SINGAPORE (May 7): More than two million malware attacks are launched every day across the world. And as cyberattacks continue to rise, so-called cybercriminals are getting increasingly sophisticated and are offering cyberattacks as a service, according to industry experts.
In a recent report detailing the impact of cybercrime, think-tank Center for Strategic and International Studies and computer security firm McAfee highlight that cybercrime costs the global economy US$600 million ($802 million) annually, or about 0.8% of the world’s GDP. More than two billion people, or two-thirds of internet users, have had their personal information stolen or compromised. One survey found that 64% of Americans have been victims of fraudulent charges or loss of personal information.
At a recent roundtable on cybersecurity hosted by The Edge Singapore, McAfee chief technology officer for Asia-Pacific Ian Yip notes that cybercrime is the third-highest crime committed globally, after corruption and narcotics trafficking. Cybercrime attacks, which include cyberespionage and the theft of intellectual property and confidential business information, are growing because criminals are quick in adopting new technologies. Many are also becoming more financially sophisticated and able to monetise cybertheft. At the same time, there are more internet users coming online, many of whom tend to be from developing countries with weak cybersecurity. What else should businesses know about cybercrime? How will attacks affect businesses, and indeed the economy, in the longer term? Are business owners prepared to deal with cyberattacks?
Attack kits on offer
According to Yip, about 50% of all threats identified are the work of cybercriminals. And, despite expectations otherwise, ransomware attacks have increased 59% y-o-y. Separately, 10% to 20% of all threats are state-sponsored. A worrying trend, Yip highlights, is cybercrime being offered as a service. “It vastly lowers the barriers to entry for a criminal,” he says. “It doesn’t cost very much. The average criminal who doesn’t know anything about attacking a system can buy a malware exploit kit or pay a cybercrime provider. You can buy identity records in the dark web for US$20.”
Andrew Hobby, vice-president of Cisco Asia Pacific and another panellist at the cybersecurity roundtable, notes that new technologies available to legitimate organisations to improve operations, or to ward off cyberattacks, are also being used by criminals. “A lot of what we are hearing today, around machine learning and artificial intelligence, are not only giving organisations the ability to respond quickly and be effective in their response, they are actually being used against them as well,” he says. In fact, an attack may no longer depend on someone clicking on a link or email that has been embedded with malware. “What has started happening a lot more in the last couple of months is, these threats can move within the organisation without [anyone] having to interact with them,” Hobby explains.
Yet, any attack is almost certainly going to be in a new form. “If it’s been seen before, it’s probably been [acted on] earlier on.” One way of identifying and responding to a new threat is to trace the way it behaves, such as what it targets or how it moves through a system. “We are building capabilities able to identify those things,” Hobby adds. “You may not understand that particular signature or that particular threat, but you know how things are likely to behave and you look for behaviour around these threats.”
High likelihood of being caught by phishing
One of the first, and most important, steps in preventing cybercrime is education on cyberattacks. One of the most common starts to an attack, for instance, is through a so-called phishing event, where an individual provides a username and password, or other confidential information, through an electronic communication, such as an email, that is sent from a malicious source disguised as a legitimate one. “[Getting hold of a] username and password is one of the weakest points that we have,” says Gerry Chng, cybersecurity leader at consultancy firm EY. “It’s been around ever since computers have been invented.”
Yet, experts also acknowledge that despite education efforts, it is highly likely someone will fall for a phishing event. Is there a way out? “For us, it’s a three-step process,” says Hobby. “First, to reduce the temptation, you have to remove as many of those phishing emails from your people as you can and there are technologies to do that. Second, educate people on how to respond when they get one of them: how to identify it and how not to click on it, how to resist the temptation. And third: when you do click on it, how do you see whether the intent of that email is malicious, or not?”
“At Cisco, we take it to the next level. We send our own staff phishing emails,” Hobby adds. “When they click on it, it’s about education. We’re actually testing them as well, so it’s a difference between a theoretical notion of something that might happen and something that actually happened.”
The top takes responsibility
How should business owners react to an attack? Over the past year, companies that have had their systems breached have had to walk a tightrope between finding out what happened and securing their systems and informing their customers, and the public, about the attacks in a timely way.
In April, it emerged that about five million customers of major US department stores Saks Fifth Avenue and Lord & Taylor had their credit and debit card information stolen in a breach that began a year ago. Four years earlier, another major US retailer, Target, first announced that hackers stole data from 40 million cards during the year-end festive shopping season, but later admitted the breach was nearly twice as large as it had initially thought. US consumer credit reporting company Equifax was in the line of fire last year when it waited more than a month before alerting 143 million customers to a data breach. Ride-hailing company Uber waited more than a year before telling drivers and riders that their personal information had been hacked.
“[For companies], you need to understand what’s the magnitude of the breach, what’s the nature of the breach, and if it is still going on,” Hobby says. “You find a lot of circumstances where organisations underestimate or misunderstand the magnitude of the threat.”
To be sure, there are regulations requiring disclosure of attacks. In Singapore, the Cybersecurity Act was passed into law on Feb 5. The Act applies to organisations that are designated as operating critical information infrastructure (CII) in Singapore, such as those in the energy, telecommunications, water, healthcare, banking, transport and media sectors.
Under the Act, the CEOs of such critical infrastructure are held responsible and accountable. They will have a duty to report cybersecurity incidents to the commissioner of cybersecurity and to disclose certain information regarding its CII, including on the “design, configuration and security” of that infrastructure.
In addition, they are obliged to carry out periodic cybersecurity audits and risk assessments, and could be subject to investigations from the authorities on cybersecurity threats or incidents and forced to take remedial action where deficiencies in security measures are found. If a CEO is found to be wilfully not compliant with the obligations under the Act, he or she will be penalised. “The [security] culture has to start at the top, with the board. That is why CEOs have to be responsible,” Yip says.
Eroding customer trust impacts future business
Ultimately, the onus is on business owners to assure customers of a company’s commitment to preventing, or at least limiting the impact of, cybercrime. The consequences of distrust in almost ubiquitous online transactions and other interactions can be far-reaching. “What’s a future-ready business? Getting analytics and data, improving insights and solutions. But a lot of this relies on the availability of data that comes from transactions, preferences and so on,” says Chng. “When consumers stop sharing this data, it will affect the companies’ ability to tap data and offer solutions.”
But Chng has raised concerns that companies are not adequately prepared to deal with a cyberattack. And the consequences could be dire. “When something bad happens, what does the company tell the consumers? How do they explain what has gone wrong, the extent of the damage, what they are doing to fix it and prevent it from happening again. I don’t think companies are prepared for that.
“What’s going to happen in today’s social media world is that if you don’t have a response, the internet will have a response for you on your behalf and if you cannot control it, it’s going to go viral. That’s going to be very damaging to the reputation of the company because you cannot pull that back.”