But what are companies doing about it? As cybercriminals and their schemes increase in sophistication, companies have to increase the sophistication of their defenses to lessen the threat.
Global business is losing upwards of $575 billion every year in the prevention of cyber attacks, the cleanup after attacks and, perhaps most significantly, the opportunities lost as a result of diminished customer trust, competitive disadvantages and brand damage (Center for Strategic and International Studies).
Some of the biggest companies in the world are suffering security breaches. Target leaked credit card numbers of some 40 million customers, causing the CEO to step down. Nortel, a Canadian telecom, went under after hackers repeatedly stole intellectual property over the course of a decade-long breach.
In response, the cyber-security industry has taken off. According to the Economist, the cyber-security industry will reach about $170 billion by 2020.
However, as with any new industry, the level of expertise varies quite a bit. Without strong, well-established trade associations and standard qualifications, it’s hard to say what you’re going to get with a cyber-security company.
More than a Firewall
As cybercriminals get more sophisticated with their hacking schemes, companies have to be more sophisticated with their defenses against corporate cybercrime.
Purely technical solutions are also going out of fashion. Even the best technology doesn’t work if the humans who operate it are careless or ill-trained. Attackers often use a mixture of computer hacking and “social engineering” (in effect, confidence tricks) to gain access to their targets.
People who obligingly click on links or open attachments in bogus emails are the single biggest security weakness: even the strongest front door is insecure if those inside open it to all comers.
It’s not just about having a firewall in place – social engineering and phishing campaigns target human nature.
Employee education is a big part of cyber defense these days, just because of the nature of the attacks. It’s absolutely vital that you educate your employees to be suspicious of emails from people they don’t know and to avoid, at all costs, opening suspicious links.
It’s also vital to show employees what phishing emails look like when they come from a familiar contact. One common phishing technique involves taking over an account and emailing everyone in the contact list with a link that gives the hackers the login information of the contacts, so the hackers can take over their accounts as well – and repeat the process.
– Kirk Porter, President of Avitus Technologies
Bug Bounty Programs
One way companies have found to test their security is to call on the very people they’re defending against. (Actually, the ones who work on the side of security research rather than the side of cybercrime.)
Google famously has a bug bounty program for Chrome. Rewards range from $100 to $20,000, depending on how serious the bug is.
If a hacker finds a bug that enables access to a file system or database, they could garner up to $10,000. If they find a bug that enables them to completely take over an account and execute remote code, they could earn up to $20,000.
Google views the bug bounty program as a worthy investment, engaging the community with the expertise to threaten them. Given that hacking communities don’t exactly share their expertise with, say, corporate IT engineers, there’s really no other way to discover what they can do.
Laying Out Bait
One step further than bug bounties are baiting and infiltration techniques, which offer a more proactive (if riskier) approach to cyber defense.
Basically, companies will infiltrate a hacking community by either staging a fake hack on themselves or by laying bait for outside hackers to bite on.
By gaining access to a hacking community, companies can get a heads-up on the latest techniques and activities. By laying out bait, they can identify leaks in their systems and even identify and track hackers.
Samir Kapuria of Symantec told CNNMoney that Symantec had a client that hid phony blueprints of one of its products in its servers. The company later saw the phony blueprints on the black market, proving that they had a breach in their system.
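A minimal way to make the phony-blueprint idea traceable, as an added example (not Symantec's or the client's tooling): each planted copy carries a distinct HMAC-derived marker, so a copy that later surfaces outside can be tied to the server it was taken from. The class, the template, the placement names and the leaked sample are all constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets
# Marker format embedded in each decoy copy: "REF-" plus 16 hex chars.
TOKEN_RE = re.compile(r"REF-([0-9a-f]{16})")

class HoneytokenRegistry:
    """Plants uniquely tagged decoy copies and traces a leaked copy back to
    the place it was planted. Constructed for illustration only."""

    def __init__(self, secret: bytes = b""):
        self._secret = secret or secrets.token_bytes(32)
        self._placements: dict = {}  # token -> placement label

    def _token_for(self, placement: str) -> str:
        # HMAC over the placement name: reproducible for the secret holder,
        # unguessable for anyone who only sees a leaked copy.
        mac = hmac.new(self._secret, placement.encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def make_decoy(self, template: str, placement: str) -> str:
        """Return the decoy text tagged for one placement (server, share...)."""
        token = self._token_for(placement)
        self._placements[token] = placement
        return template.replace("{REF}", f"REF-{token}")

    def attribute_leak(self, leaked_text: str) -> list:
        """Return the placements whose decoy copies appear in leaked_text.
        An empty list means no registered marker was found (not ours, or
        the marker was scrubbed before resale)."""
        found = []
        for m in TOKEN_RE.finditer(leaked_text):
            placement = self._placements.get(m.group(1))
            if placement and placement not in found:
                found.append(placement)
        return found

# Constructed sample: one phony blueprint template planted in three places.
TEMPLATE = "ACME Widget Mk II - internal blueprint {REF}\nshaft tolerance 0.02 mm\n"
PLACEMENTS = ["fileserver-eng", "backup-nas", "dmz-share"]

def demo() -> list:
    reg = HoneytokenRegistry(secret=b"constructed-demo-secret")
    copies = {p: reg.make_decoy(TEMPLATE, p) for p in PLACEMENTS}
    # Constructed "black market" listing: the backup-nas copy plus seller noise.
    leaked = "FOR SALE: fresh ACME docs\n" + copies["backup-nas"] + "\ncontact via DM"
    return reg.attribute_leak(leaked)  # ['backup-nas']
```

A copy scrubbed of its marker cannot be attributed by this check, which is why real deployments pair visible markers with subtler per-copy differences in the content itself.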
Hack the Hackers?
In a step some consider overly extreme, some companies have considered or even undertaken offensive moves against hackers.
These counterattacks can include hacking into a cybercriminal’s computer and either taking it over or shutting it down altogether. If they take it over, they can even engage the camera and take pictures of the hacker.
However, these types of counterattack are frowned upon because of the cost as well as the potential for dramatic backlash (a war with hackers), damage to innocent third parties and even international scandal (say, if the cybercriminals are state-sponsored).
It would also draw the ire of the FBI, which is why the industry norm is to document attacks, track down hackers and hand over “prosecution files” to the FBI. It gives federal agents a significant head start and puts companies one step closer to eliminating the threat.
“As a commercial entity, it’s very hard to take an operation down by yourself,” IOActive’s Ian Amit said. “This is a law enforcement thing.”
A More Sophisticated Defense
Defending against corporate cybercrime requires more than just a firewall or other technical means. It also requires education of your employees.
While you may not want to engage in offensive tactics to keep your customers’ information safe, you do want to take a multi-faceted approach, because hackers are taking a multi-faceted approach too.