Your exposure could be more costly than you realized
Cybercrime is obviously a topic that GTconsult is quite find of. Because our focus is on technology and how it enables productivity, we are also aware of how technology is also a hotbed of criminal activity. The challenges that we currently face is that this new breed of cyber criminals is highly motivated and are very hard for authorities to catch because they can basically hide in plain sight.
We talk about cybercrime on a frequent basis, but we do not always have access to information that quantifies the nature of the risk. And if we cannot quantify the risk, our readers will start asking questions about how serious the risk actually is.
Massive impact
I recently read an article on ITWeb which references a McAfee report. The report points out that Cybercrime losses have exceeded $1 trillion. Please do not say that with a Dr Evil voice with your pinkie finger in your mouth and a cat on your lap. You are not in an Austen Powers Movie.
The ITWeb article points out that cybercrime costs the global economy over $1 trillion, or just more than 1% of global GDP, a figure which is up more than 50% from a 2018 study that put global losses at close to $600 billion.
This was revealed by a new report by McAfee dubbed The Hidden Costs of Cybercrime, which examines the financial and unseen impacts that cybercrime has around the world. The report, conducted in partnership with the Centre for Strategic and International Studies (CSIS), was compiled from interviews of 1 500 IT and line of business decision makers. The report explored the damage reported beyond financial losses, finding 92% of companies felt effects beyond monetary losses.
A wider attack surface
The article points out that Steve Grobman, SVP and CTO at McAfee, says the severity and frequency of cyber-attacks on organisations increases as adversaries hone their techniques, new technologies widen the attack surface, and work expands into home and remote environments.
“While industry and government are aware of the financial and national security implications of cyber-attacks, unplanned downtime, the cost of investigating breaches and disruption to productivity represent less appreciated high impact costs,” he says.
The article adds that, in South Africa, organisations had to scramble to establish work-from-home infrastructure for their staff to ensure business continuity through the COVID-19 lockdown, but compared to more developed markets, few company’s security infrastructure was up to the job for this shift,” adds Carlo Bolzonello, country manager for McAfee SA.
“While many managed the shift, they were unwittingly vulnerable to security breaches, whether they were accidental data leaks, private data being maliciously shared by disgruntled employees, or targeted hacks from global crime syndicates. Organisations equipped with a cloud-based advanced threat management solution that offers complete coverage across the attack lifecycle, would have had the ability to prioritise and protect what matters, easily and efficiently,” he adds.
Hidden costs
The article points out that the report also scrutinised the hidden costs and the lasting impact and damage cybercrime can have on a business, including system downtime, which is a common hazard for around two thirds of respondents’ organisations.
The average cost to organisations from their longest amount of downtime in 2019 was $762 231, and a third of respondents stated IT security incident resulting in system downtime cost them between $100 000 and $500 000.
The article added that another hidden cost emerged as reduced efficiency, as system downtime saw organisations losing, on average, nine working hours a week leading to reduced efficiency. The average interruption to operations was 18 hours.
Then there’s incident response cost. The report highlighted that it took an average of 19 hours for most businesses to move from the discovery of an incident to remediation.
Finally, the report looked at brand and reputation damage and found that the cost of rehabilitating the external image of the brand, working with outside consultancies to mitigate brand damage, or hiring new employees to prevent future incidents is another cost, with 26% saying they had suffered brand damage from the downtime experienced due to an incident.
Ill prepared
The article points out that, unfortunately, the report also uncovered a lack of organisation-wide understanding of cyber risk, which makes businesses vulnerable to sophisticated social engineering tactics and, once a user is hacked, not recognising the problem in time to stop the spread.
According to the report, 56% of the participants admitted to not having a plan to either prevent or respond to a cyber incident. Out of the 951 organisations that actually had a response plan, only 32% believed the plan was effective.
“Why are there still companies who are ill prepared for cyber threats?” asks Craig Tarr, CEO of GTconsult, “if we looked at the situation five years ago, we could have argued that access to cyber protection was limited to larger companies because those were the only solutions available at time. Those products were also very reactive in nature. We have come a long way from these times. Products in the industry are proactive and seek to negate the threat before it becomes an issue. Further, companies offer a range of products that offer protection to large, medium, and small companies. There are even companies that offer consumer-based solutions. We need to be aware of the protection we have access to.”
Areas of concern
The McAffe report points out that, based on survey data, spyware, and malware (including viruses, worms, spyware, keyloggers, and Trojan horses) cost organizations the most in 2019.
The report adds that malware facilitates a range of criminal activities, from ransomware and data exfiltration to the active disruption of networks. Illicit Cybercrime-as-a-Service dealings have allowed malware to simultaneously become more advanced and also more accessible to those without deep technical expertise.
As cybercrime markets have grown increasingly sophisticated, they have seen the emergence of specialized vendors who are experts at not only designing malware, but also setting up the necessary infrastructure for an attack. The article points out that they offer to lease malware to would-be cybercriminals for a fee, creating an environment where a small group of technically minded criminals can focus their full attention on the development of new attack capabilities, and where a large group of less sophisticated actors can easily take advantage of them.
The report adds that in the first half of 2019, more than 3 800 data breaches were reported, exposing more than four billion records to cybercriminals. One particularly concerning subset of data breaches are those affecting personal health data. This data can often be one of the most valuable forms of data for criminals because of the way it allows for the precise targeting of fraudulent schemes to vulnerable individuals based on their medical histories.
As of August 2020, the U.S. Department of Health and Human Services was investigating more than 550 cases of personal health information breaches caused by theft, hacking, IT incidents, or unauthorized access. These cases involve the data of almost 35 million individuals.
The report points out that data breaches are mostly the result of external actors, but a recent study found that many are the result of insider attacks. One recent example was the 2019 breach of more than 100 million Capital One records by a software engineer working for Amazon Web Services, who hosted the bank’s database.110 Insiders can also pose a threat to sensitive corporate intellectual property (IP). An example of this was the case of Tesla in 2018, when an employee abused his/her access to make “damaging” changes to the source code of Tesla’s manufacturing operating system, and exported gigabytes of information about Tesla’s manufacturing processes to a third party.
Phishing
The report points out that according to the Anti-Phishing Working Group (APWG), in the first quarter of 2020 more than 165,000 unique phishing sites were recorded. Phishing has become easier in recent years, as Phishing-as-a-Service offerings have emerged on cybercrime markets. Thanks to these offerings, cybercriminals no longer need to have expertise in designing a phishing infrastructure before sending out their campaigns. Instead, criminals can simply buy from vendors who offer their own kits and hosting and focus on victims (whose contact details are also easily available from the same markets).
The report adds that one research group found more than 5,000 turnkey phishing kits available in the first half of 2019 alone.
Ransomware
The report points out that ransomware remains the fastest growing part of cybercrime. During the COVID-19 pandemic, ransomware attacks in general have increased 148% from the baseline levels reported in February 2020.
The report adds that one of the most concerning trends in ransomware is the shift towards targets in the manufacturing industry. Security researchers are beginning to see the emergence of ransomware strains targeting industrial control systems, and millions in ransom has already
been paid by industry victims who have fallen prey to these variants.
This trend is likely to continue as factories and other industry operators prepare to expand their deployment of vulnerable IoT devices throughout their premises—broadening the attack surface of their network and creating new targets for malicious actors.
Financial cybercrime
The report points out that cybercrime continues to impose heavy costs on financial institutions. Today, there are five billion unique user credentials (for example, username and password combinations) available on the darknet to cybercriminals.118 These pilfered credentials can grant
access to corporate networks or bank accounts.
The report adds that there are more than 15 billion pilfered credentials for sale on the darknet, five billion of which are unique first-time identifiers. The FBI’s “2019 Internet Crime Report” states: “Some criminals buy credentials on darknet marketplaces, where a single account costs on average $15.43. But the more sought-after banking credentials sell for an average of $71.”
The report points out that financial institutions have also come under attack by nation states. In 2016, North Korean hackers managed to steal $81 million from Bangladesh’s central bank by taking advantage of stolen credentials and submitting false money transfer requests to the Federal Reserve Bank of New York.122 More recently, in 2018 the same group of hackers managed to steal $20 million from the Mexican bank Bancomext.123 The scale of the threat facing financial institutions can be most clearly seen in the 2018 arrest of a cybercrime gang leader whose group stole $1.2 billion from more than 100 banks over a period of five years.
“Phishing has always been a major concern when it comes to cybercrime. In the beginning, you could easily spot a phishing email because the design of the email (logos) was wrong and the spelling in the email was incorrect. Criminals have now become smarter and are producing emails where you cannot tell the difference if it is genuine or not. If you are unsure about an email that you receive, call the company that sent the email and ask if it is genuine or not. It is important that you do not become a victim,” says Tarr.
Who Are the Criminals?
This is a question that was asked by the Trump administration when they accused China of launching focused cyber-attacks on the country. The real answer is that it is often difficult to pinpoint who the criminals are because they lurk in the shadows.
The McAffe report points out that cybercrime is now a specialized “professional” activity. There are still many unsophisticated new entrants, but if they live in countries where the rule of law is strong, they usually end up in jail. Cybercriminals thrive where law enforcement is weak, whether it is because many countries have still not developed the necessary capabilities to fight cybercrime or because their government decided to turn a blind eye to the activities.
The global reach of the internet means criminals and victims do not need to be located in the same place. As FBI Director Christopher Wray explained at the 2020 National Cybersecurity Summit,133 We’ve got to change the cost-benefit calculus of criminals and nation states who believe they can compromise U.S. networks, steal U.S. financial and intellectual property, and hold our critical infrastructure at risk, all without incurring any risk themselves.
The report adds that, for most countries, the vast majority of cybercrime losses will be attributable to actors outside of their jurisdiction. Cybercrime has become among the most lucrative activities, with data trading and ransomware becoming increasingly popular tools. From January to June of 2020, the victims of the 11 most significant ransomware attacks in Europe and the U.S., in both the private and public sectors, have incurred financial losses of $144.2 million connected to rebuilding infrastructure, paying ransoms, and the creation of new security
structures.
The report points out that organized cybercrime teams are highly regimented, with team leaders, coders, network administrators, intrusion specialists, data miners, and even financial specialists leading vast organizations of multinational hackers. More recently, some previously unconnected groups have started collaborating with each other in order to increase their activities and profit. In China alone, an estimated 400,000 people work in rapidly growing organized cybercrime networks.
The report adds that some countries are hotbeds for cybercrime. A weak rule of law, lack of specialized law enforcement agents, and inadequate resources allow cybercriminals to enrich themselves with impunity. In Nigeria, for example, unemployment, poor implementation of laws, and inadequately equipped law enforcement agencies help explains why cybercrime can flourish.
The report points out that criminal cyber activity from Vietnam has increased in the last few years, with consensus that the situation has been aggravated in recent years.140 Rapid economic growth and an inability to absorb talent have led to Vietnam to be considered a “mid-tier cybercrime hub.”
The report adds that other states, however, have a permissive environment for cybercriminals and use them for state purposes when needed. In Russia, for instance, the complex and close relationship between the state and organized crime makes it into a sanctuary for the most advanced cybercriminals. Allowing criminal groups to pursue their financially motivated schemes and protecting them from law enforcement comes with a price; they are expected to use their skills to support the government’s interests.
The report points out that John Carlin, former assistant attorney general for the Department of Justice’s National Security Division, said, Increasingly, you cannot tell which is which when it comes to the criminal and the intelligence agency. So, one day, the same crook may be doing something purely to make a buck. But that same crook may be directed by a trained intelligence operative using the same tools and techniques to steal information from them for the goals of the state. When issuing sanctions against Maksim Yakubets, leader of the cybercrime group Evil Corp, U.S. officials highlighted his “direct assistance to the Russian government’s malicious cyber efforts,” in addition to his financially motivated crimes.
The report adds that this symbiotic relationship seems to also be the case in Iran, where cybercriminals act, in many cases, both for private gain and for the government. Recent charges against two Iranian hackers found that in the same cybertheft campaign, there were instances in which they acted at the behest of Iran, and sometimes only for financial gain.144 Mabna Institute hackers stole research from universities, governments, and companies around the world, costing the organizations more than $3 billion.
The report points out that some states have directly engaged in cybercrime for their own financial gain. North Korea uses cyber-enabled theft and money laundering, extortion campaigns, and cryptojacking to fund its projects.146, 147 The hacking initiative is orchestrated by the Reconnaissance General Bureau, North Korea’s intelligence agency, and reportedly has 6 000 agents carrying out operations in more than 17 countries.148, 149 North Korea may have funnelled up to $2 billion from cybercrimes against banks and cryptocurrency exchanges to its weapons of mass destruction (WMD) research. Cryptocurrency exchanges are a favoured target for North Korea, since
they allow the state “to generate income in ways that are harder to trace and subject to less government oversight and regulation than the traditional banking sector.”151
The report adds that two 2019 hacks represented the theft of $250 million in cryptocurrency.152 Ransomware is another preferred tool. By making the ransom cheaper than the cost of backup and restoration, they seek to force companies to pay. We have discussed how IP theft, as a hidden cost, can represent a significant loss to agencies and companies, as well as pose a national security risk. This form of crime is harder to fight when it is state backed. Economic espionage to benefit national industry has long been a hallmark of China’s economic policy. China accounts for roughly 80% of all economic espionage cases in the U.S., and it has cost the U.S. economy around “half a trillion to a trillion dollars of damage.”154, 155 Cyber-theft plays a significant role in making this a successful policy. Typical targets of state-linked Chinese hackers include defence and technology firms, engineering companies, and pharmaceutical and medical device developers spread out across the U.S., Europe, and Asia.156 For example, so as to benefit its aircraft industry, China has leveraged its underground hacking scene, Ministry of State Security or MSS Officers, company insiders, and state
directives.
The report points out that amid the COVID-19 pandemic, targeting of healthcare and medical research facilities has increased. The president of the EU Commission suggested that China might be behind these operations and remarked that this would not “be tolerated.”158 In a related event, the U.S. Justice Department issued an indictment last July against two Chinese hackers targeting IP, including COVID-19 research. The document alleges they sometimes “acted for their own personal financial gain” and, in some cases, they acted for government agencies.
The report adds that, overall, China has a flourishing cybercrime network but this may be a consequence of its massive state surveillance program, since many of the hackers caught by the Chinese police are offered a choice: work for the state or go to jail.
The important bit
“At the end of the day, you can have the best cyber security protection in the world and a motivated cybercriminal may still find a way to penetrate your defences. While a well-established cyber security protocol is important, your response to a cyber-attack is equally important,” says Tarr.
The McAffe report points out that the survey found that organizations in different countries assess cyber risk differently. While many of the findings hold true across the world, some outliers help us better tailor plans for increased efficiency. There is no one-size-fits-all solution to cyber risk.
The report adds that, although the findings of the report is limited by the locations surveyed (the U.S., Canada, the U.K., France, Germany, Australia, and Japan), they provide useful snapshots of variations across countries.
Conducting IT security investigations and the impact of downtime
The report points out that organizations conducted an average of 18 IT security investigations in 2019. German, U.S., and UK organizations conducted above average investigations, with French organizations at the lower end of the spectrum, conducting around 15. This might suggest that organizations in France face less of a risk or that they have less regard for it. Thirty-two percent of French organizations report that they did not experience a cyber incident that caused downtime when that was only true for an average of 26% of the total respondents.
The report adds that, with downtime being a common consequence for around two thirds of respondents’ organizations, location appears to make a difference. Forty percent of the companies or agencies in Japan experienced no downtime, while this was only true for 18% of them in the U.S. This could be explained if Japanese organizations implemented better preventative measures—but they do not seem to be doing differently from others in developing prevention and response plans. Another plausible explanation is that organizations in the U.S. are more tempting and lucrative targets.
The report points out that, although, in some instances, there seemed to be a link between the duration of downtime and the costs associated with it, this was not always true. The average cost of the longest downtime for organizations in both Japan and Germany was above $1 million, and, although Japan’s downtime duration was slightly above average at 19 hours, Germany was in the lower spectrum at 14 hours.
Incident response
The report pointed out that it took an average of 19 hours for most organizations to move from the discovery of an incident to remediation. This typically entails restoring IT services back to normal capacity, removing the threat from the system, and retrieving lost data. In some cases, however, organizations will not consider an incident to be remediated until the source of the incident has been identified or some measure has been implemented to prevent the incident from reoccurring in the future.
The report added that, during the average longest IT security incident, 15 hours elapsed before the compromise was discovered. This time of extreme vulnerability was even longer for organizations in Japan, the U.S., and Canada. In the case of Japan, companies and agencies took significantly longer than their counterparts did in other countries to move to remediation, taking 48 hours—20 hours longer than the total average.
Prevention and response plans
The McAffe report pointed out how the lack of plans for both preventing and responding to IT security incidents is widespread, with only 44% of our respondents stating their organization has both. French organizations scored even lower, with only 26% of institutions boasting prevention and response plans. It is uncommon for an organization to not have any sort of plan in place.
The report added that, even if they did not have plans for both preventing and responding, they would have one of them in place. Only in Japan did we find a larger percentage of institutions that had neither kind of plan: 4% against an average of 1%. Limited involvement of the C-suite in developing plans is also a shared experience across the countries. However, it is interesting to note who they decide to involve. While the U.S., Canada, and the U.K. lead in involving the CEO or the board, organizations in France and Germany tended to bring on the CIO, CISO, and CTO to a larger extent.
Communication strategies
The report pointed out that agencies and companies in Canada and Germany were less likely to share information about their most severe IT security incident with anyone outside of their organization.
The report adds that one could hypothesize that increased media reporting would be an incentive for organizations to get ahead of the story and inform the public.
The reports that that, however, that is not the case. Although, incidents that occur in the U.S. garner the most media attention—24% of the organizations there responded that their most severe IT security incident was covered by the media (and this was true for an average of 16% of the total
surveyed institutions)—22% of U.S. companies and agencies interviewed reported they did not share any information. This was well in line with the average across regions. Communicating with clients and customers does not appear to be a priority in most countries, with no significant discrepancies among the interviewees: only 345 out of 1 332 companies informed their clients that they had experienced a cyber incident.
Important points
Tarr points out that there are a few important things to take note of.
The first point to take note of is that South Africa experienced two major data leaks this year (Experian and Absa) and that in both cases, there was a lot of communication with the public and the companies acted swiftly to get to the source of the leak. “This proved to play a key role in the management of the incident and the possible retention of customers following the incident. These were perfect case studies on how to respond to an incident once it occurs,” says Tarr.
The second important point to note is that GTconsult offers key protection when it comes to cyber exposure. “One of the most popular offering that we have is Penetration Testing. GTconsult will penetrate your system in the same way that cyber criminals do. We will then make recommendations about what needs to be done to improve your protection,” says Tarr.