Companies can take several measures to stay safe
Cybercrime comes with significant cost. It has been estimated that the global economic cost of combating cybercrime could reach $400 billion, according to a 2014 report entitled “Net Losses: Estimating the Global Cost of Cybercrime”, published by the McAfee Centre for Strategic and International Studies. The study suggested most countries, governments and companies underestimate how much risk they face from cybercrime and how quickly this risk can grow, claiming that potential global losses caused by cybercrime are estimated to be $375 billion annually, while the maximum could be as much as much $575 billion.
The challenges of cybercrime are more than economic; they are compounded by the networked nature of the issue. Today’s interconnected business environment increases an organisation’s vulnerability to security attacks, as security is no longer confined by the boundaries of a single company but transcends them to be dependent on all those operating on the same network, claim Zhao et al in the Journal of Management Information Systems.
CMME spoke to Joe Lahoud, general manager Construction Machinery Centre Co LLC (CMC) in the UAE, who had recently been the victim of fraud. He acknowledged an “increasing trend” whereby hackers are creating email addresses and website domains similar to those used by genuine company representatives and communicating with customers and suppliers directly.
Mr Lahoud referenced a particular case in which a hacker accessed a customer’s private email account and developed an online correspondence impersonating a CMC representative. CMC happened to be expecting an authentic five-digit euro transfer from the customer. Believing the hacker’s messages to be genuine, the customer’s accounting personnel initiated the transfer to a new bank account advised by the hacker.
This instance of cybercrime took on a new dimension. Instead of taking advantage of a deficiency in a security system, as mentioned in the Journal of Management Information Systems, the fraudulent individuals were actively developing websites and email accounts realistic enough to fool customers into transferring large funds. This tactic is known as social engineering, with con artists concocting ingenious schemes to trick people into giving up personal information or visiting websites that download viruses.
“I strongly advise you to review your security measures and money transfer procedures. We need better data protection, both at the individual corporate level as well as societal government level, but we also need better detection and response,” commented Mr Lahoud.
This type of cybercrime demonstrates the levels of ingenuity criminals possess, but perhaps the most common and most worrying security risks come from within the organisation itself, suggests Mark Button, director of the Centre for Counter Fraud Studies at the University of Portsmouth in the UK.
“It takes a lot more sophistication to actually hack into a company website, and of course, out there in the world there are very many skilled computer operatives capable of doing such work. However, there are a lot of very simplistic security issues that can cause equally traumatic threats to a company. These include simple measures such as changing default passwords; this is an easy way to prevent people entering through legitimate portals and making changes without any detection. Another simple online security threat is a corrupt member of staff. This could be a disgruntled employee who decides to give away confidential cyber information, thus highlighting the need to regularly change all passwords.”
Having a thorough awareness of online security strategies, combined with vigilance, is the key to preventing online cybercrime, suggests Button.
“I think organisations are waking up to the possible risks and attacks. This realisation will bring much greater interest in developing the best strategy to counter the present threats. Equally, you have lots of individuals who are of a corrupt nature, and they are realising that there is a large potential from these type of criminal attacks. Not all require high levels of education or skill. If you can just get one corrupt insider to allow you access into a laptop or computer system, to share a password or ID number, you simply don’t need extensive or significant PC hacking skills to earn big rewards.”
Reports of similar incidents in the construction industry are not uncommon. Finnish crane maker Konecranes experienced fraud when US $19.2 million was stolen from one of its foreign subsidiaries. Konecranes said perpetrators used identity theft and other methods to induce the subsidiary to make unwarranted payments. A similar attack was target at Komatsu, when a fraudulent website was created posing as a Komatsu Group Company asking people to provide them with their personal information in order to apply for false employment opportunities.
Ultimately, preventing cybercrime comes down to strategy. If an organisation has the resources, then they need to be investing in someone appropriate for the task of protecting their assets online.
“This is all about organisation and strategy. The person who really understands the full range of risks is able to help the firm develop the most resilient strategy,” Button continues. “If you think about it, an organisation can go to the best, most expensive IT company that provides very technical skills to detect and block attacks, but then if they don’t cover the staff, who can be turned or tricked, then they’re missing out on a much more vulnerable point of entry.
“This is what I mean by a strategy. This is what will prevent cyber criminals from conducting successful attacks.”
A brief history of cybercrime
The term ‘hacking’ purportedly originated in the 1960s at MIT in the United States. Early hackers worked with computer systems to change the computer code that was used in early programs. At this time a hack became known as a clever way to fix a problem with a product, or an easy way to improve its function.
In the 1970s, the malicious association with hacking became evident. Early phone systems became a target when technologically savvy individuals discovered methods that resulted in free long-distance phone calls. As more complex communications became available to the consumer, more opportunities for cybercrime ensued.
In 1986, following irregularities in accounting data at the Lawrence Berkeley National Laboratory, it was discovered that a number of hackers in West Germany were stealing and selling military information, passwords and other data to the KGB.
In 1990, FBI agents confiscated 42 computers and over 20,000 floppy disks during a project known as Operation Sundevil. Stolen data was allegedly being used by criminals for illegal credit card use and telephone services.
In the years that followed, the sophistication and ingenuity of cybercriminals developed exponentially. An arms race ensued, with universities offering higher education courses in online security and public and private sectors investing ever greater sums of money to keep pace with the hackers.