Companies need to look for ways to go on the offensive against ‘industrialised’ cyber-criminals, finds a report from BT and KPMG
Businesses must be prepared to go on the offensive in order to combat increasingly sophisticated and well-organised computer criminals, according to a new study.
The report, co-authored by BT and KPMG, found that computer-criminals are increasingly forming organisations akin to businesses, with human resources operations and substantial budgets for research and development, calling for a better coordinated response.
In one case, computer criminals were able to hijack senior executives’ email accounts and send false correspondence, scamming an unnamed company into paying $18.5 million (£13.9m) to illicit accounts in the Asia-Pacific region.
“One major challenge identified by the report is the funding and scale of R&D spending that the criminals can bring to bear on breaching the defences of target companies,” said the report.
BT and KPMG found that 60 percent of the companies they studied had a computer security budget financed by their central IT budget, while half thought it should come from a separate security budget.
It was also discovered that companies are beginning to place more of an emphasis on security, with 26 percent having appointed a chief digital risk officer, but they said the trend is still at an early stage. In the reports view, there needs to be shift from seeing security as a “defence exercise” to recognising it as the factor that enables digital innovation and ultimately drives profit,
“The industry is now in an arms race with professional criminal gangs and state entities with sophisticated tradecraft,” stated Mark Hughes, chief executive of security at BT. “The twenty-first century cyber criminal is a ruthless and efficient entrepreneur, supported by a highly developed and rapidly evolving black market.”
He added that companies need to work more closely with law enforcement organisations, while also looking into ways they can disrupt the criminal organisations behind the attacks.
“You need to think about credible attack scenarios against your business and consider how cyber security, fraud control, and business resilience work together to prepare for, and deal with those threats,” stated Paul Taylor, UK head of cyber security at KPMG. “If that’s done, then cyber security can become a mainstream corporate strategy as a vital component of doing business in the digital world.”
The report found that while 97 percent of those surveyed had experienced an attack on their computer systems, and 94 percent were aware that criminals were using blackmail and bribes to gain access to organisations, 47 percent said they don’t have a strategy in place to counter such threats and only one-fifth said they were fully prepared for hacking attacks.
The vast majority (91 percent) said they were constrained from defending themselves by factors including regulation and the lack of graduates with the right skills.