Cybercrime is a lucrative business model
The criminal underbelly of the Internet has developed into a multi-faceted business model whose participants range from individuals and amateur hacking teams looking for quick bucks, to sophisticated professionals engaging in multi-billion-dollar industrial espionage and even nation-state adversaries using the most highly sophisticated tools and methods.
A 2016 Cyber Security Review conducted by the Australian federal government found that cybercrime is costing the Australian economy up to $1 billion annually in direct costs alone. And those costs are growing.
As the Australian Criminal Intelligence Commission states:
Put simply, cybercrime is here to stay.
There's never been a better time to be a hacker
Putting ethics aside for a moment, from a purely technical perspective there's little that separates an IT security professional who's authorised to test the security of a network from an attacker working for criminal gain or another malicious purpose.
Both have access to a vast array of learning materials and tools to achieve their goals, with a myriad of online courses teaching even the most advanced skills. Many powerful tools can even be downloaded and used for free.
And of course, the Internet itself is a 'target-rich environment' for an attacker to hone their skills. This all combines to create a hacker's paradise, so long as personal ethics and law enforcement aren't issues, which in many places they are not.
Most computer networks are not well defended
Even now in 2019, most computer networks are not well defended against even moderately skilled cyber criminals. Ask a network administrator what security controls are defending their network and you'll probably receive the same responses we did ten years ago – a firewall, anti-virus programs (hopefully being updated), maybe some logging (which isn't reviewed anyway) and filtering spam emails.
But unfortunately, most hackers can send a well-crafted email that slips through a spam filter, tricks a user into opening a document or link, deploys a malicious program which bypasses anti-virus, infects the user's computer and calls back to the attacker. The stage is now set for a broader compromise of the network, which can last for months or longer until it's discovered.
While this is one common attack scenario, there are many more, including malware which provides access to a victim organisation's email or online bank accounts, ransomware which encrypts files across a company's network, or a fraudulent email which tricks an unsuspecting user into transferring large sums of money to the attacker.
All this is especially difficult for small to medium organisations, which often already have limited IT resources, or rely on third parties for core IT services (and those third parties often don't provide sufficient security capabilities either).
One more consideration – mandatory reporting of data breaches
Since February 2018, organisations regulated under the Australian Privacy Act 1988 are legally required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to individuals whose personal information is involved in a breach.
This new legislation is a game changer. No longer can organisations simply clean up and move on. They must now conduct proper investigations to determine the extent of the breach and the data compromised. Failure to do so could result in adverse findings and fines from the OAIC, legal action by affected parties and, of course, reputational damage to the organisation.
Conclusion
As with any risk, an ounce of prevention is worth a pound of cure.
Organisations need to take stock of their critical systems and confidential data, understand the ways in which they could be compromised, and identify methods to prevent, detect and respond to any suspected or actual breaches.
This doesn't necessarily mean a huge investment in systems and people. Significant improvements can often be made by better leveraging existing capabilities, such as the backup and logging features built into operating systems such as Microsoft Windows. But it will require knowledge and expertise in cyber threats, which means either training staff internally or engaging specialists to assist.