The business of cyber crime: making money off your mistakes
By Brandon Bekker, Managing Director of Mimecast Middle East and Africa
The IT security landscape is changing at a rapid pace, leaving security professionals scrambling to keep up. There is a lucrative industry for stolen private data, not to mention extortion with attacks like ransomware and so-called CEO fraud. Cyber criminals are making money hand over fist by exploiting flaws within organisations' technology and processes, says Brandon Bekker, MD of Mimecast Middle East and Africa.
CEO fraud or whaling is a highly targeted form of e-mail spear-phishing. Here, the criminal sends an e-mail that appears to be from an individual or business that you know (often the CEO or CFO), the kind of person unlikely to be challenged to identify themselves properly. By impersonating your boss, cyber criminals use e-mail to get you to send valuable data or wire funds to them.
Ransomware uses malware that prevents or limits users from accessing their systems, forcing them to pay a ransom through certain online payment methods. Only once they have done this will they be able to access their systems or get their private data back.
These types of malicious attacks exploit human frailty. The criminals know that computers don't make mistakes, people do. So, as technical defences have strengthened, they are turning to the people in front of the technology and exploiting them instead. They know that a successful attack on employees means they can effectively circumvent your traditional technical protections - a simple spear-phishing e-mail with a malicious attachment or Web link can open up your systems to further attack.
Cyber criminals know they can take advantage of the fact that employees often lack even basic cyber security awareness, making them vulnerable to well-crafted social engineering attacks like spear-phishing. So if you run a business (or its IT security), this targeted attack on your employees needs to be taken as seriously as an attack on your technology. Invest in technology and technical resources, but don't forget staff training.
Dimension Data's 2015 Global Threat Intelligence Report showed that attacks against businesses and professional services increased from 9% to 15% last year. The rise in threats such as ransomware and spear-phishing has seen cyber criminals cashing in, while businesses are left to deal with the devastation.
Cyber crime statistics posted by the South African Banking Risk Information Centre (SABRIC) reveal South Africans lose in excess of R2.2 billion to Internet fraud annually. The statistics have pegged South Africa as the most targeted country on the African continent.
So, just how much are cyber criminals making? A lot. The Cisco 2016 Annual Security Report has pointed out that attackers make around $34 million (nearly R546 million) in gross yearly income per ransomware campaign. The FBI, meanwhile, reported losses due to CEO fraud or whaling in excess of $2 billion in under two years. And these are losses recorded from just two 'emerging' attack strategies.
Keeping the bad guys out means building a human firewall around your business and its data, to match the capabilities of your IT firewall.