doubt that cybercriminals are becoming more sophisticated. Couple this with the sale and open access of the tools on the dark web needed to launch an attack, and businesses are facing an increasingly complex an often customised threat. It is becoming apparent that the battle against the growing number of threats cannot be won by traditional security defences and tools alone.
“Businesses should be turning towards cybersecurity vendors that are using artificial intelligence in an attempt to make sense of the billions of data points collected by endpoint and gateways, scanners and other proactive intelligence systems. Machine learning is able to more quickly distinguish between good and bad behaviour, malicious IPs, websites and files. This means a far greater number of threats can be analysed, before it is passed to human researchers for a deeper analysis. Only by using smart threat intelligence solutions will organisations receive the collective intelligence based detection, protection and alerting systems needed to combat the ever-more professional and sophisticated cyber criminals of today.”
And Darren Anstee, Chief Security Technologist at Arbor Networks, said: “The skills shortage is a definite issue, the recent SANS 2016 Incident Response Survey showed that 65 per cent of respondents felt that the skills shortage was an impediment to incident response. Businesses can take the fight to cyber-criminals with improved intelligence sharing and better co-operation with law enforcement. But pre-emptive attack is another thing entirely, as there are legal issues such as attacker infrastructure made up of compromised machines belonging to other organisations and individuals, and the route to those systems can be across multiple service provider networks.”
Stephen Love, Security Practise Lead – EMEA, Insight, called the KPMG and BT report a welcome approach in the IT security industry. “While defensive measures are crucial in protecting a business from attack, too often we are playing catch up. There might be a hole in a system that hackers infiltrate, so it is plugged with a patch. Now it is vital we begin to think proactively and stop the hole from ever appearing in the first place.
“A worrying finding of KPMG and BT’s report is that only 22pc of respondents believe they are fully prepared for cybercrime in today’s digital age. In addition to this, while 71pc believe they have appropriate procedures and tooling, only 30pc understand what the tools do and how they should be used. This is a clear indicator that businesses need to upskill their employees in order to stop digital crime before it causes damage, rather than simply reducing the fallout.
“Every employee should have a thorough understanding of the technology and tools in place that protect the business from cybercrime. Employee training and support is crucial here. Yes, the industry needs to go on the offensive against cybercrime, but it must start from the ground up. It is one thing to wrap a company in security solutions, but they will not be optimised if your employees don’t understand how to use them and stay safe.”
Phil Smith, Head of Product at Smoothwall, said: “It is astonishing to think that of all the firms surveyed, 97pc suffered a cyber-attack, and what’s more, only a fifth of CTOs feel that they are well equipped to deal with one.
“Gone are the days when companies prepared for ‘if’ a cyber-attack occurred – now, they must be ready for ‘when’ a breach takes place. In this digital age companies have a wealth of data and information, making them very lucrative targets for cyber criminals. It is vital therefore that companies protect themselves and have a robust plan in place in the event of an attack, as the fall out could cause immense reputational damage to a company.
“Security needs to be taken seriously throughout companies by all of their staff, so they do not allow themselves to be susceptible to a cyber-criminal’s advances. It is common knowledge now that the majority of security breaches occur due to human error. Ensuring a strong security culture is instilled throughout the workforce therefore is vital to ensure staff are constantly vigilant and aware of the threats. Security needs to be taken seriously at all points of the organisation, to ensure that all employees understand the risks of their actions and know the security processes in place should an incident occur, to mitigate the risks in the event of a breach.”
