July 3, 2016 by Angela Stelmakowich, Editor
What can one get for $6 nowadays?
A fancy coffee? Half of a movie ticket? Or, maybe, access to a compromised server to wreak whatever havoc suits one’s financial aspirations.
Cyber security firm Kaspersky Lab reported in June that its researchers had uncovered a global forum that allows cyber criminals to buy and sell access to compromised servers for what amounts to spare change. Many servers host or provide access to popular consumer websites and services.
At the time of Kaspersky’s announcement, the xDedic marketplace – complete with live technical support, special tools to patch hacked servers and profiling aids – listed 70,624 hacked remote desktop protocol servers for sale from 416 unique sellers in 173 countries.
It may simply be a sign of the times – a time when data is king, service is embedded in crime and entrepreneurial endeavours are not always above board.
Combine that with today’s reliance on technology, automated systems and interconnectedness, as well as the slippery challenge of estimating how big cyber risk truly is or could be, and today may not seem a friendly time for organizations looking to keep information secure.
A recent survey from British Telecommunications plc and KPMG LLP shows that while 94% of polled IT decision-makers are aware that criminal entrepreneurs are blackmailing and bribing employees to gain access to organizations, 47% admit they do not have a strategy in place to prevent it.
Results suggest industrialization of cyber crime is disrupting digital enterprises, thereby making it tough for businesses to exploit digital technologies that may help spur growth and profit.
The report cites emerging threats from profit-orientated and highly organized cyber criminal enterprises. The 21st-century “cyber criminal is a ruthless and efficient entrepreneur, supported by a highly developed and rapidly evolving black market,” says Mark Hughes, BT’s chief executive officer of security.
It is a sobering message, perhaps more so because of the current state of readiness and preparedness. Earlier this year, Cisco reported just 45% of polled organizations worldwide are confident in their security posture given cyber attackers’ ability to now launch more sophisticated, bold and resilient campaigns.
And given the amount of time needed to detect cyber crime (survey respondents report 100 to 200 days), plenty of damage can be done while business is continuing as usual.
Here at home, Deloitte Canada reported in December that only one in five polled Canadian companies report being prepared to effectively respond to a cyber attack.
Add to that the fact that just 36% of respondents say their businesses have in place effective procedures and technologies to protect critical assets.
Nothing is perfect, true, but tools and practices are available to combat the threat. Use of both – coupled with equal portions of common sense and vigilance – can certainly help.
Beyond that, education, especially on the front lines and among those who may be targeted for social engineering, is critically important.
“If the company views cyber security as an IT or a technology-only issue, they leave themselves open to that first line of defence – their employees, their contractors, their customers – to that area of vulnerability,” David Craig, a partner in PwC Canada’s cyber security and privacy practice, told Canadian Underwriter at an event earlier this year.
Wombat Security Technologies emphasizes the need to use employees – in a positive way. Having staff become advocates of cyber security would help reduce associated risks and better protect the businesses for which they work, suggests president and chief executive officer Joe Ferrara.
“As more and more organizations work to educate their employees about the dangers of poor cyber hygiene, we will begin to see more and more consumers who are better-equipped to identify cyber threats,” Ferrara predicts.
That could only help to ensure all concerned are, in fact, a little more secure.