Cyber Crime Landscape
Cyber threats are very real and can have a serious impact on organisations of all types and sizes. The Internet is beyond any agency’s control and, as such, security in cyberspace doesn’t exist.
The latest surveys on data breaches show that the threat of cyber crime is becoming ever more widespread. On this page we explore the most common threats and targets.
Cyber crime is a global phenomenon which affects everyone, from individuals and employees to small and large organisations. The majority of cyber crimes are perpetrated overseas, beyond the jurisdiction of the victim’s country, meaning that, for example, a financial institution in London can be attacked from China and there’s nothing the British authorities can do about it.
According to the 2013 Norton Report, the highest numbers of cyber crime victims globally were to be found in Russia (85%), China (77%) and South Africa (73%); the cost of consumer cyber crime was found to be highest in the USA ($38bn), Europe ($13bn) and China ($37bn).
According to the BIS Information Security Breaches Survey 2013, 87% of small firms and 93% of large firms in the UK experienced a cyber security breach in 2012. Some incidents caused more than £1 million in damages. The median number of breaches suffered by large organisations rose from 71 the previous year to 113 and, for small firms, from 11 to 17. The average cost of a serious cyber security breach for a small firm is between £35,000 and £65,000.
The True Cost of Information Security Breaches and Cyber Crime (Pocket Guide) sets out a sensible, realistic assessment of the actual costs of a data or information breach and explains how managers can determine the business damage caused.
The most commonly targeted information is commercial: intellectual property, customer lists and related information, business and commercial strategy, and financially sensitive information.
Data assets such as banking information, payment card details, PII (personally identifiable information) and contact details are also at the top of cyber criminals' agenda.
According to The Global State of Information Security® Survey 2014, "compromise of employee and customer records remain the most cited impacts, potentially jeopardizing an organisation's most valuable relationships". The survey, which included more than 9,600 responses from across the globe, found that:
- in 35% of cases, employee records were compromised;
- in 31% of cases, customer records were compromised or unavailable;
- in 29% of cases, internal records were lost or stolen; and
- in 29% of cases, identity theft occurred (client or employee data was stolen).
Cyber crime is continually evolving, and it is becoming ever easier for cyber criminals to commit attacks. While advanced persistent threats (APTs) continue to be a serious issue at the nation-state level, most organisations are likely to be hit by other outsiders.
The Global State of Information Security® Survey 2014 found that hackers represent the most likely source of cyber attacks (32%), followed by competitors (14%) and organised crime (12%). Only 4% of the respondents reported security incidents perpetrated by foreign nation-states.
The Eurobarometer Cyber Security Report 2013 provides comprehensive statistics based on the experiences of EU citizens of various types of cyber crime. It shows that internet users in the EU are very concerned about cyber security: 52% were concerned about experiencing identity theft, 49% about being the victim of banking fraud and 45% about having their social media or email account hacked.
An Introduction to Hacking & Crimeware - A Pocket Guide provides a foundation-level overview of the dark world of cybercrime.
With the advancement of communications technologies, hackers are exploiting the weaknesses of mobile devices, software and applications to access information assets. More importantly, they themselves have access to unlimited information on hacking software and techniques.
The most widespread and fastest-evolving threats to be aware of are:
Social engineering attacks
Social engineering entails exploiting an individual’s weakness by making them click on malicious links, or by physically gaining access to their computer through deception.
A typical social engineering attack was carried out against GoDaddy in 2014. The company admitted that one of its employees was 'socially engineered' into giving out additional information which allowed a hacker to gain access to Naoki Hiroshima's GoDaddy account.
Pharming and phishing are other examples of social engineering.
- Pharming aims to redirect a website’s traffic to a different, fake website, where the individual's information is then compromised.
- Phishing attempts to acquire user information by masquerading as a legitimate entity, through the use of spoof emails or websites.
Password theft
Using inadequate passwords leaves you open to attack, especially since attackers have access to lists of likely passwords that make it easy for them to gain access to others' accounts. Mark Burnett, the author of Perfect Passwords, has compiled a list of popular passwords, which is available online. According to his research, 8.5% of passwords are 'password' or '123456'. Using such simple passwords, or using the same password on multiple accounts, makes it easy for criminals: once they gain control of one account they can easily gain control of others.
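The defensive counterpart of a "popular passwords" list is to screen new passwords against it at registration or password-change time, so that nobody can pick 'password', '123456' or a thinly disguised variant. The following is an added example, not code from the original page or from the author it cites: a screening routine that normalises the candidate (lower-case, trailing digits and symbols removed, common letter-for-symbol substitutions undone) before looking it up, so that 'Password123!' and 'P@ssw0rd' are treated as the same entry as 'password'. The deny-list is a short constructed sample; a real deployment would load a large published list from a file.

```python
"""Screen a candidate password against a deny-list of popular passwords.

Added example (not from the original page). COMMON_PASSWORDS is a short
constructed sample; a real deployment loads a published list of millions of
entries, such as the one referred to above, from a file.
"""
import re

# Constructed sample deny-list, stored lower-case.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "monkey", "football", "iloveyou", "admin", "welcome", "dragon",
})

# Undo the usual letter-for-symbol substitutions so P@ssw0rd is seen as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Trailing digits/symbols that users bolt onto a dictionary word to satisfy
# complexity rules ("monkey99", "Welcome1!").
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*._-]+$")


def variants(candidate: str):
    """Yield progressively normalised forms of the candidate for deny-list lookup."""
    lowered = candidate.strip().lower()
    yield lowered                          # exact (case-insensitive) match
    stripped = TRAILING_JUNK.sub("", lowered)
    yield stripped                         # "monkey99" -> "monkey"
    yield stripped.translate(LEET_MAP)     # "p@ssw0rd1!" -> "password"
    yield lowered.translate(LEET_MAP)      # substitutions without a suffix


def is_common(candidate: str, deny_list=COMMON_PASSWORDS) -> bool:
    """True if the candidate, or a trivial variant of it, is on the deny-list."""
    return any(v and v in deny_list for v in variants(candidate))


def screen_password(candidate: str, min_length: int = 12) -> str:
    """Return 'ok' or the reason the password should be rejected.

    The deny-list check comes first: a known-popular password is the more
    specific failure and is what the statistics above describe. Length is
    checked second so that short but unusual passwords are still refused.
    """
    if is_common(candidate):
        return "appears on the common-password list (or is a trivial variant of an entry)"
    if len(candidate) < min_length:
        return f"too short ({len(candidate)} < {min_length} characters)"
    return "ok"


if __name__ == "__main__":
    # Constructed candidates: the first three pass typical complexity rules
    # yet are all trivial variants of deny-list entries.
    for pw in ["Password123!", "P@ssw0rd1!", "Monkey99", "Zx9!kQ",
               "correct horse battery staple"]:
        print(f"{pw!r:32} -> {screen_password(pw)}")
```

Checking the deny-list before the complexity or length rules matters: 'Password123!' satisfies a length-8, mixed-case, digit-and-symbol policy and would sail through a rules-only check, yet it is the first thing an attacker working from a popular-passwords list will try.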
Website hacking
Almost all websites have vulnerabilities that can be exploited by hackers. IT Governance's own Penetration Testing Service has found that, on average over the last six tests carried out, there were 19 high-level threats, 26 medium-level threats, and 34 low-level threats. These are not isolated cases, and many of these vulnerabilities will have been easily accessible to cyber criminals.
Hackers have access to online tutorials which list known software vulnerabilities, making it easy to know where to start with their new-found skills. Automated software is available for those who need it, and support packages are available in case hackers need guidance.
Fraud as a Service (FaaS)
Fraud-as-a-Service (FaaS) offerings are now more widely accessible than ever before. FaaS first appeared with the release of the first commercial banking Trojan, Zeus, in 2007 and was largely offered through postings in secret hacking forums. However, FaaS is now offered through social media platforms including Facebook (Source: Infosecurity Magazine).
Citadel is a typical example of FaaS. It is the most advanced crimeware tool money can buy and is the only crimeware of its grade being marketed to fraudsters in open underground venues. It even has its own dedicated customer relationship management system where clientele can congregate, raise issues, get support and request that new modules be implemented.
Theft of mobile devices
Almost half of the respondents to the 2013 Norton Report don't use basic precautions such as passwords, security software or file backups for their mobile devices. 38% of mobile users experienced mobile cybercrime last year, and 27% of adults lost their mobile device or had it stolen. Only 26% of smartphone users have mobile security software with advanced protection.
The perils of social media
The 2013 Norton Report also found that 12% of social media users claim someone has hacked into their social network account and pretended to be them. 39% of social media users don't log out after each session, a quarter of users share their social media passwords with others, and 31% connect with people they do not know.
Internet of Things increases threats
The so-called Internet of Things will make it easier for hackers to take control of devices as they are being connected to the Internet in increasing numbers. A recently discovered botnet was even found to have a fridge on its list of infected devices. As more and more devices are equipped with chips and are connected to the Internet, so this will become an increased source of threat. A hacker could soon control every part of your life. (Source: The Independent).
No single standalone solution is sufficient to combat cyber crime.
Today's organisations need to recognise that expensive software alone is not enough to protect them from cyber threats. Cyber security technology is only effective when processes are in place to keep it that way. Processes, in turn, depend on the skills of the people who implement them and the awareness of those who need to adhere to them.