Cyber crime is a fast-growing area of crime. Cyber criminals use the Internet to steal individuals' identities, hack into their accounts, trick them into revealing sensitive information, or infect their devices with malware.
Criminal organisations turn to the Internet with sophisticated methods to facilitate their activities and maximise their profit in the shortest period possible. Many businesses and private individuals have indeed been the victims of a cyber crime. According to an extensive Detica report from the Office of Cyber Security and Information Assurance within the Cabinet Office, the cost of cyber crime to the UK is estimated to be £27bn per annum. Many cases, however, are not reported, which means that the true economic cost is likely to be significantly higher.
Even the largest and most technologically savvy companies are susceptible to cyber crime. This month (October 2014), Apple’s iCloud service suffered a cyber-attack in China, in an apparent attempt to collect user names, passwords and other private information when the company released its newest round of iPhones. The methods used by cyber-criminals are becoming more and more sophisticated.
How can one minimise the risk of becoming a victim of cyber crime and mitigate the damage that may arise from a data breach? Below are some key things to consider:
The UK government's recently introduced Cyber Essentials Scheme is a good starting point. The scheme is mandatory for central government contracts advertised after 1 October 2014 which involve handling personal information and providing certain ICT products and services. It provides a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet-based threats. The Cyber Essentials Scheme concentrates on the following five key controls:
- Boundary firewalls and internet gateways; these are devices designed to prevent unauthorised access to or from private networks and require a careful set-up in order to be fully effective
- Secure configuration; this means that systems are configured in the most secure way for the needs of the organisation
- Access control; this requires that only those who should have access to systems have access, at the appropriate level, and no other parties
- Malware protection; this requires ensuring that virus and malware protection is installed and is kept up to date
- Patch management; this means that the latest supported versions of applications are used and all the necessary patches supplied by the vendor have been applied
It is clear that implementation of these controls can significantly reduce the risk of prevalent but unskilled cyber-attacks. Organisations can also reduce the impact of cyber crime by regularly backing up important data. Criminals often use ransomware: a type of malware which restricts access to the computer system that it infects. Criminals subsequently demand a sum of money in exchange for the encryption key so that the restriction can be removed.
When both the applications and the information are backed up, there is no need to pay the criminals. An infected device can be re-imaged and cleared of any infections.
Education is also key. In addition to backing up, organisations should be aware of the risks of clicking on email links, the need to check URLs carefully, the importance of implementing a clear desk policy, and the use of strong passwords that are changed on a regular basis.
Computers need to be updated with the latest patches and be configured securely. Personal information needs to be protected and bank details and credit card statements should be reviewed on a regular basis to check for unusual or unauthorised transactions.
It is important to have a plan in place should a cyber-breach occur. Such a plan will help make the organisation aware of a compromise or incident sooner, limit its repercussions and shorten its duration. It is imperative to respond as soon as possible, so having a plan in place beforehand will reduce wasted time and limit the damage caused. Such a plan should be tested and scanned for weaknesses to assess whether it works effectively in the event of an actual attack. Penetration testing companies can also be engaged to assess an organisation's level of security and system vulnerabilities by attempting to break in under controlled conditions.
It is also essential to obtain legal advice in the event that a data breach or cyber attack occurs, in order to understand any legal implications, including any reporting requirements.
It may be necessary to report the incident to the relevant authorities, including the Information Commissioner's Office (ICO), Action Fraud (the UK's national fraud and internet crime reporting centre), and the police.
This article demonstrates some basic and practical steps that can be taken to avoid or reduce the impact of a cyber security incident. Even though criminals use sophisticated techniques, prevention can be reasonably straightforward at times, and is always better than cure. When armed with a little concrete advice combined with common sense, many attacks may be avoided. The more hurdles an organisation puts in place, the more likely it is that cyber criminals will leave the organisation alone and move on to an easier target.