Cyber crime is at a level higher than ever before and the damage to economic security is severe.
One of the earlier large-scale cyber attacks took place in the summer of 2015, when several of New York’s most prestigious and trusted corporate law firms found themselves hacked from China. The hackers accessed the firms’ computer networks by tricking partners into revealing their email passwords. After more than 100,000 attempts over a period of seven months, the hackers were eventually able to access highly sensitive documents about upcoming mergers, and allegedly used this information to trade, netting USD4 million in stock market gains.
The firms tried to keep the cyber attack quiet, both to protect their systems from further attack and to protect their reputations, but information about the attacks was leaked to the press and later confirmed by the FBI and the firms themselves.
The number of cyber attacks
Cisco, the worldwide leader in IT and networking, calculated that the number of distributed denial-of-service attacks (assaults that flood a system’s servers with junk web traffic) jumped globally by 172 percent in 2016. Cisco estimates that the number of attacks will rise to 3.1 million by 2021. The more serious attacks in the past involved hackers working in isolation to steal personally identifiable information such as credit card numbers. Those attacks caused losses of money or identity theft, but were usually dealt with through relatively low-cost settlements with customers.
As the number and scale of network attacks grow, the toll on business increases. The rise of bitcoin has taken hacker attacks to a new level, leading to potential losses that are harder to assess, although industry estimates already place them in the billions of dollars annually. Criminal networks are often loosely connected through networks like the now-defunct Silk Road or the still active Shadow Brokers, and scores of dark web sites have become collection points for spreading malicious code. The average total cost of a data breach in the US was USD5.85 million in 2014 and is estimated at USD7.35 million in 2017. Across the global economy, cybercrime is estimated to have cost more than USD450 billion in 2016.
A global cyberattack by the WannaCry ransomware cryptoworm targeted computers running the Microsoft Windows operating system, encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. The attack began on 12 May 2017 and within 24 hours had infected more than 230,000 computers in over 150 countries. Parts of the United Kingdom's National Health Service (NHS), Spain's Telefónica, FedEx and Deutsche Bahn were just some of the organisations affected.
Petya (or NotPetya) attack
Petya was first seen in March 2016, transmitted via infected e-mail attachments; by June 2017 a new variant was being used for a major global cyberattack. The majority of targets were in Ukraine and Russia, where initially more than 80 companies were attacked, including the National Bank of Ukraine. India, France, Germany, Italy, Poland, the United Kingdom and the United States were also targeted. During the attack, launched on 27 June 2017, the radiation monitoring system at Ukraine's Chernobyl Nuclear Power Plant went offline. Several Ukrainian ministries, banks and metro systems were also affected. The US Department of Homeland Security began coordinating with international and local partners, and Europol was "urgently responding" to reports from member states of the European Union.
The WannaCry ransomware attack is estimated to have cost as much as USD4 billion. The Petya malware attack is just two days old at the time of writing and is likely to cost at least as much.
Governments and corporations are learning fast that no network is completely safe. All are vulnerable, and largely defenceless, against cyber criminals who may be just a handful of individuals halfway around the world. Expensive data-security systems and high-priced information security consultants can still be defeated by attackers who have the resources to mount assaults relentlessly until they succeed.
Companies are beginning to understand that, although defensive systems are useful, it is more important to have a plan in place to detect and neutralise intruders when they strike. Most companies now have a formal cybersecurity incident response plan across their organisation, since the response to an intrusion is no longer as simple as removing the virus and continuing with business as usual. Most regulators also require incident reports as soon as the event happens. A non-compliant firm risks enforcement actions and civil lawsuits if it fails to participate in suppressing the attack.
If a company’s computers are compromised and used to mount an attack on another victim, liability could fall on the first company if the compromise is not reported to the regulators.
The increasing number of cyber attacks has led to a sharp rise in cyber security insurance. For insurers, risk modelling has begun to resemble that of other industries, where the economics of the market are paramount. Regulators are suggesting that firms insure their risk, and insurers are beginning to offer pricing more closely tailored to risk than in the past. This has become possible now that insurers have more accurate tools to assess each organisation’s level of ‘cyber security readiness’.
Training and monitoring
Compliance teams are responsible for training and monitoring staff on cyber awareness, particularly in the use of social media. Questions remain about the potential vulnerabilities of email and of engaging with clients, employees and counterparties via social media.
Software developers continually produce new and improved operating systems and do their best to minimise the risk of security exposures, but fully secure software is not achievable. Hackers continually look for weaknesses they can exploit, even as security specialists continually test and check whether they can find any weaknesses themselves.
Organisations and companies need to remain ever-vigilant about cyber security. Whilst some sectors, most notably banking and finance, have good anti-hacking protocols, there remains room for improvement among other organisations that are less stringent. The more lax organisations are the ones at risk of being hacked or of hefty penalties from the regulators.