The largest bank heist of all time took place in Brazil in 2005, and the cash stolen was estimated at nearly $70m. A gang of 6-10 robbers, previously ‘operating’ as a landscaping company in a nearby building, dug a tunnel 78 m (256 ft) long and 4 m (13 ft) below street level, ending directly beneath the Banco Central in Fortaleza, Brazil. On the weekend of 6-7 August 2005, the robbers broke through a metre-thick, steel-reinforced concrete bank vault and seized five containers of 50-real ($24) notes, weighing 3.5 tonnes. A truly monumental physical effort. Very few bank robberies are this ‘successful’.
This may sound like a life-changing amount of cash, but in reality it barely registers when you consider the scale of plundering taking place online. The largest declared loss, $850m, was incurred between 2013 and 2018 when Russian hackers broke into the computer systems of more than 100 financial institutions.
The costs of cyber crime
In their report on the extent and economic impact of global cybercrime in 2018, McAfee estimated that it costs the world almost $600bn per year, the equivalent of 14% of the worldwide internet economy. The report goes on to state that cybercrime is the third largest type of criminal activity after government corruption and the illegal drugs trade.
Top of the list of tools used by cybercriminals is ransomware. There are more than 6,000 online criminal marketplaces selling ransomware products. Even ‘ransomware-as-a-service’ (RaaS) is becoming more widespread.
The costs to businesses of this criminal activity take many forms:
- Loss of intellectual property and business-confidential information
- Identity theft – online fraud and financial crimes, often the result of stolen personal data
- Manipulation of financial market data
- Opportunity costs, including disruption in production or services and reduced trust in online activities
- Cost of cyber security – securing networks, purchasing cyber insurance and paying for recovery from cyber-attacks
- Damage to organisational reputation and brand value
The rise in cybercrime is inextricably linked to the growing pervasiveness of connected devices. The surge in ‘Internet of Things’ (IoT) devices greatly expands the attack surface, giving hackers many more footholds from which to break into other, more lucrative targets. This obvious weakness is exacerbated by widespread acceptance of, and reliance upon, default security settings (factory user names and passwords) and by failure to apply security patches. When malware infects many such devices and enrols them in a botnet that is then pointed at a web server in a coordinated attack, the result can be disastrous. In several examples, major social media websites have been taken offline by distributed denial of service (DDoS) attacks; in 2016 the Mirai botnet’s attack on the DNS provider Dyn made major services such as Twitter and Netflix unreachable for hours.
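The mechanism described above, default factory credentials being tried at scale, leaves a recognisable trace in the authentication logs of the targeted device: a single source cycling through a handful of well-known account names in seconds. The following is an added example, not code from the original article, showing how a defender can detect that pattern. The log lines are constructed to resemble Linux sshd syslog entries, and the list of default user names, the 60-second window and the thresholds are assumptions chosen for illustration.

```python
"""Detect Mirai-style default-credential guessing in authentication logs.

Added example for this article, not code from the original page. The log
lines are constructed to resemble Linux sshd syslog entries, and the list of
default user names, the 60-second window and the thresholds are assumptions
chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# User names that Mirai-style scanners pair with factory passwords (assumed list).
DEFAULT_USERS = {"root", "admin", "user", "support", "guest", "service", "supervisor"}

# Matches lines such as:
#   Aug 07 10:01:03 cam01 sshd[412]: Failed password for root from 198.51.100.7 port 51234 ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)

# Constructed sample log: one source cycling through default accounts, one
# legitimate user who mistypes a password once and then logs in.
SAMPLE_LOG = """\
Aug 07 10:01:03 cam01 sshd[412]: Failed password for root from 198.51.100.7 port 51234 ssh2
Aug 07 10:01:05 cam01 sshd[412]: Failed password for admin from 198.51.100.7 port 51236 ssh2
Aug 07 10:01:08 cam01 sshd[413]: Failed password for invalid user support from 198.51.100.7 port 51240 ssh2
Aug 07 10:01:10 cam01 sshd[414]: Failed password for invalid user guest from 198.51.100.7 port 51241 ssh2
Aug 07 10:01:12 cam01 sshd[415]: Failed password for root from 198.51.100.7 port 51244 ssh2
Aug 07 10:15:40 cam01 sshd[520]: Failed password for alice from 192.0.2.44 port 40021 ssh2
Aug 07 10:15:49 cam01 sshd[521]: Accepted password for alice from 192.0.2.44 port 40021 ssh2
""".splitlines()


def parse_failures(lines, year=2019):
    """Yield (timestamp, user, source_ip) for every failed-login line.

    Syslog timestamps carry no year, so one is supplied (assumed 2019 here).
    """
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]


def detect_default_cred_bruteforce(lines, window=timedelta(seconds=60),
                                   min_attempts=5, min_users=3):
    """Return {source_ip: sorted default user names tried} for every source that,
    inside any sliding window, produced at least `min_attempts` failed logins
    against at least `min_users` distinct default accounts.

    The distinct-user condition is what separates a credential scanner from a
    single user who mistypes one password repeatedly.
    """
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(lines):
        by_src[src].append((ts, user))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = [u for ts, u in events[i:] if ts - start <= window]
            hits = [u for u in in_window if u in DEFAULT_USERS]
            if len(hits) >= min_attempts and len(set(hits)) >= min_users:
                flagged[src] = sorted(set(hits))
                break
    return flagged


if __name__ == "__main__":
    for src, users in detect_default_cred_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: default-credential scan across {', '.join(users)}")
```

Run against the constructed log, the scanner at 198.51.100.7 is flagged for trying root, admin, support and guest within nine seconds, while the legitimate user who mistyped once is not. On a real device the same logic would sit behind a log forwarder or fail2ban-style filter; the more durable fix, as the article says, is to change the factory credentials and patch the firmware so there is nothing for the scanner to find.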
Attacks are on the increase
And the scale of online attacks is on the increase. Malicious, ‘black hat’ scans and intrusion attempts are estimated at a staggering 80 billion per day, and between 300,000 and one million new malware samples are believed to be created each day. This scale is driven by online collaboration: organised crime gangs can now share hacking tools and ‘plug-ins’ on the dark net.
The list of prominent attacks grows relentlessly; some high-profile cases are:
- Equifax exposed the personal and financial records of around 147m people in the US, Canada and the UK in 2017, which brought hundreds of legal claims against the company.
- Facebook announced in September 2018 that attackers had exploited a vulnerability in its code to steal the access tokens of 50 million user accounts, which could then be used to take over those accounts. Facebook faces a potential data protection fine of up to $1.6bn.
- In November 2018, Marriott Hotels disclosed a breach of its guest reservation systems affecting up to 383 million guest records.
- In January 2019, sensitive data belonging to hundreds of German politicians, celebrities and public figures was published online via a Twitter account in what is thought to be one of the largest leaks in the country’s history.
It’s easy to think that cunning hackers will always find ever more complex ways to discover vulnerabilities and that data breaches are therefore inevitable; however, the other significant weakness is the online users themselves. Hackers capitalise on the gullibility of individuals.
A carefully crafted email that mimics an online service familiar to the user is the Trojan horse into someone’s private life. Disguised as a sender the target trusts, it needs only a single click to hand the hacker passwords, bank details and more. In 2017, it was estimated that around $130bn was stolen from unsuspecting users worldwide, with nearly $5bn of that taken from UK citizens.
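An email that mimics a familiar service usually gives itself away in a few places that the user never looks at: the sending domain behind a trusted-looking display name, a Reply-To that routes answers elsewhere, and links whose visible text shows the real site while the href points somewhere else. The following is an added example, not code from the original article, that checks a raw message for those three indicators. Both messages are constructed, and the brand-to-domain mapping is an assumption.

```python
"""Flag the tell-tale signs of a phishing email that impersonates a familiar
online service.

Added example for this article, not code from the original page. Both messages
below are constructed; the brand-to-domain mapping is an assumption, and the
check covers three indicators only: sender brand mismatch, Reply-To mismatch,
and link text pointing to a different domain than its href.
"""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands that should only ever mail from these registered domains (assumed).
KNOWN_BRAND_DOMAINS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}


def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for the .com/.example hosts used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(value):
    """Host name of a URL, or of bare text that looks like a URL/domain; '' otherwise."""
    try:
        return urlsplit(value if "://" in value else f"http://{value}").hostname or ""
    except ValueError:
        return ""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw_message)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    for brand, domain in KNOWN_BRAND_DOMAINS.items():
        if brand in display.lower() and from_domain != domain:
            findings.append(f"display name claims {brand!r} but sender domain is {from_domain!r}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_to:
        reply_domain = registered_domain(reply_to.rsplit("@", 1)[-1])
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        # Only visible text that itself looks like a domain sets a user expectation.
        shown, actual = host_of(text), host_of(href)
        if "." in shown and registered_domain(shown) != registered_domain(actual):
            findings.append(f"link shows {text!r} but goes to {actual!r}")
    return findings


# Constructed phishing message: lookalike sender domain, foreign Reply-To,
# and a link whose visible text is the real site while its href is not.
PHISH = """\
From: "PayPal Service" <security@paypa1-alerts.example>
Reply-To: recover@mail-verify.example
To: victim@example.org
Subject: Unusual sign-in activity
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed a new sign-in. Please confirm it was you:</p>
<p><a href="http://paypa1-alerts.example/login">https://www.paypal.com/signin</a></p>
<p>Or <a href="https://www.paypal.com/help">read our help centre</a>.</p>
</body></html>
"""

# Constructed legitimate message for comparison.
BENIGN = """\
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your receipt
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.paypal.com/activity">https://www.paypal.com/activity</a></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, phishing_indicators(raw) or "no indicators")
```

The constructed phishing message trips all three checks while the legitimate receipt trips none. The link check deliberately ignores anchors whose visible text is ordinary prose (“read our help centre”), because only text that looks like an address creates an expectation the href can betray; a production filter would add SPF/DKIM/DMARC results and a proper public-suffix list in place of the two-label `registered_domain` shortcut.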
Identity theft stands prominent in the list of concerns an individual may have when using online services. In terms of direct financial loss this fear may be somewhat exaggerated: the Identity Theft Resource Center estimated that the average personal loss was about $500. Not a great amount on average, though some victims will be hit with large costs. Even if you don’t suffer massive losses, the disruption and irritation caused in the aftermath can last for days, even months.
Phishing catches out even the most technically astute online companies
That individuals fall for this is to be expected, but phishing catches out even the most technically astute online companies. Take, for example, the brazen success of one bogus supplier who swindled Facebook and Google out of a combined $100m over two years by convincing their accounts departments to wire payment for fake invoices to bank accounts in Eastern Europe.
But despite the scale of the threat, the degree of complacency towards data security appears staggering. Many companies at risk of cyber-attack remain unprepared to deal with it. 44% of the 9,500 executives in 122 countries surveyed for PwC’s 2018 Global State of Information Security Survey reported that they do not have an overall information security strategy. Further, 48% said they do not have an employee security awareness training programme, and 54% said they do not have an incident response process.
It’s not that governments are silent about cyber defence. The UK’s National Cyber Security Centre (NCSC) has published substantial guidance to organisations on building defence strategies against hacking.
An information risk management regime is central to your organisation’s overall cyber security strategy, which in turn should be linked to your business strategy, as explained in our recent blog. You should follow an established security management framework. If you’re starting out, then we recommend the NCSC 10 Steps to Cyber Security framework. If you wish to demonstrate strong security management, then consider implementing an information security management system and having it certified to the ISO/IEC 27001:2013 standard.
Securing your business can appear time consuming and maybe expensive, but as the old adage goes, ‘fail to prepare, then prepare to fail’.
We can help you assess and improve your security posture. Even if you just want some initial guidance, please do contact us.