Cybercrime comes with a significant cost. It has been estimated that the global economic cost of combating cybercrime could reach $400 billion, according to a report entitled “Net Losses: Estimating the Global Cost of Cybercrime”, published by the McAfee Centre for Strategic and International Studies a couple of years ago.
The study suggested most countries, governments and companies underestimate how much risk they face from cybercrime and how quickly this risk can grow, claiming that potential global losses caused by cybercrime are estimated at $375 billion annually, while the maximum could be as much as $575 billion.
The challenges of cybercrime are more than economic; they are compounded by the networked nature of the issue. Today’s interconnected business environment increases an organisation’s vulnerability to security attacks, as security is no longer confined by the boundaries of a single company but transcends them to be dependent on all those operating on the same network, claim Zhao et al in the Journal of Management Information Systems.
Last year, Construction Machinery ME obtained an interview with Joe Lahoud, general manager of Construction Machinery Centre Co LLC (CMC) in the UAE, who had recently been the victim of fraud. He acknowledged an “increasing trend” whereby hackers are creating email addresses and website domains similar to those used by genuine company representatives and communicating with customers and suppliers directly.
Lahoud referenced a particular case in which a hacker accessed a customer’s private email account and developed an online correspondence impersonating a CMC representative. CMC happened to be expecting an authentic five-digit euro transfer from the customer. Believing the hacker’s messages to be genuine, the customer’s accounting personnel initiated the transfer to a new bank account advised by the hacker.
This instance of cybercrime took on a new dimension. Instead of taking advantage of a deficiency in a security system, as mentioned in the Journal of Management Information Systems, the fraudulent individuals were actively developing websites and email accounts realistic enough to fool customers into transferring large funds. This tactic is known as social engineering, with con artists concocting ingenious schemes to trick people into giving up personal information or visiting websites that download viruses.
“I strongly advise you to review your security measures and money transfer procedures. We need better data protection, both at the individual corporate level as well as societal government level, but we also need better detection and response,” said Lahoud.
This type of cybercrime demonstrates the levels of ingenuity criminals possess, but perhaps the most common and most worrying security risks come from within the organisation itself, suggests Mark Button, director of the Centre for Counter Fraud Studies, University of Portsmouth, UK.
“It takes a lot more sophistication to actually hack into a company website, and of course, out there in the world there are very many skilled computer operatives capable of doing such work. However, there are a lot of very simplistic security issues that can cause equally traumatic threats to a company. These include simple measures such as changing default passwords – an easy way to prevent unauthorised people entering and making changes without detection. Another simple online security threat is a corrupt staff member or disgruntled employee who gives away confidential cyber information, thus highlighting the need to regularly change all passwords.”
Having a thorough awareness of online security strategies, combined with vigilance, is the key to preventing cybercrime, suggests Button.
“I think organisations are waking up to the possible risks and attacks. This realisation will bring much greater interest in developing the best strategy to counter the present threats. Equally, you have lots of individuals who are of a corrupt nature, and they are realising that there is a large potential in these types of criminal attacks. Not all require high levels of education or skill. If you can just get one corrupt insider to allow you access into a laptop or computer system, to share a password or ID numbers, you simply don’t need extensive or significant hacking skills to earn big rewards.”
Reports of similar incidents in the construction industry are not uncommon. Finnish crane maker Konecranes experienced a fraud when $19.2 million was stolen from one of its foreign subsidiaries. Konecranes said perpetrators used identity theft and other methods to induce the subsidiary to make unwarranted payments. A similar attack was targeted at Komatsu, when a fraudulent website was created posing as a Komatsu Group Company, asking people to provide their personal information in order to apply for false employment opportunities.
Ultimately, preventing cybercrime comes down to strategy. If an organisation has the resources, then they need to be investing in someone appropriate for the task of protecting their assets online.
“This is all about organisation and strategy. The person who really understands the full range of risks is able to help the firm develop the most resilient strategy,” Button continues. “An organisation can go to the best, most expensive IT company that provides very technical skills to detect and block attacks, but then, if they don’t cover the staff, who can be turned or tricked, then they’re missing out on a much more vulnerable point of entry.
“This is what I mean by a strategy. This is what will prevent cyber criminals from conducting successful attacks.”