A Secure Business?
Each year, cybercriminals cause hundreds of millions of dollars in losses. In most cases, the attackers are engaging in industrial espionage. Online security is one of the fastest growing markets in the IT sector.
It was one of the largest data thefts in history. Hackers penetrated the servers of internet company Yahoo! and stole the information of at least 500 million customers: encrypted passwords, email addresses and personal information such as dates of birth and phone numbers. The hackers also gained access to millions of user accounts and used the stolen information to send spam and steal credit and gift card information.
The Silicon Valley company only publicized the attack, which occurred at the end of 2014, in September 2016. It did not provide details because the FBI was investigating the incident. This spring, the US Department of Justice revealed a diplomatic bombshell: It announced charges in the Yahoo! case against four people – including two employees of the FSB, Russia's spy service, which the Department of Justice alleged had directed a comprehensive "criminal conspiracy." The complaint charges that the stolen information was used to spy on employees of foreign governments, executives at banks and other organizations, and journalists.
In an increasingly digital and interconnected world, the risk of cyberattacks is on the rise. According to the Identity Theft Resource Center, a nonprofit organization, 2016 was a record-breaking year: In the US alone, there were official reports of 1093 data breaches – more than twice as many as just five years ago (see chart). According to security analysis company Risk Based Security, billions of records were stolen during these breaches.
Everyone Is a Target
The economic damage caused by cybercrime and the cybertheft of intellectual property is enormous. The Center for Strategic and International Studies, a non-partisan think tank in Washington, puts the figure at 450 to 600 billion US dollars annually. The financial and emotional damage that ever more people suffer because they have been hacked and lost their privacy is incalculable.
Digital attacks target everyone and everything: from individuals, their computers, mobile phones, networked homes and cars, to organizations and companies, as well as crucial infrastructure and governments. According to various surveys, most attacks are aimed at money and industrial espionage.
Powerful cyberespionage organizations, which are not infrequently backed by governments, attack other governments, military installations, infrastructure and companies worldwide. Valuable economic, research and development expertise is stolen. Hackers even managed to crack the computer systems of the EU Commission and the central bank of Bangladesh – from which they stole more than 80 million dollars.
Security Is Good and Expensive
The fast-rising number of targets as a result of increasing networking has led to a boom for providers of cybersecurity. "Security is one of the fastest growing markets in the IT sector, and it will continue to grow," says Michael Diamond, an analyst at market researcher NPD. Corporate spending on cybersecurity is growing twice as fast as overall IT spending and will amount to more than 100 billion dollars by 2020, predicts US market research company IDC.
Most of the money spent by companies and governments goes toward security services, especially managed security services. With managed security services, an external service provider assumes responsibility for protecting and monitoring a company's entire IT infrastructure.
The second largest area is security software, which mainly involves investments in the security of end devices and identity and access management.
The third largest area is security hardware, which primarily profits from the purchase of "unified threat management systems." These are devices that combine various tasks, such as firewalls, VPN gateways, virus and spam protection, authentication and a system for detecting attacks, in a single platform.
It is not surprising that cybersecurity is now one of the most popular areas of activity for venture capitalists in Silicon Valley. They invested 3.1 billion dollars in 279 cybersecurity startups last year, according to CB Insights, a market research company. This is four times as much as in 2010.
The Risks Posed by Baby Monitors
The Internet of Things poses a particularly high risk. The majority of IoT devices – from web cameras to baby monitors to televisions – are sold without extensive security features. This makes it easy for attackers to hack them without the knowledge of their owners and turn them into a centrally controlled network made up of millions of devices. Hackers use these so-called botnets – groups of computers that have been infected with malware – to attack and paralyze their victims' servers.
The most prominent botnet attack to date occurred last October. The websites of internet giants such as Amazon, Netflix, PayPal and dozens of other popular companies, including Airbnb, The New York Times and Twitter, were unavailable for hours following a botnet attack that paralyzed the servers of one of the network service providers used by these companies. Experts believe that the attack was used to test a cyberweapon.
Attackers Are Gearing Up As Well
Despite the enormous range of products and services to protect data, systems, infrastructure, accounts and privacy, the internet is not necessarily more secure. While the number of security products and services is growing, the attackers are constantly developing new techniques as well. Not only is the arsenal available to cyberattackers becoming more sophisticated, but it is also easier than ever to obtain the weapons for all sorts of attacks. Cybergangs buy tools, information, services and advice on the darknet, a section of the internet popular with criminals that can only be accessed with special software.
This shadowy area of the internet is also used to offer pilfered information for sale. For example, the login credentials for 70,000 accounts were stolen from hacked servers and offered for sale in a Russian-language underground marketplace last year. It was possible to buy the access details to the government network of an EU member state for just six US dollars.
Despite spending enormous sums of money on cyberdefense, many companies and authorities are not sufficiently prepared for cyberattacks and give too little priority to the battle against cybercrime. In a 2016 study commissioned by Nasdaq and US security company Tanium, more than 90 percent of managers surveyed admitted that they were incapable of understanding a security report. Furthermore, they said that their company was not prepared for a major attack. And this despite the fact that nine out of ten companies have been the target of a major cyberattack over the past five years.
The consequences of an attack can be significant. One-third of companies that experienced a data breach in 2016 reported a drop in sales, clients and business opportunities of at least 20 percent. This figure was reported in the latest Annual Cybersecurity Report published by network equipment provider Cisco.
Ninety-five percent of all successful attacks against companies can be traced back to human error, according to research. Some of the most common errors include sending emails with sensitive documents to the wrong recipients and opening emails infected with malware. Company IT departments setting up common user names and passwords also ranks near the top of the list. Spending vast sums on cybersecurity is of little use against such actions. For this reason, the National Cyber Security Alliance, an association of US IT companies and the US Department of Homeland Security, urgently advises more employee training: "The best security technology in the world won't help if employees do not understand their role and responsibility in protecting sensitive data and corporate resources."