Welcome to the layer cake
Corporate IT security is living in the past. Here's the screaming reality.
The title of the gangster movie, “Layer Cake”, refers to the pecking order of villains. The most organised are the cream on top.
Mark Eardley is channel manager at SuperVision Biometric Systems.
Increasingly, organised villains are becoming cyber villains. According to criminologist Dr Michael McGuire, of the London Metropolitan University, established, organised villains may commit at least 80% of all cyber crime. It's a help-yourself bonanza for the guys at the top.
Dr McGuire conducted research for a recent report called 'Organised Crime in the Digital Age'. It suggests that everybody should discard “our assumptions and stereotypes not only of who the digital offenders are and how they are organised, but what they are prepared to do and where they will find their victims”.
Organised villains? What else could explain, for example, a 10-year-old botnet called Coreflood? This Trojan horse opened a backdoor on over 2.33 million computers, acting as a keylogger to gather user information in order to steal from bank accounts and payment cards. Nobody knows how much it earned the villains, but security vendor McAfee thinks $100 million is feasible.
Is $100 million a lot of money? I suppose it's all relative. Painted by the Norwegian artist, Edvard Munch, The Scream sold earlier this month for $119.9 million -- a world-record price for an artwork at auction. Back in 1895, Munch described his painting's imagery as due to him sensing “an infinite scream passing through nature”.
I mention this because it seems much of the corporate world has yet to hear the scream of cyber crime. In what is probably the world's largest policing operation against cyber crime, the US Department of Justice and the FBI announced in a joint press statement that civil action had been taken in April 2011 to disable the Coreflood botnet. In addition to targeting 13 'foreign nationals', the operation seized five command and control computer servers in the US and 29 Internet domain names. Organised villains? Pretty much.
Layers of corporate cyber crime
Because so many corporate activities are IT-based, the damage caused by cyber crime extends into virtually all areas of an organisation and it comes in many shapes and sizes.
Probably the most frequently publicised cyber crime is the theft of mass customer data, which typically targets information that can be used in payment-card fraud or to steal from other people's bank accounts. Coreflood is just one example of similar botnets, such as 'Mariposa', which monitored over eight million computers for passwords, bank credentials and credit card info.
But these spray-and-pray botnets have nothing to do with targeted attacks against a specific set of customer details, such as the 2011 cyber theft from Sony of around 100 million PSN customer records, or the theft a few months later of over 360 000 sets of customers' payment card data from the US bank, Citigroup.
Next on the high-profile list in the mainstream media comes EFT fraud by corporate insiders. Typically, Jack uses Jill's password to process fraudulent payments. The recent R42 million cyber theft from Postbank rings those particular bells. It's also worth considering that in another part of a victim company, Jill can use Jack's password to alter payroll details and to modify delivery notes, purchase orders, invoices and credit notes.
But well-publicised cyber crimes are not necessarily the ones that cause the highest losses. Although there's less news about it, the cyber theft of corporate secrets is clearly widespread, and has the potential to be far more damaging.
Such thefts strike at a company's competitive advantage since they result in the loss of information such as strategic plans, forecasts and financials, R&D, deal negotiations, pricing structures, legal actions, production processes, and mergers and acquisitions.
This upper layer of cyber crime threatens the foundations on which a company is built. Losing information on how a product is made is far worse than losing records on who buys it.
Layers of cyber crime losses
Although South African corporates may not be able to quantify their cyber crime losses, they certainly do know what gets spent on preventing them. According to the SA “IT Security Market Sizing and Forecast 2006 - 2011” report from BMI-TechKnowledge, the South African IT security market for hardware, software and services was expected to grow to an estimated value of R6 574 million by 2011.
Perhaps more than any other figure, this layer of expenditure on security systems clearly indicates the presence of cyber crime and the cost simply to counter it - and it does not include the recurring, direct costs of all the employees and consultants who manage these multimillion-rand systems.
But what about the less obvious layers of cost that contribute to the accumulated expenditure that can be directly attributed to actual corporate cyber crimes?
The quantifiable costs incurred as a consequence of containing and investigating a specific cyber crime are compounded by the cost of implementing measures intended to prevent its recurrence.
And there are still even more layers of loss. These include the loss of productivity and sales revenue; expenditure on legal costs and regulatory penalties; the costs of mobilising a public relations response; and the consequent losses caused by an overall loss of stakeholder confidence.
It's an almost never-ending tale of cyber crime loss, loss, loss...
In the opening line of “Layer Cake”, the hero says: “When I was born, the world was a far simpler place. It was all just cops and robbers.” He's reminiscing about the days of good old-fashioned villains wearing balaclavas, carrying sawn-offs and robbing banks.
But the world turns and things change. Welcome to the layer cake. And listen to its scream.
* Mark Eardley will speak about the evolution of corporate cyber crime and the challenges it presents, at the ITWeb Security Summit.
Mark Eardley has worked in the South African biometrics industry since 2006. He has directed the marketing for a local biometric brand and is currently responsible for business development at SuperVision Biometric Systems, South Africa's oldest biometric specialist.