Cybercrime poses a growing threat to global business, and protection depends on awareness, collective responsibility and behavioural changes as much as technology.
Ask people about cybercrimes and they may reference big-name disasters which have grabbed headlines and whose fallout has been felt across the world.
Examples include the attack on US retail giants Target and Home Depot, which led to the theft of millions of customer card details; the gang that used ‘Lurk’ malware to orchestrate the theft of RUB 1.7bn (USD 25m) from banks in Russia; UK mobile and broadband provider TalkTalk’s loss of 100,000 customers after a data breach compromised customers’ personal information; the attack on Japan’s pension service, which exposed a million names, ID numbers and addresses; and the thousands of malicious URLs created to mimic online banking services in the run-up to Brazil’s Summer Olympics in Rio 2016. Sony, Yahoo, Mattel, Amazon, Ryanair, eBay, numerous major banks – the list is growing.
Such attacks have put cybercrime in the global spotlight. But while thefts from big business or governments garner media attention, most cybercrime is more routine. “Some attacks are targeted,” says Stephen Gates, of global cyber security consultant NSFOCUS. “But most are arbitrary, such as hackers building web robot armies that scan the internet looking for vulnerable systems.”
SMALL IS VULNERABLE
It is not all big business either – all companies are at risk, and the most vulnerable are the small to medium enterprises (SMEs).
“Small, private companies are probably more exposed than large public ones,” says Olga Petrukhina, head of legal practice, UHY Prostor Ltd, Ukraine. “They do not have the expertise and tools in-house to combat the problem. For some, a cyber breach could cause them to go out of business, not only through potential financial loss but also through damage to their reputation and the subsequent fall in confidence.”
The existential threat that cybercrime represents to SMEs is an argument for more strategic and rigorous protection. Professional services companies, with their imperatives for quality and client accountability, have an opportunity to lead the way in this, while highlighting a crucial fact about cybercrime. “It is a strategic business issue, not just an IT issue,” says Olga. “Service offerings that provide proactive advice and insight are becoming more essential, for example risk assessments, training and awareness, plus incident and breach response management.”
READINESS IS KEY
Many firms have cybersecurity expertise, but the ones that combat attacks most effectively are those with a cultural readiness and framework in place. This may take many forms, but at its heart is a recognition that responsibility begins at the top. “Boards that choose to ignore cybersecurity do so at their peril,” says the US Securities and Exchange Commission (SEC) commissioner Luis A. Aguilar.
A framework developed by the National Institute of Standards and Technology (NIST) – a US federal technology agency that works with industry to develop and apply technology, measurements and standards – works to five key principles underlying the overall approach: identify, protect, detect, respond and recover.
Firms should ask themselves: ‘Is there a cybersecurity plan?’ ‘Has accountability for cybersecurity been assigned to a senior executive?’ ‘Have employees been trained on cyber risks they need to be alert to?’ If the answers to these questions are yes, they are taking the issue seriously, but need to continuously apply and evaluate the measures to stay effective.
Knowledge of the main types of attack is vital for SMEs. For professional services, two key threats are ransomware and business email compromise. The first is a malicious encryption of files where perpetrators demand ransom for decryption. It can be triggered internally – a single misconfiguration, improper file permission setting or uneducated employee is all it takes to deploy it. Business email compromise is a type of phishing where an email impersonating someone with authority sends a request to an employee, tricking them into making a transaction.
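As an added illustration (not part of the original article, and not a tool of UHY or any firm named here), the short Python script below applies the warning signs of business email compromise described above to a few constructed messages: a display name that matches an executive while the address is external, a sender domain that is a near-copy of the company's own, a reply-to address on a different domain, and wording that pairs a payment request with urgency or secrecy. The company domain, the executive directory and the sample messages are all assumptions made up for the example.

```python
"""Heuristic triage of inbound mail for business email compromise (BEC) signs.

Added example, not from the original article. Every domain, name and message
below is constructed for illustration.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr

COMPANY_DOMAIN = "example-firm.com"  # assumed internal domain (placeholder)

# Assumed directory of people likely to be impersonated: lower-case name -> real address.
EXECUTIVES = {"jane doe": "jane.doe@example-firm.com"}

PAYMENT_CUES = ("wire", "transfer", "payment", "invoice", "bank details")
URGENCY_CUES = ("urgent", "immediately", "asap", "today", "confidential", "do not discuss")


def _domain(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def lookalike_domain(domain, reference=COMPANY_DOMAIN):
    """True when the domain is not the reference but closely resembles it (e.g. examp1e-firm.com)."""
    if domain == reference:
        return False
    return SequenceMatcher(None, domain, reference).ratio() >= 0.8


def triage(message):
    """Return a list of human-readable reasons the message looks like BEC; empty means no sign found."""
    name, address = parseaddr(message["from"])
    domain = _domain(address)
    reasons = []

    # 1. Executive's display name on an address that is not the executive's real one.
    real = EXECUTIVES.get(name.strip().lower())
    if real is not None and address.lower() != real:
        reasons.append("display name matches an executive but the address differs")

    # 2. Sender domain is a near-copy of the company domain.
    if lookalike_domain(domain):
        reasons.append(f"sender domain {domain} resembles {COMPANY_DOMAIN}")

    # 3. Replies are silently routed to a different domain than the visible sender.
    reply_to = parseaddr(message.get("reply-to", ""))[1]
    if reply_to and _domain(reply_to) != domain:
        reasons.append("reply-to points to a different domain than the sender")

    # 4. Payment request combined with pressure to act quickly or quietly.
    body = message["body"].lower()
    if any(c in body for c in PAYMENT_CUES) and any(c in body for c in URGENCY_CUES):
        reasons.append("urgent or secret payment request wording")

    return reasons


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@example-firm.com>",
     "body": "Please find the agenda for Thursday's partners meeting attached."},
    {"from": "Jane Doe <ceo.janedoe@gmail.com>",
     "body": "I need you to process an urgent wire transfer today. Keep this confidential."},
    {"from": "Accounts <ap@examp1e-firm.com>",
     "reply-to": "ap@mail-outbox.invalid",
     "body": "Updated bank details for invoice 4471 attached, please pay immediately."},
]


def triage_samples():
    """Run triage over the constructed samples and return one reason list per message."""
    return [triage(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, reasons in zip(SAMPLE_MESSAGES, triage_samples()):
        print(msg["from"], "->", reasons or ["no BEC signs"])
```

Heuristics like these are a triage aid, not a verdict: the operational control the article's sources describe is training staff to confirm any payment instruction out of band, and a script such as this only helps decide which messages deserve that second look first.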
In April 2016, the US Federal Bureau of Investigation (FBI) warned of a dramatic increase in business email compromise. David Hartley, who runs the technology advisory service for UHY member firm UHY Advisors, St Louis, US, says staff can be a company’s weakest link or its first line of defence. He says, “In our client base, criminals are increasingly focused on exploiting the human element of cybersecurity through tactics like phishing, spear-phishing and social engineering.
“It used to be that we could count on our technology to protect us through firewalls, antivirus protection and so on. Now criminals are trying to trick the humans using the technology rather than exploiting the technology itself.”
For UHY member firms responsible for storing and handling their own sensitive data and that of clients, people are a crucial asset against cybercrime. David says, “The importance of protecting our clients will be reinforced through monthly training that all UHY employees in the US will be required to complete.”
Cybercrime is clearly an issue that can strike any firm at any time, though SMEs are most vulnerable – but are there also global hotspots?
Research from security company Mandiant suggests that Asian organisations are 80% more likely to be targeted by hackers than other parts of the world. The reason is that the median time between a security breach and its discovery in Asia is 520 days, the study claims, or three times the global average. Hackers target Asian companies not because they offer the best returns, but because they present fewer obstacles to lucrative data.
The US tends to top lists showing the wider financial costs of cybercrime, with European countries and China, Brazil, Russia, Japan and India high in the rankings, but no country is immune. Last year the UN estimated that cybercrime affects more than 431 million adult victims globally and has grown into a lucrative transnational business, with returns that may exceed three trillion US dollars a year.
“In India we have seen an increase of over 300% over the past few years,” says Sunil Hansraj, joint managing partner of UHY member firm Chandabhoy & Jassoobhoy, Mumbai, India. “We hear almost daily reports on ATM frauds, web payment portal frauds and corporate server hacking. At our firm, important client-related data is normally maintained directly by partners in a secured storage set up normally as encrypted/password protected data with restricted access.”
BACK DOORS TO DATA
The increasingly global and interconnected nature of business has only widened cybercrime’s impact. To an increasingly sophisticated subsector of cybercriminals, often with links to organised crime, SMEs are not only vulnerable in themselves but also represent a potential backdoor into the larger organisations they supply and service.
“Sometimes, small companies are more prone to hacking attempts, especially if they are part of a supply chain for a larger organisation,” says Bogdan Botezatu of Bitdefender, a global security company based in Romania. “Attackers will often target a smaller contractor of a large organisation, in order to escalate its privileges and try breaching the larger business.”
When smaller companies are digitally connected to larger ones, the results can be ruinous. The Target attackers bypassed the retailer’s frontline security and accessed its network via one of its air conditioning contractors.
While it is true that cybercrime is a large and growing threat, businesses can manage their exposure and most are only as vulnerable as they allow themselves to be. “Cyberattacks, malware and system vulnerabilities have been mystified beyond all reasonable analysis,” says Ian Trump, global security lead at cloud service provider LOGICnow.
“In fact, the most effective IT strategies against all unknown and known threats are generally the same. Patch and update the operating system, patch and update third-party applications, restrict administrative access and use malware defences.”
PROTECTING OUR NETWORK
Cybersecurity initiatives take place across the UHY network. Colin Jones, partner at UK member firm UHY Hacker Young, London, UK, believes simple strategies for reinforcing security messages make a huge difference. A written information security code is regularly reinforced by training, along with the recognition that cybersecurity is a company-wide responsibility rather than just an IT issue.
“Clients have an expectation that given the size of our global network, and as a professional services organisation dealing with confidential client information, our member firms will have robust cyber security measures in place,” he says.
Information and training are being matched by investment in state-of-the-art security technology. A report by Oxford University’s Saïd Business School concluded that Mexico’s financial sector is becoming increasingly attractive to cybercriminals.
“One critical change has been upgrading our firm’s infrastructure with an emphasis on enhancing information security,” says Oscar Gutierrez, managing partner of UHY Glassman Esquivel y Cía. S.C., Mexico. “So, we acquired perimeter security and specialised filtering equipment for incoming and outgoing connections.”
UHY Mexico also offers clients a physical connection, via an implant at their offices, to the firm’s secure network. “This way they can protect and manage all their information on our servers without compromising their security,” says Oscar.
Companies are becoming more demanding in evaluating the cybersecurity readiness of their business partners. They may seek additional assurance in a service auditor report, or even send in their own auditors to review the company’s cybersecurity programmes.
UHY Advisors in the US offers cybersecurity audits for its enterprise customers, testing client networks against recognised benchmarks. For middle market customers, the firm performs cybersecurity risk assessments and can help establish a cybersecurity programme.
Marcello Reis, partner at UHY Moreira, Brazil, says cybersecurity services for clients are a vital part of the firm’s offering. “As well as our own measures to protect data, we have a team of specialists in information security audit and advisory, and we are accredited by the Brazilian Internal Revenue Services (Receita Federal), which also controls and regulates all international trade. We provide advice to large and medium-sized multinationals in Brazil in order for them to get access to a special customs regime that speeds up the import and export processes, while tightening IT security.”
RISK AND REWARD
Cybercrime offers both threats and opportunities – some estimates put global cybersecurity spend at USD 170 billion by 2020. As awareness of cybercrime grows, companies that can offer cybersecurity services will always enjoy a significant competitive advantage.
“No business is free from risk, whatever its size. We need to be in a strong position to deal with the issues and threats involved with cybersecurity and advise clients on best practice,” says Colin Jones.
READY OR NOT?
NIST framework for winning the cybercrime war
Identify: develop organisational understanding to manage cybersecurity risk to systems, programmes, assets and capabilities
Protect: develop activities and controls to ensure delivery of critical infrastructure services
Detect: develop activities and controls to identify the occurrence of a cybersecurity event
Respond: develop activities and controls to take action on a detected cybersecurity event
Recover: develop activities to maintain plans for resilience and restore services impaired by a cybersecurity event
Notes for Editors
Tel: +44 20 7767 2621, or email: firstname.lastname@example.org