This article was first published in the April 2013 International edition of Accounting and Business magazine.
If asked to picture a crime scene, most people conjure up a vision of flashing police lights, splattered blood and barriers of plastic tape. But this image is behind the times, says Cy Vance, Manhattan district attorney. ‘The crime scene of this century is the internet,’ he warned, speaking at an ACCA conference in New York at the end of February. ‘As the high-tech and digital world becomes more sophisticated so do criminals who are using technology to take advantage of unsuspecting victims.’
Vance’s worry is borne out by a flurry of data detailing a sharp rise in IT attacks. As many as 71 million people in the US suffered from cyber attacks – costing them around $21bn in damage – according to CNET.com. A study by Deloitte reported that costs related to cybercrime had climbed to nearly $6m a year on average for the companies they surveyed, while computer attacks on the US government had multiplied more than six-fold in recent years. And the US is far from alone.
Across the globe, computer crooks have become a menace that companies ignore at their peril, according to a panel of experts who spoke at the ACCA conference at Pace University in New York. The aim of the gathering was to help companies work out how to protect themselves from this new generation of digital delinquents. But experts are also clear that businesses will need plenty of help from government, law enforcement and universities.
The greatest vulnerability, said ACCA chief executive Helen Brand, is often among mid-sized companies. ‘Very large and complicated organisations at least have the resources to invest heavily in defending themselves,’ she argued. Meanwhile, smaller companies are less often targets and have small systems, so that any threat is easier to contain. The biggest challenge instead lies with the medium-sized companies, which can afford fewer IT specialists to protect them, yet make a tempting target for criminals. Closing this gap requires leadership from the very top of an organisation, Brand said. This is not an issue that can be left solely to the technology team.
One alluring but possibly deceptive short-cut for companies is cyber insurance. This is not the panacea it initially seems, said Kelly Bissell, a principal at Deloitte & Touche. ‘Cyber insurance is still in its infancy,’ he told the audience. Most policies will not fully cover the costs resulting from an IT breach. Worse still, if the insurer can prove that the company neglected to institute proper measures to defend itself, they can refuse payment. So far, only around a fifth of companies have bought specific insurance against cyber attacks, according to Zurich Insurance.
Instead there is no substitute for taking more direct action. Many companies have not been sufficiently pro-active, according to recent surveys. One Harvard Business School Review found that, while three-quarters of respondents expressed concern about IT security, only 16% had designated a tech chief to oversee cyber risks. Less than half had increased their spending to protect against attacks.
The price of apathy
Such neglect could cost companies dearly. ‘Criminals are looking for easy targets,’ argued Christopher Novak, who co-founded the investigative response unit for phone company Verizon. As a result, the least diligent companies can become a magnet to criminals. Merely meeting the standards set by regulators does not guarantee safety. Even companies that spend lavishly on top-quality software to defend their IT systems, Novak warns, often then neglect the basics, including the quality of firewalls. This, he says, is much like a home owner installing a state-of-the-art alarm system only to leave their front door open.
It is also not sufficient just to be vigilant to outside threats. After all, a business’s own employees have the greatest access to information. That raises the challenge of how to vet insiders with access to sensitive information. This is even a problem for the US government, which has elaborate mechanisms for checking out potential employees for security clearance. One ever more common stumbling block for individuals seeking security clearance is a poor credit score, which might make people financially strained and therefore tempted by the easy money offered by criminal activity. This raises the possibility that companies too may need to probe more deeply into the background of key staff.
Suppliers are frequently another weak point in a company’s defences. ‘The bad guys may think it is too difficult to hack into a big company, so they will target a supplier,’ warned Bissell. Large businesses need to keep tabs on the quality of security systems of suppliers – demanding proof that they are taking adequate precautions. This can be especially difficult when dealing with overseas contractors. A vast amount of company data is now stored in India and other developing countries, making them a prime target for assault.
ACCA’s Global Economic Conditions Survey showed that India ranked second among the countries most worried about cybercrime. ‘If you think about where information is being held, there is so much outsourcing to this kind of market that cyber legislation in the US will not be enough,’ said ACCA’s Brand.
Card fraud abounds
A key message from the conference was that companies need to be especially vigilant when devising methods of payment. For a start, financial institutions have been trying to reinforce the security of existing forms, such as credit and debit cards. One great hope is the introduction of chip-and-pin technology for the US, a device already prevalent in the UK. This is a vulnerability that criminal gangs have been exploiting, taking stolen cards from Europe across the Atlantic. The US payment industry has aimed to plug this technological loophole by 2015.
Still, most experts on the ACCA panel were sceptical that this target would be achieved. More importantly, experts doubt that this will do more than plug one leak of many. As one technology becomes more fortified, IT villains move on to the next one. That is a big problem, since payment methods are constantly evolving. Tech experts believe that consumers will increasingly move towards paying with cell phones.
‘Every new way of paying for something is vulnerable,’ warned Deloitte’s Bissell. ‘The criminals try to stay on the cutting edge. This means we need to identify the vulnerabilities before a new method goes to market.’ His accounting firm encourages clients to talk to them about new payment offerings before they go live.
Of course, there is only a limited amount that companies can do alone to protect themselves. Wise ones will make full use of law enforcement to help. The stigma associated with being the victim of a cybercrime has meant many companies are wary of admitting their security has been breached. An added worry is that calling in the police will be highly disruptive, with officers ripping out servers and dragging them away to distant crime labs.
Such fears are misguided, said David Szuchman, executive district attorney, chief of the investigation division at Manhattan District Attorney’s Office. ‘We work collaboratively with companies,’ he pledged. That said, law-enforcement officials still have much work to do to fully get this message across. An unwillingness to alert the authorities can have disastrous results. One common problem is that companies wait too long before involving the authorities and in the meantime inexperienced IT staff obliterate the evidence needed to prosecute the perpetrators. This can be equivalent to erasing all incriminating fingerprints and cleaning up all blood and fibre samples before the police arrive.
In all nations, the police need to evolve as fast as the criminals. Law-enforcement officials need to be trained, not only in technology, but also in the law and business. There are new procedures on how to ‘tag and bag’ evidence so that it can be used in court. Without such efforts it will be impossible to clamp down effectively on criminals and call them to account.
The international nature of cybercrime is another reason why government and law enforcement are essential in the fight. Tracking down and stopping IT bandits spread across the globe demands a concerted effort by states. The countries of the former Soviet Union are a particular hotbed of criminality as there are large numbers of well-educated IT professionals with few legitimate opportunities.
This makes life hard for the police in rich countries since they do not generally have extradition treaties with these states and domestic criminal laws are weak or non-existent. ‘How do we get the hacker that is sitting in Belarus or Ukraine or Kazakhstan?’ asks Szuchman. At present, he complains, the only solution is to lure them to countries where they can be arrested.
A longer-term solution would be for rich nations to sign treaties with other governments to enable raiders to be prosecuted, wherever they are. That would require a concerted diplomatic drive by governments in North America and Europe. Cyber villains are becoming more prevalent and sophisticated. Still, there is optimism that, if companies and governments take the threat seriously, the tide can be turned.
Christopher Alkan, journalist based in New York