What's the pension plan like, though?
Cyber crime is big business: research suggests perpetrators can make millions every year, and that few of them get caught. It’s no wonder so many cyber security workers get tempted to join the dark side.
As depressing as that is, it’s also important to acknowledge this reality and to recognise that such illegal enterprises are increasingly being operated with the kind of professionalism normally associated with legitimate business.
Not only do markets exist on the dark web to sell illicit hacking software to lower-level criminals, showing a clear hierarchical structure in the digital underworld, but the way crimes are being carried out suggests at least some criminals are operating with some kind of strategy in mind. In other words, criminals are responding to market pressures and adjusting accordingly.
The UK government’s Cyber Security Breaches Survey 2019 shows an overall drop in cyber attacks, compared to previous years, with only 32% of all businesses reporting security attacks or breaches. In the 2018 report, that figure stood at 43% and in 2017 it was 46%.
The survey shows businesses are more cyber aware and treating security as a greater priority, so this makes sense. The survey also points to the significance of GDPR, which may have changed what people regard as a breach or made them less willing to admit to a breach (even though failing to report a breach can itself be against GDPR rules).
Cyber criminals can make vast amounts of money from their crimes
However, there’s another possible reason for the drop in attacks – one that’s consistent with other statistics from the survey. Despite the overall drop in attacks, among the 32% of businesses that were affected, the typical number of attacks increased, from two in 2017 to six in 2019. The average cost of dealing with attacks also went up, from £2,450 in 2017 and £3,160 in 2018 to £4,180 in 2019.
As the survey report says, it’s too early to draw any definitive conclusions about these trends, but it seems plausible that criminals are adapting to a changing cyber security landscape. Cyber security technology like antivirus and firewalls is getting better, and people are becoming more aware of cyber threats, so the crooks, it seems, may be changing things up.
Just like for legitimate organisations, if something is working, it makes sense for criminals to keep doing it. If it doesn’t, then they’ll look somewhere else. So while it might be getting harder to attack businesses in general, criminals can compensate by simply increasing the number of attacks they carry out on the most vulnerable organisations.
Similarly, the most common type of attack by far is phishing; it accounts for a massive 80% of breaches that businesses experience. That’s followed by people impersonating the victim’s organisation online (28%) and malware, including ransomware (27%).
From a business point of view, this is understandable. Distributing malware means either creating or otherwise acquiring rogue software first, which can be high effort or expensive, and it may not be worth it, because it can be blocked by antivirus and firewalls.
Phishing, meanwhile, often requires very little work, and as a form of social engineering, it targets one of the trickiest things to make secure: people. Even the greatest security technology can be rendered useless if a staff member is tricked by a phishing email and ends up transferring thousands of pounds into a criminal’s bank account.
So how do you avoid becoming one of the 32% that experience an attack? As we’ve always said, it’s a matter of taking a long-term, multi-layered approach to cyber security – one that considers not only technology but also the role of people. Don’t place all your faith in one solution, and make sure you have a backup plan, in case of disaster.