Cyber Crime Update 2016

Attack Volume is Proliferating

Patrick Morin, Risk and Business Advisory Principal
Updated January 2016

In a recent bulletin Hewlett Packard noted the volume of cyber attacks had risen 176% between 2010 and 2014 and a recent survey conducted by Ponemon found that 90% of businesses had experienced a breach in the past 12 months. Cybercrime is no longer a concern just for well-known businesses and high value government targets. The automation of attacks, the availability of training and proliferation of off-the-shelf malware has expanded the number of hackers and the number of attacks each can conduct simultaneously. Unfortunately, there is little good news in the realm of cybercrime, but business leaders must prepare their organizations and understand the threats they face.

Trends in Cyber Crime

The growing number of devices connected to networks and the precision of new social engineering tactics are two new but quickly maturing network vulnerabilities. These trends have two main effects on network security: increasing the number of access points and vulnerabilities on a network, and enabling hackers to develop more creative and sophisticated methods for stealing user credentials. Together they are forming a more complex environment for Information Security professionals to protect and monitor.

Internet of Things (IoT) –The internet is expanding to manufacturing machinery, cars, printers, security cameras, refrigerators, thermostats and even door locks. Businesses need to remember that every additional device connected to a network is a potential entry point for hackers. Unfortunately, many of the IoT devices do not have sufficient prepackaged security. Password requirements are weak, software is often exposed to user interface high-jacking and typically the software lacks data encryption (software updates can even be edited on some devices).

Mobile and BYOD– Businesses are transferring a growing number of work functions to mobile devices from online banking to data storage, attracting attention from hackers. Mobile security is still lacking and a large majority of mobile activity remains inadequately managed. Many devices do not use their locking functionality; only 1 in 4 have remote wipe capability and up to 11.6 million devices are infected at any time. Further, there are more opportunities to install malware on devices shared between personal and business use due to heightened exposure from dual usage. Once installed, malware can steal an array of credentials across personal and business applications making other more consequential types of cyber-attacks easier for hackers.

Spear Phishing – Social engineering has evolved from email spamming into a sophisticated attack combining malicious software and online data mining in order to manipulate natural human tendencies. Hackers have been known to exploit emotions and work/personal relationships, and to identify individuals whose characteristics predict they may be more likely to succumb to an attack. Hackers will gather highly personalized information about a target employee and their organization to launch an attack that includes emails, phone calls and in extreme cases face-to-face interactions. Linkedin, job postings and other business networking sites provide hackers readily available information about everything from the technologies a company uses to which employees are the most valuable targets. These highly personalized attacks are difficult to detect and prevent. As a result, companies need to be vigilant about monitoring what company and employee information is available online, providing adequate employee training and implementing stringent user access controls to limit damage if an employee’s account is compromised.

What Organizations Should Do

It is an unfortunate fact that a determined perpetrator will be able to find a security hole within any Network. However, this does not mean organizations should not take steps to secure their systems; they need to employ a multi-tiered approach to network security similar to what is described in the chart below. Organizations need to evaluate their key vulnerabilities, protect their networks with industry standard security, and then constantly monitor activity to identify attacks as soon as possible. This approach does not guarantee an invulnerable network, but will help minimize the impact of an attack and give businesses the best chances to emerge unscathed from a breach.

image

If you have questions or would like to discuss this further, please contact Patrick Morin or your BNN professional at 1.800.244.7444.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.