When thinking about cybercrime, many imagine a lone teenager sitting in their bedroom 'hacking' into a corporate network to steal its millions, or its intellectual property. Whilst this is often true, it is not the whole truth.
There are many reasons that an individual may target a company, ranging from revenge (for poor customer service or being sacked) through to doing it for the 'lulz' (slang for 'a laugh'). It could be a lone 'hacktivist' who sees you as a legitimate target because you oppose their ideology or outlook on life. These 'lone wolves' also attack companies to build their reputation amongst their peers; you simply become another 'notch on the bedpost'. We should also not forget the 'insider threat', where people we have trusted with access to systems sadly abuse that trust by intentionally stealing your clients or your money.
But it is not just the lone wolves we need to be aware of. Traditional organised crime gangs are, like most organisations, going online. Online fraud increased by 48% in 2015, demonstrating that organised criminals are capitalising on the borderless nature of the Internet. The 2013 Europol Serious & Organised Threat Assessment reported that the "Total Global Impact of cyberCrime [has risen to] US $3 Trillion, making it more profitable than the global trade in marijuana, cocaine and heroin combined".
Organised criminals have seen the benefit of 'stealing a little from more'. As Professor David Wall (Leeds Beckett University) states: "Steal £1million from a bank, you'll be chased by every law enforcement agency in the world. But steal £1 from 1 million people – and no one will come looking for you."
What can we do?
There are many things we can do to decrease the chances of becoming a victim of cybercrime, and only a few of these are directly related to 'hardening' the computer system itself. Here are a few ideas you should consider, discuss and implement.
- Cybercrime is carried out by people. It's a people problem, not a technology problem.
- When recruiting staff, follow up on references and carry out appropriate background checks.
- Speak to your IT department and ask them to conduct a review of 'Access Rights' across your systems. Does everyone have the right access to the right information? Ask them who has the 'highest privileges' on the systems and check that the passwords for this level of access are strong (and changed regularly).
- Have a process between IT and HR, so that when people change roles, their access rights are updated appropriately.
- Develop a 'Cyber Awareness' education programme, which can include training your staff to be on the lookout for 'suspicious' emails and to 'Think before you click'. But also explain how important this is for them personally.
- Encourage your staff to raise their own security. When was the last time they reviewed the Direct Debits on their own accounts? Make security personal.
- Speak to your IT vendors (software or cloud) and ask them what protection they have in place against 'Malware' or 'DDoS' attacks. Ask them about their backup processes and test that backups are happening as they should.
Crime, disorganised or organised, is a fact of life. But there are simple steps we can take. We need to be vigilant personally and professionally. The majority of cybercriminals are 'opportunistic': they're looking for an open window or low awareness. Don't let them in. Be proactive, not reactive.