Since we conduct so many sensitive personal and business affairs on electronic devices, we are all ripe targets for cyber thugs. Strategic Risk, an excellent risk management and corporate intelligence publication based in Britain, has put out an informative update on cyber risks.
I thought I’d mention it, since cybercrime and related threats like cyberwarfare and cyberterrorism have grown significantly and yet receive, at least in my humble estimation, very little media coverage and analysis. During, say, the 1970s, hearing that the Soviets had managed to steal every personnel file of every employee of the U.S. federal government would have dominated the American psyche for months. When essentially the same thing occurred this year — Chinese hackers, very possibly linked to Beijing, pilfered the entirety of the U.S. Office of Personnel Management’s file archive — no one beyond foreign-affairs journalists and specialist bloggers seemed to care or even notice.
For businesses, the risk of such a massive attack is just as great. To give you a broad idea of the vulnerable position in which the private sector finds itself, per the Strategic Risk report: cyber attacks are becoming both more common and more sophisticated. Attackers have refined their methods, ruthlessly directing their energy toward specific marks. “Cyber-attacks are becoming far less scatter-gun in approach and are now highly targeted,” according to Stuart Poole-Robb, who runs KCS Group, a corporate risk and security consulting firm.
Cyber criminals prepare for phishing attacks with months of research. (“Phishing” refers to obtaining valuable information — passwords, PINs, and other sensitive financial information — by posing as a legitimate person or organization to whom the target would ordinarily give that information.) Using social engineering, criminals maneuver an employee into making the fatal mistake of clicking on a tainted link or opening an infected attachment, inadvertently exposing the company’s assets to the attacker’s malware.
If you’re new to studying cybercrime, you will be surprised by cyber criminals’ insidious attention to detail, such as planning their phishing operations for Friday afternoons — when a company’s tired staff, longing for the weekend, is more prone to laziness and error.
What’s worse, as technology improves, cybercrime grows more sophisticated and defense against it gets ever more difficult. There is, for instance, such a thing as cyber insurance, but as I have already written on this site, it is difficult for businesses to insure against cyberattacks for the following reasons:
- There is no low-risk pool to offset the cost of insuring the high-risk pool. Hackers target everyone, from poor old ladies to multinational corporations. Put simply, everyone is in the high-risk group.
- Cyber attacks are constantly evolving; thus it is difficult for insurance companies to evaluate to what extent a company’s own security measures would be effective against an attack.
- The cost of a cyber attack, for both a company’s finances and brand, is usually so high that any insurance policy would likely cover only a fraction of the damage.
Cybercrime is an area in which perpetrators continue to enjoy a distinct advantage: the risk for them is still relatively low, at least compared to the risk inherent in other crimes.