It’s time to challenge conventional wisdom on fighting cyber crime
The world is experiencing an exponential increase in the number of internet users as more and more people harness the power of the World Wide Web.
With its myriad advantages, the online usage explosion brings with it distinct threats as well. One of the biggest threats of an increasingly connected world is its susceptibility to criminal syndicates and terror groups which use hackers for anything from monetary theft to causing infrastructural damage.
Cyber crime will become an increasingly common threat to South African companies and individuals. According to Grant Thornton, a possible alternative to offset potentially catastrophic consequences - although against conventional wisdom and hype - might be to avoid specific online-based activities altogether.
2013’s remote hacking of a dam’s operating system in the USA (only announced in 2016) by an Iranian terror group laid bare the potentially devastating consequences of having critical networks integrated online. The hacker gained unauthorised access to the dam’s office data systems, but luckily didn't have the ability to control it because the sluice gate happened to be disconnected for maintenance.
While this concept may ultimately be going against the grain here, I believe my opinion is informed not only by my IT background, but also through my understanding of the systemic complexity we are dealing with. The notion of a fully connected world where all systems (and people) are connected and every system can be accessed online is extremely dangerous. Think about dams or nuclear power stations: hackers have proven that they can breach the highest levels of security. These critical infrastructure facilities, among others, are sitting ducks for teams of hackers bent on wreaking havoc.
Rapid increase in internet usage
The rapid introduction of automation and the increase in global populations coming online will lead to the proliferation of organised crime and terror syndicates that want to exploit government and corporate systems for illicit gains. These rapid advancements pose systemic risks to society and will most certainly lead to an exponential increase in complexity and cyber-criminal activity on the web.
Add to this scenario increasing political, socio-economic and job polarisation (i.e. systemic unemployment) across the world, and you find a recipe for an extremely volatile, uncertain, complex and ambiguous (“VUCA”) world.
Rise in cyberattacks costs economies billions
The findings from the latest Grant Thornton International Business Report (IBR), entitled “The Global Impact of Cyber Crime”, a quarterly survey of 2,500 business leaders in 37 economies worldwide, state that the cyber threat is no longer limited to code-breaking teenagers operating from their bedrooms. The total cost of cyber attacks to business over the past 12 months is estimated at $280 billion, a 6% increase over the previous 12 months (the cost figure is calculated using IBR figures and World Bank GDP data, plus estimates of global business revenues).
The survey states that 30% of cyber attacks in Africa are committed to conduct monetary theft while globally most attacks are aimed at causing infrastructure damage. Other motives include the theft of critical business information, extortion and intellectual property theft.
While the current best practice whereby experts systematically attempt to penetrate a computer system or network on behalf of its owners to find security vulnerabilities is important, it is not enough. It is simply not possible to make a network impregnable. A home security system that includes 24-hour armed response and motion sensors makes things difficult for criminals, yet break-ins and house robberies do still occur. There is no such thing as 100% security.
Avoidance a vital part of combatting cyber crime
While conventional wisdom tells us that prevention is far better than dealing with the effects of a cyber attack, it is now very clear that we might not have a choice but to rely more on detection and correction and, in extreme cases, it might even be better not to allow certain high-risk networks to be online at all. Hacking syndicates work for criminal cartels, terror groups and state agents who make available significant resources to achieve their outcomes.
According to the IBR data, financial loss isn’t the biggest consideration. Reputational loss, the amount of management time it consumes, the resulting loss of customers and the costs of putting best-practice defences in place are rated as more important than direct loss of turnover.
Corporations are not the only ones at risk; individuals have to apply the same level of care too. Hackers bet on the fact that every person likes to have his or her entire life on one device. As an example, instead of using one device for all online activity, it is safer to confine internet banking to a dedicated and standalone device (with up-to-date security features), used exclusively for that purpose. This means that the standalone device is not used for any other purpose, such as internet browsing, emails, games or any other programs at all.
Complacency is widespread
It is therefore clear from the IBR data that enterprises and individuals should be obsessively concerned about safety. Yet the data indicates that 52% of businesses responded they had no cyber insurance and an additional 13% were not aware of cyber insurance.
There appears to be a general complacency about the seriousness of IT threats. While prevention is necessary, we have to embrace the new paradigm that successful attacks will occur and so we must be realistic in the face of increasing threats. Our ability to prevent security incidents in the future might diminish due to the systemic complexity we are dealing with. If we cannot live with the fact that we will have to rely more on detective and corrective controls in the future, the only alternative might be to avoid the risk – which is a valid risk response according to good corporate governance principles.
We have to accept a future in which we carefully consider what we interface with, and in which we have a bit more balance. An anti-systemic response is an approach of disengagement from a system’s rules which you cannot beat – for example, guerrilla warfare compared to a conventional army’s tactics.
We need to focus on strategies where we at least consider the adoption of anti-systemic responses to cyberspace in order to avoid very specific but highly critical cyber risks altogether.
Avoidance might be the only alternative in a world where overconfidence in preventive controls (sometimes to the extent of arrogance) - where we believe we can handle the forthcoming ‘tsunami’ - will certainly be our downfall.
But in a world dominated by a tech cult, constantly looking to provide efficiencies to industry by means of automation and integration, this approach will most probably be slandered, and as a result the world is heading into an era of systemic chaos where prevention-only approaches will fail.