The National Security Strategy identifies criminal exploitation of the internet as one of the most serious threats to the United Kingdom, and government has committed substantial resources to tackling it. But this should not be seen by domestic businesses as some sort of security blanket which takes the pressure off the need for them to act. For all the upstream work that the Serious Organised Crime Agency and its partners are doing to contain risk and reduce opportunities for cyber criminals, the front line of defence is not a national or international boundary policed by law enforcement. It is in each and every company.
Robert Mueller, the head of the FBI, warned in March 2012 that the threat to the US from online attacks will shortly become greater than that posed by terrorists. “In the not too distant future we anticipate that the cyber threat will pose the number one threat to our country,” he said. “We need to take lessons learned from terrorism and apply them to cybercrime”.
A driver for growth
The internet is a huge force for good and a powerful driver of economic growth and opportunity. But it also presents unique opportunities for criminals who are attracted by the ease of entry, low cost and risk, and relative anonymity it offers. Businesses need to understand the risks they face and the steps they need to take to protect themselves.
Organised criminals are agile and entrepreneurial. They are also almost always more motivated to commit crime than potential victims are to take pre-emptive steps to stop them. The criminal community is forever testing the boundaries of what is possible – it does not have to conduct due diligence, or refer to investment committees!The evidence of this is stark and, you might imagine, powerfully persuasive in influencing corporate security policy? I’m not convinced it is - yet. But let’s consider the facts.
Although chasing down a precise figure is never going to be possible, a study for the Cabinet Office last year found that, of the estimated £27bn a year cost to the UK economy from cyber crime alone, the hit on business is more than £20bn of this. Almost half involves the theft of Intellectual Property.
Quite apart from direct financial losses, reputational damage also has a financial impact. Last year, a major multinational company reported direct losses from hacked personal data of £105m. The hidden cost in terms of damage to its brand, reputation, and shareholder value is almost certainly many times greater.
The Phishing Problem
In 2011 the Anti Phishing Working Group reported that over 38,000 phishing websites were being detected globally every month. That was more than one new malicious site every 70 seconds. A CIFAS report around the same time reported that over 40,000 pieces of sensitive and financial information were traded on the black market every day.
While cutting edge attack systems may remain in the hands of an elite, the expertise to steal data in large volumes is available to new entrants to the market with the right connections and enough money. Criminals operate their own self-regulated market for cyber crime goods and services, including stolen data, malicious software, technical infrastructure and money laundering: and they are able to operate on an unprecedented and industrial scale.
They will always hold the initiative and risk can only increase as more data is acquired, stored and shared and ever greater use is made of mobile devices.
It’s true that awareness of some risks is on the increase, for example around identity theft and credit card fraud. This is prompting more effective reporting and intervention and this month has seen losses at a ten year low. But other threats remain ahead of the business awareness curve.
How many businesses, for example, are unconscious vehicles for money laundering, or have considered the possibility that they might be? The Global Money Laundering and Terrorist Financing Threat Assessment, produced by FATF in July 2010, described the role insiders play in money laundering.
Criminals are able to understand how to undertake transactions while concealing their own involvement. Inside knowledge of a profession or sector can allow them to access financial products in an indirect or non-attributable way, making the tracing of funds or assets lengthier and more difficult.
The individual employee is also potentially the weakest link. This is rarely because they are malicious: more often it involves failure to apply basic security procedures. But the way in which individuals now openly communicate personal information about status and personal interests, in and out of the workplace, inevitably increases the risk of exposure to criminals. Corporate websites openly display key post-holders within organisations and company networked systems are used daily by staff at all levels to connect to social networking sites and browse online. The use of personal devices is commonplace at work and this can bridge unconsciously into business fire-walled environments. Criminals know and exploit these vulnerabilities to breach systems, recruit vulnerable staff, hijack identities and steal data and assets. It is dangerous to underestimate how very subtle this can be, or the lengths to which criminals are prepared to diversify and infiltrate apparently low-risk areas such as the back office.
All this is evidence of the unavoidable fact that law enforcement can never expect to arrest its way to a cyber crime solution. As the private sector is the biggest economic victim of cyber attacks, it needs to be pro-active in mitigating the risks it faces. The crucial question is: where on the corporate ladder should a company vest responsibility for its cyber security? Mitigating the cyber threat to a company’s business model, its shareholder value, its data, and its reputation is not something to be delegated to the CIO or the head of security. It is a strategic risk which should feature on the main Board risk register and be firmly in the grip of the CEO. Defaulting, whether through ignorance or nervousness, to ‘specialists’ is to lose sight of the fact that the real threat is to the performance of the
business. As Clemenceau might have said, cyber-security has become too important to be left to the computer experts.
So, if the evidence doesn’t incentivise Boards to take the threats to data security more seriously and protect themselves from attack, not to mention the legal obligation to protect the personal data they hold, what else might? Companies may be concerned about the impact on their business in terms of shareholder value or reputation should the story of a breach become public. But how can we help businesses to understand that the cost of addressing this business risk up front will be so much less than that of cleaning up after an attack? Indeed, should we perhaps be looking for a paradigm shift in how we regard companies who choose to make a virtue of demonstrating how they have responded to the attacks on them. It seems to me that the investor community also has a huge role to play here: particularly if it is to demand evidence of awareness of the threat and the measures taken to mitigate it as a pre-condition for investment. This might also encourage greater disclosure within companies themselves and end the culture of keeping the bad news story in the server room and away from the Boardroom.
The Department of Business Innovation and Skills, which has the policy lead in this area, is actively working in partnership with business representatives, professional service providers and key professional bodies to facilitate the spread of best practice in managing cyber security as a corporate risk.
Fostering a thriving market
Primary objectives of the UK Cyber Security Strategy, to be achieved by 2015, are for the UK to be one of the most secure places in the world to do business in cyberspace and to foster a thriving UK market in cyber security products and services.
To get there, businesses need to understand how to help law enforcement to help them by reporting and information sharing, which should be aided by the placement of Action Fraud as the single point of entry for reporting. The enabling legislation of SOCPA 2005 provided the necessary gateways, and many companies are increasingly willing to share information with each other and with law enforcement.
This dialogue will be enhanced by the joint private and public sector initiative launched by the Prime Minister last year to develop a national cyber security hub to facilitate information exchange between the private sector and government.
Actionable information on cyber threats would be shared by all participants to give a more comprehensive, and timely, understanding of malicious activity against computer networks.
We might not have all the answers now, but we can begin by asking the right questions. Taken together, all of these initiatives will, I hope, help reposition security and fraud prevention so that they are seen as essential profit centres rather than unwelcome overheads. Because it is on the effectiveness of corporate defences against the threat from cyber crime that future prosperity is going to be increasingly dependent. That is what places the Risk Register on the front line.
For more information
Serious Organised Crime Agency
Tel: 0870 268 8100