In macro terms, the economic impact of cybercrime is heavy, from the direct costs of an attack and of recovering from it, to indirect costs such as inhibited innovation and employment growth, loss of custom due to loss of trust, and so on. The Centre of Strategic and International Studies (CSIS) estimated that the cost of cybercrime to business totaled $400 billion worldwide. Countries themselves can be victims - or perpetrators - of cybercrime, a risk that's only likely to grow as our digital sophistication grows.
On a micro level, our personal accounts and identities are at risk online. Cynics will tell you that if you want to stay safe, keep your home computer off the information grid and stay off the Internet completely. Phishing emails target home addresses as well as business ones, and realistic-looking spoofing can gather your personal information under the guise of a legitimate transaction. Downloading software, and increasingly apps for your mobile device, can bring malware with or in place of the software you thought you were getting.
From organizations to individuals, steps can be taken to make our cyber world safer. Sometimes these steps can feel burdensome or unnecessary, but understanding the risks can make undertaking a personal or organizational security plan feel much more worthwhile.
Should governments be worried about cyber attacks from other countries? The risks on a national level, at this point, are unknown in terms of probability, but the nature of what is at stake makes government systems high-risk. Cyber espionage can be carried out, and sensitive information sold or released. The trusted countries of today could be adversaries tomorrow. And even for lesser cybercriminals the government databases hold a massive amount of useful information.
Information and intellectual property are the stock in trade of the developed world, and they are also what is most vulnerable. The richer the economy, of course, the more a country and its economic entities are at risk of cyber attack. The U.S., Japan, Britain and South Korea have been identified as some of the biggest and likeliest targets. For developed countries, cybercrime has had a negative impact, causing restrictions on hiring in sensitive positions, and overall causing a shifting of employment away from valuable jobs for security reasons.
In 2014, Sony, Home Depot, the City of New York, and Target were among the victims of a number of high-profile security breaches. Late in 2014 a German steel mill suffered "massive damage" as a result of a cyber-attack. Hackers used a spoofed email to get users to open an attachment containing malware, which deployed itself in the mill's systems and gave the attackers access to the full system. There they wreaked havoc, harming the production system so badly that a blast furnace could not be shut down, causing enormous harm.
And that highlights another problem: employees, whose careless or malicious behavior is the greatest security risk of all. Malicious activity by people who have legitimate access, carelessness about passwords, email attachments, company equipment, and use of their own equipment, all present openings for hackers and social engineers to launch an attack on an organization.
Even a small business can be a target - and this happens more and more frequently, as hackers find that these businesses, even handling credit cards as they do, have not implemented basic security to protect their information.
Cybercrime can include:
The problem for businesses, governments, and even for individuals' budgets, is justifying the cost before a problem occurs. Business is cost-and-profit-driven, and security is clearly on the cost side. Moreover, many senior managers are only vaguely aware of how digital their own business has become; they were hired in pen-and-paper days, and despite knowing better in theory, that is how they still expect the company to be run. That is why C-suite managers are often successful social engineering targets.
However, the more cybercrime occurs, the more urgent secure practices and infrastructure become, even at budget time. There are things that can be done, from the macro organizational level to the micro single-user level, to help everyone be more security-aware and compliant.
Prevention for Organizations:
Prevention for Everyone:
Areas for extra awareness
Email is a risky way to send personal information. Don't use it for credit card numbers, bank accounts, or other information that can make you vulnerable to fraud or identity theft.
Don't fall for phishing emails. Phishing is a scam where an email appears to be legitimate - say, from your bank, telling you to go to a website and verify some information. The website is spoofed, however, and information entered there is collected by identity thieves or other criminals. Some phishing emails are clever and well-designed, but many are easy to spot, containing spelling errors or bad grammar.
- Mobile awareness
Don't skip over permissions when you're installing apps - read them. Many apps require long lists of permissions and are perfectly legitimate, but it's good to know who has access to what - and to ensure that if you are permitting an exchange of information, you trust the source. Phone apps can access your contacts, your location, and your camera, giving the criminally-inclined access to a lot of your life.
Trust the app publisher. Not only must you trust the publisher, but you must also make sure the publisher of the software that you download matches the one you expect. Using legitimate software to install malware on your phone is one of the greatest vulnerabilities of your mobile device.
Set policies. Employers who allow employees to bring their own devices to work should require them to install anti-virus software and implement any other available safety measures.
Security is mainly in your hands, whether you are a user, a service provider, or an information services chief. There are many steps that can be taken on an organizational and an individual level that lessen the threat inherent in simply being connected to the Internet. Most of these are within the reach of companies and individuals with little effort, and prevention, as has been proven time and time again, is better than recovery.