Cybercrime becomes more structured - corporations need to improve their management to resist it
The eternal fight between cops and robbers goes on in the cyberworld. Cybercrime is becoming ever more structured and organized, in a demonstration of unregulated capitalism. Are corporations and governments able to react fast enough and set up structured cybersecurity operations? The answer is more a management matter than a technology concern.
Thales just published its 2020 Cyber Threat Handbook, subtitled “organized cybercrime.” In this document, Thales focuses on how cybercriminal organizations are becoming increasingly organized and structured. They are split into groups, each specializing in a particular field and ready to collaborate with other groups to coordinate attacks. Consequently, attacks are increasingly available in the form of Malware-as-a-Service (MaaS), especially Ransomware-as-a-Service. These large-scale actions have led to widely publicized attacks such as the ones on three hospitals in Alabama, the city of New Orleans, and the firms Altran (which lost EUR 20 million) and Norsk Hydro, among too many others.
Guillaume Poupard, Director-General of France’s national agency for information system security (ANSSI), declared in the newspaper Les Echos: “The biggest threat in the future [will be] organized cybercrime.” The United Nations and Accenture estimate that organized cybercrime will cost the global economy around US$ 5.2 trillion (EUR 4.4 trillion) between 2020 and 2025. Cybersecurity Ventures places the estimated cost at US$ 6 trillion (EUR 5.1 trillion) per year.
“Big Game Hunting”, in other words targeting large and visible organizations such as big corporations, cities, hospitals or administrations to extort large amounts of money, is only the tip of the iceberg. As cybercriminal resources become commoditized, some attackers prefer to target smaller organizations, typically with ransomware, for smaller but easier-to-obtain gains. While most cybercriminal activity is performed for financial gain, attacks driven by governments or government-related services for more strategic purposes cannot be dismissed. As cybercriminal offerings become more structured, the line between these goals is increasingly blurred.
The Thales document lists actions that should be taken to prevent cybercrime: back up data, keep software and systems up to date, use anti-virus software and keep it up to date, partition information systems, limit user rights and application permissions, etc. It also provides a set of response actions to be undertaken after an attack is discovered: adopt the right reflexes, ensure a managed response to the crisis, communicate at the right level, do not pay ransoms, etc.
At the same time, Giesecke+Devrient just published a short document stating that cybersecurity has to be a C-Level priority. While recognizing the highly technical environment of cybersecurity measures, G+D insists that dealing with cybersecurity is first a management issue. In many companies, isolated security measures are often implemented by individual departments, resulting in IT security silos. This approach leads each department to focus on only one specific security issue when a global approach is needed. This bottom-up strategy is no longer effective.
Defending against cybersecurity threats means having a global understanding of all threats and filling all the gaps. Security officers have to take care of all threats and all access routes to IT systems, while attackers will focus on only one aspect or a single weakness.
G+D concludes: “The company-wide security strategy and culture must be initiated by the company executives. But of course, such a culture must also be adopted, and consequently the individual employee is also of crucial importance.”