The lion’s share of surveyed IT decision-makers at large multinational corporations may be aware that employees are being used to gain access to information, but about half of respondents do not have a cyber security strategy to prevent such behaviour.
That is just one of the findings in Taking the Offensive – Working together to disrupt digital crime, a new report released Tuesday by communications services company British Telecommunications plc (BT) and KPMG LLP.
Findings are drawn from interviews conducted in partnership with Vanson Bourne with directors responsible for IT, resilience and business operations at major companies in the United States, the U.K., Singapore, India and Australia, notes a joint statement.
Specifically, the report found that while 94% of polled IT decision-makers are aware that criminal entrepreneurs are blackmailing and bribing employees to gain access to organizations, less than half (47%) admit that they do not have a strategy in place to prevent it.
Results suggest the industrialization of cyber crime is disrupting digital enterprises, with BT and KPMG citing emerging threats from profit-orientated and highly organized cyber criminal enterprises. “Against a backdrop of proliferating attack tools and increased sophistication on the part of cyber criminals, businesses of all sizes are struggling to keep their data and systems secure,” the report states.
“The industry is now in an arms race with professional criminal gangs and state entities with sophisticated tradecraft,” Mark Hughes, CEO of security for BT, says in the statement. The 21st-century “cyber criminal is a ruthless and efficient entrepreneur, supported by a highly developed and rapidly evolving black market,” Hughes continues.
The situation is of concern given the fact that survey results show only a fifth of the polled IT decision-makers are confident that their organization is fully prepared against the threat of cyber criminals. “The vast majority of companies feel constrained by regulation, available resources and a dependence on third parties when responding to attacks,” the joint research indicates.
In addition, nine of 10 respondents report they believe they face obstacles in defending against digital attack, with 44% being concerned about the dependence on third parties for aspects of their response.
“It’s time to think differently about cyber risk – ditching the talk of hackers – and recognizing that our businesses are being targeted by ruthless criminal entrepreneurs with business plans and extensive resources – intent on fraud, extortion or theft of hard won intellectual property,” advises Paul Taylor, UK head of cyber security for KPMG.
To gain real insight, it is key to “think about credible attack scenarios against your business and consider how cyber security, fraud control, and business resilience work together to prepare for, and deal with those threats,” Taylor says in the statement.
“If that’s done, then cyber security can become a mainstream corporate strategy as a vital component of doing business in the digital world,” he adds.
“Businesses need to not only defend against cyber attacks, but also disrupt the criminal organizations that launch those attacks,” Hughes points out. “They should certainly work closer with law enforcement as well as partners in the cyber security marketplace.”
Findings further suggest the security role and accountability for it are being re-examined. Chief digital risk officers (CDROs) are now being appointed to hold strategic roles that combine digital expertise with high-level management skills.
Other survey findings include the following:
- 97% of respondents experienced a cyber attack, with half reporting an increase in the last two years;
- 26% of respondents confirm a CDRO has already been appointed;
- 55% of respondents have seen an increase in cyber attacks, but only 23% have insurance cover in place to cover the cost of a major incident;
- 71% of respondents have procedures in place to review the tools and strategies deployed by cyber criminals, but only 30% understand them;
- 73% of respondents say digital security is on the board agenda, with 54% having also educated their directors; and
- 60% of polled decision-makers report that their organization’s cyber security is currently financed by the central IT budget, while 50% think it should come from a separate security budget.
A major challenge remains the funding and scale of R&D spending that “criminals can bring to bear on breaching the defences of target companies,” the statement adds.
That said, the report – which lists examples of the many forms of criminal attacks encountered by global organizations, and describes the business models favoured by the criminals – concludes “the need to change mindset and to regard security not simply as a defence exercise. It is, in fact, the enabler that facilitates digital innovation and, ultimately, drives profit.”
To counter criminal activity, the report states, “businesses must be at least as agile and as flexible as the attackers, and there are clear challenges.”
Despite the challenges, though, “collaboration provides a way forward,” it notes. “By collaborating, businesses, government and law enforcement can share intelligence, resources and best practices and in doing so match the agility of criminal gangs,” the report adds.
“New thinking is required and the first step is to understand the digital criminal in terms of motive, modus operandi and how they intend to cash out,” Sir Michael Rake, chairman of BT Group Plc, notes in the report’s foreword. “The next step is to turn that understanding into a cohesive and effective response,” Rake states.
“By working with government, law enforcement, peers inside their sectors, organizations in other sectors and security specialists, businesses can make it harder and more costly for criminals to operate,” he suggests. “Security is not competitive. Digital crime is making it difficult for all businesses to fully exploit the new digital technologies that fuel growth and drive profit. By working together, we can turn the fight back on the criminal attackers,” Rake adds.
Strategy for making cyber attack harder and less profitable
In addition, the report makes the following recommendations with regard to rethinking the digital security threat:
- gather intelligence on changing criminal tactics and new threats – employees and clients are often the best way of detecting attacks, so ensure they know how they might be targeted, be an informed customer for cyber intelligence, demand actionable intelligence and look to the company’s own security team to tailor it to the company’s needs and business model;
- think like a criminal – working with the organization’s management team, identify the information and assets criminals would want to target and why that would be; and
- build out strategies to focus investment on getting the basics right in terms of protecting the most sensitive information and being able to respond if it is compromised.