With the final £1.8m payment made, Claudio Lotito, chairman of top Italian team football team Lazio, celebrated the completion of the transfer of Dutch defender, Stefan de Vrij, with friends last week. But the celebration was short-lived. A phone call from Feyenoord the next morning enquiring after the missing fee led to the discovery that online criminals had persuaded the club to send the money to a bank account the criminals, not Feyenoord, owned.
Lazio isn’t the only business to suffer, as other high-profile attacks of the last year have shown:
And it’s not just large businesses that are feeling the heat. A survey by Zurich Insurance found that nearly 900,000 UK SMEs suffered a cybersecurity breach in the last 12 months.
With the increasing number of attacks and regular news items reminding us of how big and bad the problem is, it’s no wonder companies are thinking: ‘not if, but when."
Cybersecurity measures are becoming more important for businesses of all sizes because the number of attacks is increasing, the types of threats are changing, regulations are tightening and, as a result, revenue and profit are at risk.
It’s estimated the cost to businesses of cybercrime will hit $6 trillion annually by 2021 and for medium-sized companies, cyberattacks are considered the biggest risk to their business.
A survey of 1200 c-level executives found half were changing, or planning to change, their cybersecurity activities because of the increased threat from cyberattacks. Many had already experienced breaches. 80% said a careless member of staff was the most likely source of an attack. Worryingly, a lot of those breaches were caused by known vulnerabilities which suggests risk management planning was poor.
On the dark web – the murky undercurrent of the traditional Internet where products from vice, through weapons to real estate are for sale – cyberattack tools are cheap and easy to find. Software for harvesting passwords can be found for $50, ransomware for $200, and malicious file encryption software, a bargain at $25. A completely new personal identity? Yours for $1100.
The principle of ransomware is straightforward: malicious code is used to encrypt business data which stays that way until the company pays up or a security vendor finds a fix. But for all the effort from vendors to neutralize ransomware before it can do any harm, or to develop smarter decryption tools, the criminals are one step ahead. Encryption algorithms are getting more sophisticated — encryption is done slowly, rather than as a big bang, to help avoid detection — and different attacks are launched simultaneously through different routes to further confuse detection software.
The rise in cybercrime will more than triple the number of unfilled cybersecurity jobs, which are predicted to reach 3.5 million by 2021. Since cybersecurity tools need to be installed, configured, and kept up to date with patches to catch new threats, it’s easy to see how that skills shortage can translate to a bigger threat for businesses, especially smaller ones that can’t pay the unsurprisingly high salaries.
Ever inventive, cybercriminals are finding new ways to attack. Some focus on unknown vulnerabilities in newly released hardware or software. Finding these so called zero-day threatsbefore the vendor, means there is no effective deterrent and a high success rate for the criminals.
Business Email Compromise, also known as CEO Fraud, is a phishing scam that uses a fraudulent email to impersonate a senior executive. An employee, usually in the finance department, gets an apparently real, and usually urgent, message from a senior manager to release funds to an account the criminals hold. It can be remarkably effective and only needs to work once to net the criminals a big return.
Given the increase in attacks and the resultant threat to commerce, it's unsurprising that regulators are taking a greater interest in cyber threats.
At the request of the G20 summit, the Financial Stability Board evaluated the scale of financial sector cybersecurity regulations in the 25 FSB member countries. Each had at least one regulatory scheme, some as many as 10.
The Cybersecurity Act became law in the US in 2015 and has been called the most significant piece of federal cyber-related legislation ever introduced. It enables sharing of cybersecurity information between the private sector and federal government and contains measures to improve the effectiveness of federal cybersecurity activities.
Europe is heading in the same direction, with the European Cybersecurity Act having started its journey through the EU parliament in September of last year. It will inevitably result in a series of specific regulations in the coming years, meaning a bigger compliance headache for companies operating in Europe. These two acts sit alongside existing regulations that address cybersecurity including the New York Department of Financial Services Cybersecurity Regulation, HIPAA, and PCI DSS.
In the short term, the biggest show in town is data protection.
In the EU this takes the form of the General Data Protection Regulation (GDPR), which takes effect on the 25th of May this year. Although the Regulation is being introduced by the EU parliament, compliance is needed for any company, regardless of home or operating location, that stores or processes personal data of individuals from the EU.
Non-compliance can be met with hefty fines – up to 4% of turnover or €20 million, whichever is greater – and has instilled a mixture of fear and panic in businesses that operate within its scope. At the beginning of March, only 10% of UK businesses said they were ready for the deadline. The US equivalent is the Data Security and Breach Notification Act which entered the Senate in November. Although it has a long way to go before becoming law, the current draft contains a proposed maximum five-year prison sentence for intentionally hiding a personal data breach.
With the increase in the number of attacks and regulations, SMEs in particular stand to lose the most given their limited resources. That’s the subject of our next post.