As we enter the second decade of the 21st century, more business value worldwide resides in the digital realm. As these open and globally interconnected networks proliferate, cyberattacks become of increasing concern. Cybercrime prevention is at the top of the agenda in boardrooms as criminals pursue financial gain through fraud, identity theft, and ransoms. Of equal concern are the theft of intellectual property and the actions of so-called ‘hacktivists’.
As high-profile breaches are becoming increasingly commonplace, not to mention critical – take the penetration of vaccine developers Oxford University-AstraZeneca’s system last year – it can feel like businesses are losing ground to malicious actors. Research conducted by consultants McKinsey&Co and the World Economic Forum suggests that companies are struggling with cybersecurity management; according to their survey, just 5% of companies could be classified as ‘mature’ when it comes to cybersecurity.
This is because traditional ‘protect the perimeter’ cybercrime prevention strategies are becoming outdated. Companies need to enlist cybersecurity specialists to quantify the risks and design mitigation plans, or risk nigh-on everything. Here, we look at the main areas of concern for businesses this coming year, including cyber targets and innovations in technological crime.
Table of Contents
Key company concerns going forward
Despite many companies’ lack of maturity in the cybersecurity field, they’re acutely aware of its importance. The global cybercrime prevention market size is forecasted to grow to $248.26 billion by 2023. This is with good reason; this figure pales into insignificance compared to the global value of cybercrime. Cybersecurity Ventures expects the global cost of cybercrime to grow by 15% per year over the next five years, reaching $10.5 trillion annually by 2025.
McKinsey/World Economic Forum’s research identified the key areas of concern for executives in public and private organisations globally. This covered their perception of the types of cybercrime, their business impact, and their readiness to react. As would be expected, the vast majority of survey respondents believed that Internet crimes are a substantial strategic risk for their organisation. A large majority also believe that cybercriminals will continue to have the edge over company defences. Of those interviewed, 60% said the pace and sophistication of attacks will increase while the ability of organisations to defend themselves will decline.
Product companies, particularly those in the tech sector, are most concerned about industrial espionage and intellectual property theft. Leaks involving knowledge about production processes have the potential to be more damaging than product specifications, considering “teardown” techniques by aggressive competitors are becoming more common. Meanwhile, service companies are more preoccupied with breaches involving customer data. Worth noting is that many respondents were concerned about these attacks coming from within, that is, from employees themselves.
However, mitigating the damage from these risks is a complicated balancing act. Often, there isn’t a business case for allocating an unlimited budget to create an impenetrable cybersecurity fortress. Executives have to weigh up the value of reducing risk and keeping up with business demands, as in fact, the true cost of cybercrime can stem from the delay or loss of technological innovation.
For instance, in the tech industry, more than half of the executives surveyed said they needed to pivot the direction of their R&D efforts in line with security concerns. Equally, they were worried that cyber fraud would suppress the value extracted from the cloud, mobile, and even some digital healthcare technologies. Approximately 70% of those surveyed said they had delayed the adoption of public cloud computing for this reason, and 40% said they had enterprise-mobility concerns.
These concerns have become particularly acute during the COVID-19 crisis, where remote working left organisations open to cyber threats. Hesitancy around the adoption of cloud solutions hinders productivity – pre-pandemic, 90% of respondents to McKinsey’s survey said that controls had a “moderate” impact on productivity. Meanwhile, in advanced tech companies, executives felt this scenario was “a major pain point.”
Certainly, there is a consensus that organisations, governments, and businesses need to make a concerted effort to manage security threats while meeting business demands. However, there is concern about how this consensus may take shape; some executives suspect that policymakers will draw up regulations based on outdated information. This is why cybersecurity specialists are crucial players in our particular moment. Next, we’ll discuss what they’re likely to come up against in the coming year.
Innovations in technological crime
Any network connected to the Internet is exposed to Internet crime. Any machine with an IP address or hostname resolving publicly in DNS is vulnerable. Therefore, workers using a VPN or other access tool are at risk, especially if they’re working remotely. This is certainly the case as the use of cloud services becomes all the more ubiquitous. In 2021, experts predict that cybercriminals will increasingly focus on compromising exposed infrastructure.
Organisations with outdated cybersecurity systems are the most at risk – now, perimeter defences are not enough. Just as AI and machine learning are disrupting every industry, so are they disrupting cybercrime. One of the most significant innovations in cybercrime is AI fuzzing, which integrates AI with traditional fuzzing techniques to detect system vulnerabilities and automate attacks. Equally, hackers are targeting machine learning models. As many machine learning models are open source, this gives cybercriminals a route into their inner workings. Hackers engaged in “machine learning poisoning” also potentially have the capacity to introduce Trojans into the system.
Ransomware attacks are also becoming more powerful. Currently, 24% of cyberattacks on organisations happen through ransomware. Whereas before these attacks were carried out by skilled, adaptable criminals, now, Ransomware-as-a-Service (RaaS) tools are increasingly available on the dark web. These kits allow criminals to enter systems and hijack information, either holding it ransom or selling it on the deep or dark web.
Perhaps more worrying is the growth of specialized criminal groups like GandCrab.
These groups are beginning to concentrate resources on more lucrative targets, as opposed to “spray and pray” techniques. Recently, GandCrab developed REvil, a ransomware program that has reportedly earned the group $2 billion. Right now, security experts estimate that REvil accounts for 12.5% of the ransomware market share.
These groups are operating more and more like corporations. Like businesses, they are innovating: they have R&D initiatives that are identifying new tactics and techniques. For example, research suggests that these organisations are seeking to leverage quantum computing and communication to administer cyber attacks. Considering what’s at stake, it’s vital these strategies don’t remain under the planning radar.
However, many of the entry points to networks remain the same. Human-operated and automated ransomware tend to penetrate systems via email and social media phishing and exploit kits. Once clicked, cybercriminals carry out extensive research and to find tactics, techniques and procedures that will prove effective – including sending messages via authentic email addresses, using logos, and adopting convincing grammar and tone. Hackers are always finding new ways to craft seemingly genuine messages to entice unsuspecting targets to open links without thinking.
Malware isn’t the only problem; utilising legitimate administration and management tools to breach enterprise networks is becoming commonplace. According to Positive Technologies, more than 50% of criminal groups are leveraging publicly available penetration testing and system administration tools like Cobalt Strike, PowerShell Empire and BloodHound to plan attacks. These strategies allow them to run harmful software directly into the computer’s memory – significantly reducing their chances of being detected.
The human element of cybercrime prevention
The increasingly convincing nature of ransomware and the use of legitimate tools brings us to what is perhaps the most important dimension of evolving cybercrime threats – human error. Often, the lack of monitoring of critical systems is down to fatigue, overload, or indeed, a lack of trained engineers. Thus, the root cause is a lack of cybersecurity skills. According to a study by the Information Systems Security Association (ISSA), 70% of executives believe their organisation has been impacted by a global skills shortage in cybersecurity.
This gap is causing rising incidents – leading to lost productivity and sensitive information. Yet it will often be our human instincts that will leave systems most vulnerable. Social engineering – a non-technical strategy that exploits human interaction to deceive – is becoming an increasingly popular tactic. In fact, Microsoft reports that social engineering attacks currently stand at around 20,000 to 30,000 a day in the U.S. alone.
Gone are the days of an obscure African prince contacting you via email to hold a million dollars – now, tactics are much more believable. Social engineering attacks like spear-phishing, which are highly targeted attacks that use personal information to gain trust, and pretexting, a series of falsehoods pretending to need sensitive information to perform an urgent task, will only become more prevalent.
Technology can help organisations identify when malware entered the system, but to prevent social engineering attacks, you need more than network detection. You need to make sure employees have robust, up-to-date training about social engineering threats. By educating staff about how to spot phishing and keeping them abreast of new hacks, you can boost the organisation’s security maturity substantially.
Balancing protection and digitization
Undoubtedly, the threat posed by hackers is growing. The pace and intensity of attacks is increasing, making cybercrime prevention of increasing importance. However, what is most crucial for the business world is that this urgency is balanced with pragmatism; companies shouldn’t stunt digitization out of a fear of cybercrime. Take, for instance, cloud computing; in an increasingly hostile environment, public clouds could be underutilized, given increased fear of vulnerabilities.
This dynamic could play out in many fields, considering the increasing sophistication of hackers’ arsenal. The ubiquity and visibility of data breaches have the capacity to trigger a backlash in the public and private sectors, pushing governments to enforce tighter controls. Although data privacy law is, of course, important, excessively stringent regulation could decelerate digital transformation.
This under-utilization of digital services could have serious financial implications; for instance, McKinsey&Co estimates that cloud computing could create $3.72 trillion in value by 2020. However, hesitancy could delay the adoption of many systems and reduce the potential value from the cloud by as much as $1.4 trillion. Thus, for the dynamism of the economy and innovation, a constructive approach to cybersecurity is essential.
This is why seeking expertise is absolutely crucial. In order to close the gap between organisations and cybercriminals in 2021, business leaders, CTOs, and cybersecurity professionals must collaborate to create more tools and continue to innovate. Just as AI and machine learning are enabling more sophisticated attacks, we too can create more sophisticated defences – it just requires investment and confidence in digital.
However, perhaps the most important element of a cybersecurity plan for the future will be the human one. As hackers increasingly prey on human nature, companies need to train their staff to enhance digital literacy and security practices. This will make the first line of defence as strong as possible, spearheading the progression towards full maturity in the cybersecurity field.
Sourcing the cybersecurity expertise you need
Human intelligence is vitally important to technical development. This is why talent acquisition is essential to a cybersecurity initiative. In a context where threats are evolving all the time, and indeed, the value of the cybersecurity market is inflating, businesses will find it increasingly challenging to source the right professionals. As a result, businesses need to cast their net wide when it comes to talent.
The freelance market is fertile ground. Thanks to the dynamism of the freelance model, businesses can access highly qualified experts in an agile, economical way. However, the search needs to be executed correctly, or else businesses risk forgoing the benefits mentioned; after all, fruitless recruitment drives are inevitably time-consuming and costly. So how can companies connect with the up-to-the-minute expertise they need?
Outvise was created to facilitate this connection between businesses and TMT and digital experts. With a 30,000-strong fully-curated network of certified experts, businesses can connect quickly with the right professionals, in some cases, as quickly as 48 hours. These experts are available for on-site and remote working, providing companies with the flexibility they need – and the cybersecurity expertise necessary to keep data secure, inspire employees, and drive digital transformation.