Cyber crime losses set to hit $8 trillionThursday, June 1, 2017
Cyber crime cost to businesses set to accelerate enormously, but mitigation relatively simple, according to new report.
Cyber crime is set to extract a heavy toll over the coming years, according to a new analyst report. The headline figure from Juniper's report is that criminal data breaches will cost businesses a total of $8 trillion over the next 5 years, due to higher levels of Internet connectivity and inadequate enterprise wide security.
The company also predicts that the number of personal data records stolen this year will hit 2.8 billion, and is expected to almost double to five billion by 2020. By contrast, 2016 saw 2 billion personal records stolen, giving 2017 a predicted near-40 per cent rise in losses.
One of the main reasons for the predicted increases is highlighted as everyday business security provisions, which Juniper calls out as muddled and underfunded. SMEs (small and medium enterprises) are particularly at risk, spending less than $4,000 each on cybersecurity measures this year, with only marginal increases in spend expected over the next 5 years.
These firms also tend to run older software, which WannaCry and other recent cyberattacks have exploited, according to the analysts, who also picked out causal integration of new and old systems without regard to overall network security as being an ongoing issue.
Ilia Kolochenko, cybercrime expert and CEO of High-Tech Bridge, agrees that the WannaCry incident highlights the lack of coherent business response to rising security concerns. “The root causes underlying WannaCry are the fundamental cybersecurity problems: incomplete or outdated inventory of digital assets (software, hardware, users, data), missing or wrong risk assessment and risk mitigation plan, and lack of continuous security monitoring. These three are aggravated by operational problems such as poor patch management systems or missing security hardening on user machines. Very few vendors can help mitigate all these problems at once, and thus cannot be entirely responsible for WannaCry, or similar incidents.”
The research emphasises a need for companies to put more money into cybersecurity and system upkeep, which should be treated as a vital element of workplace safety.
“The attacks on hospital infrastructure show that inadequate cybersecurity can now cost lives as well as money,” remarked Juniper research author James Moar. “Businesses of all sizes need to find the time and budget to upgrade and secure their systems, or lose the ability to perform their jobs safely, or at all.”
Another live issue the report picks out is that ransomware is becoming a far more advanced form of malware, as ransoming stored data and devices becomes easier and more valuable than stealing financial details. The analysts believe that the RaaS model (ransomware as a service, where anyone with loose morals can buy an off-the-shelf toolkit and create their own attack), has only just begun to develop, citing the trajectory of banking Trojans as a case study.
Kolochenko has previously gone on record with similar concerns over ransomware: “We will see an important growth in the RaaS model in the near future. Many cybercriminals don’t want, or simply don’t have enough skills, to do all the administrative work involved in ransomware – billing, support, money laundering, etc. There is nothing sophisticated in the RaaS model, it’s just about making this type of cybercrime more accessible and affordable. This is a sign that the cybercrime industry is maturing, like a legitimate business.”
Ironically it might even be said that the smaller criminal enterprises are developing their business model more successfully than their legitimate counterparts, certainly in the security arena. Maybe it really is time SMEs sharpened up their security stance, at least by attending to the basics, rather than by trying to exceed that $4,000 spend next year...
The Juniper report, The Future of Cybercrime & Security: Enterprise Threats & Mitigation 2017-2022 is available here.