Gotcha – cybercrime will affect you

I’m no cyber guru but this I do know – cybercrime is something every business owner and board need to be aware of and prepare for.

Robert Mueller – former FBI Director, former Sanford consulting professor on cybercrime, and now special counsel for the Russian involvement in the US presidential election in 2016, famously said “There are only two types of companies: those that have been hacked, and those that will be.

Even that is merging into one category: those that have been hacked and will be again.” I usual modify this quote to ‘those that have been hacked and those that don’t know they’ve been hacked’.

Most small and medium sized business owners think cybercrime only happens to big companies, and most individuals think it only happens to corporates. Cybercrime has actually been around for years – but the attacks are becoming more prevalent and effective and now pose a real and current threat to business continuity.

The message is that no one and no company is immune from cyber-attacks.

Cybercrime is big – it is the new ‘drug’ for organised crime. It is less labour and physical inventory intensive than any actual drug, can be carried out anywhere and anytime, and is easily scalable. If it hasn’t already cybercrime will surpass any other organised crime activity.

The difficulty with cybercrime is this. Once the crime has been perpetrated and discovered, it is likely that the funds and/or data have long since disappeared.

So why are companies targeted – especially small companies which may only have a little general information on their website or in their systems? Well most companies have more information than they realise – and a few large company attacks gives an insight in the type of information cybercriminals are after.

Sony – 47,000 records stolen with proprietary and employee details (employment, health and emails). Sony’s initial costs were over $100m (reduced to $15m after insurance payout) but resulted in an 11% sales decline and 7% fall in share price. Co-chairs resigned after ‘racist’ and other offensive emails released.

Home Depot – 56 million credit card numbers and 53 million email addresses stolen – cost Home Depot $109m to fix.

JP Morgan – email addresses and physical address of 76 million households and 7 million small businesses costing JP Morgan $83m.

eBay – hackers took customers’ personal information affecting 145m active users. Cost to eBay was $145m.

Target (US) – hackers stole credit card details. Credit card issuers had to reissue credit cards costing them $200m. The mid-range ‘price’ per credit card on the black market was estimated at $26.85 – so generated the cybercriminal $53.7m for six months work. The CIO, CISO, and CEO all lost their jobs and seven of ten Directors were pushed for re-election for failing to provide sufficient oversight.

The above cases also highlight three important facts about cyber breaches.

Firstly, 69% of all cyber breaches the victims are notified by an external entity. For example, a victim may receive a ransomware message from the criminal, or have people calling and advising the company, or customers querying suspicious transactions on their credit cards. So, the crime is committed without the victim knowing about it until it is too late.

Second, the median number of days that a threat is present on a network to its earliest detection is 205 days – near 7 months – according to Madiant M-Trends. The longest known threat present is 2,982 days – 8 years 2 months. The cybercriminal is patient, watching and waiting, gathering information and preparing for the greatest impact.

Thirdly, poor handling of cyber incidents, both internally and externally, have led to harsh impacts on many companies.

Over the next few articles in my series on cyber-crime I will explain in ‘lay-person language’ the common types of cybercrime, what to do after you’ve been attacked, and then some measures and ways that companies and individuals can protect themselves from what is unfortunately inevitable.