The speed of technology change and the colonisation of the workspace by personal and mobile devices have allowed cyber-criminals to outsmart businesses by targeting their staff
It wasn’t meant to be this way. The internet was supposed to diminish barriers to communication and information, and level all sorts of metaphorical playing fields, but as well as the benefits it has also brought hackers, trojans, viruses, worms and all sorts of cyber-nastiness.
As for those level playing fields, well, they may have democratised the internet but they have also created a vast new risk landscape, with such joys as the ‘selfie’ exemplifying technology’s mixed blessings. We want the world to see us as we see ourselves, and because smartphone self-portraits provide a fast, cheap and simple way to achieve this, the phenomenon has gone global. So have the consequences.
Nelson Mandela’s funeral may have been an opportunity to celebrate his life, mourn his passing and reflect on his achievements, but media coverage was dominated by a selfie of Danish prime minister Helle Thorning-Schmidt, flanked by US president Barack Obama and British prime minister David Cameron. Cue eagerly anticipated thumbs up and heart-shaped emoticons.
As with many trends that characterise our love affair with mobile technology and social media, familiarity can create a false sense of security. Many of us are so beguiled by the prospect of instant affirmation, so enamoured of the power at our fingertips, that we forget to think before we click – exposing individuals, organisations and entire countries to all sorts of risks. Because while we are using our new best friends to relentlessly collect, store and share vast amounts of personal and professional information, cyber-criminals are just as relentlessly developing new ways to exploit this.
Targeted attacks are on the rise and corporates are breached on a daily basis, often unaware that valuable information has been compromised or stolen. ‘If the perfect crime is one that goes completely undetected, then corporate cybercrime is it,’ says Dana Tamir, enterprise security director with IBM security company Trusteer. ‘Cyber-criminals are quietly and anonymously rummaging through corporate accounts for confidential data, leaving without a trace, and then using or selling the information for economic gain.’
And we all do our bit to help them out. Tamir says: ‘Cyber-criminals have found that compromising employee endpoints is a far simpler path into the corporate network than a direct network attack.’
Workforce use of personal smartphones and tablet devices is the norm in many organisations, often without validation of the business case or appropriate safeguards, and despite the devices’ inherent insecurity. Tamir explains: ‘Vulnerabilities allow cyber-criminals to secretly install malware on the employee endpoint device and essentially gain the same level of corporate network, application and data access as the employee.’
It’s not the only way for cyber-criminals to infiltrate corporate networks, of course. Phishing remains an effective and popular method for luring individuals to compromised websites and fooling them into downloading infected files. Warnings and widespread awareness of the dangers of clicking on unfamiliar links and opening suspicious file attachments do not seem to deter people from doing so. ‘End users are not completely to blame,’ says Tamir, because cyber-criminals have got better at disguising their intentions, and smuggle malware in on the back of social media scams, fake surveys, free gift offers and must-see videos.
Almost anybody can be snared by a new technique called a ‘watering hole’ attack, which compromises websites that cater to a particular audience. So while a high-tech R&D facility or outsourcing service provider may have impressive levels of logical and physical security, cyber-criminals can compromise much less secure websites (such as local services) that staff may be visiting as a way to find those employees and compromise their personal devices.
And it isn’t just tactics that are evolving. So is the nature of cybercrime and the profile of the typical cyber-criminal.
‘Hackers used to attack for fame or fun,’ says Alex Lei, director of security sales, Symantec Asia South, but other motives have become more common. Kapil Raina, senior director of product marketing with security specialist Zscaler, adds: ‘Attackers have evolved from individuals motivated by curiosity to well-funded criminal organisations seeking profit.’ Recent analysis by Verizon found that financially motivated cybercrime makes up 75% of all data breaches, and that 20% of breaches are state-driven.
Last year Kaspersky Labs uncovered one cyber-espionage campaign, dubbed NetTraveler, which compromised more than 350 victims in 40 countries. ‘They’re just one big ugly gorilla with a thousand faces and we haven’t seen all of them yet,’ says Costin Raiu, head of Kaspersky’s global research and analysis team. Cyber-espionage targets typically include government agencies, military contractors, and companies in comms, health, nanotechnology, energy, professional services and space exploration.
While attacks on large corporates and government agencies grab the headlines, smaller entities are also at risk. According to Symantec, 31% of all targeted attacks involve companies with fewer than 250 employees – so if you think your business is too small to be attractive or you don’t have anything worth stealing, think again. An attack on a large enterprise may offer greater rewards than an attack on a mid-sized or small business, but the likelihood that smaller businesses will be less careful about their cyber defences does wonders for their appeal to attackers.
Even the smallest organisation merits the attention of cyber-criminals if it stores and processes credit and debit card data and other identifiable information on businesses and individuals. Theft of digital information has already overtaken physical theft as the most commonly reported fraud. As ever more products and services are provided, sourced and accessed online, and mobile devices proliferate, so the security of data and systems is becoming increasingly complex and their governance increasingly important.
In the face of all of this, an effective and proportionate plan of action is a must (see box). As highlighted in the recent ACCA report Digital Darwinism (see 'Related links'), technology is evolving faster than many individuals and organisations can adapt. ‘It is hardly feasible any more to have in-house experts capable of keeping track of fast-moving developments,’ says Rainer, who suggests that external expertise is now essential.
For the finance profession, this presents challenges and opportunities. Dr Darren Hayes, an infosecurity expert at Pace University, finds more accountancy firms branching into ‘the lucrative areas’ of IT risk assessment, fraud and investigations, cybersecurity, privacy and compliance. ‘I meet accountants who no longer use their accounting expertise because of this diversification,’ he says.
Accountants in business are broadening their horizons too. Joint ACCA and IMA research during 2013 found cybercrime alongside cloud, mobile and big data on a list of technologies looming progressively larger in the remit of CFOs.
ACCA chief executive Helen Brand says: ‘Who would have thought 10 years ago that technological trends would become part of the CFO role? But they are and will continue to do so.’ She suggests that we could see the rise of the CTFO – ‘a chief finance and technology officer with a seat on the board’. It’s certainly time that somebody made cybersecurity a board-level concern. Though if we are to combat emerging cybercrimes effectively, and catch and punish attackers, collaboration between companies, industries and governments will be required – and politicians may need to put their heads together to do more than take a selfie.
This article was first published in the March 2014 UK edition of Accounting and Business magazine.
Lesley Meall, journalist