Thinking ahead of the cyber criminal
Economically no one company or government can outspend the cyber criminal actors who are being disastrously successful from our perspectives [1, 2, 3, 4]
Technically thieves are after our money, they are improving the speed they can operate at in a frightening way, this is not an uncertain fact but a very real reality. Confidence trickster fraud enabled at pace by digital cyber systems on cyber security weak businesses, especially smaller suppliers but not uniquely so, is providing the keys to the door in a very real sense. By pace we mean from opportunity to fraud in hours or less. Case study after case study is now showing opportunity speed of attackers, we only have to look at the MargiCart threat group for one of many examples; BA, TicketMaster et al [5, 6]
A new approach
Applying linear approaches to supplier assessment, in supplier questionnaires chasing tick boxes annually, is not only completely ineffective in the face of the criminal innovation but we can argue negligent of the risk and akin to the ostrich with its head in the sand. Negligent and incredibly costly.
In non-linear threat we need non-linear solutions, to think radically and out the box. This will never be solved by point solutions of individual organisations, it just won’t.
Collaboration is effective, the eyes and ears of the many, the inoculation of a majority to slow the spread of a virus, Collective Defence [7] taking down botnets[8], and other such axioms of experience we know already. Not innovative but in concept and needing to be in application to cyber security, to address the pace and scale of the threat.
So to a solution set
Whilst cyber hygiene should be mandatory(the inoculation piece), ditto secure by design, these are not enough for threat actors and confidence tricksters operating at pace working the opportunity windows in applications and human failings, the mandation needs to come to collaborate, to share the knowledge of attack and defence, to close down the opportunity window, to operate mutual defence at pace, no excuses just do it.
Government intervention [9], both in legal terms and in active cyber defence in the commercial sector is, unfortunately in a free market, not only now essential but as the pain increases I’d suggest inevitable – not if but when. Our national tier 1 threat from criminal activity is as great as terrorism and intertwined [10] and costing the UK many billions but no one is estimating just how much, in 2015/16 this was at least £1.1B without accounting for consequential costs and was likely much more [11]). For everyone on the receiving end of a cyber-criminal fraud, this can’t be soon enough.
We need to act, collectively
References:
- https://www.weforum.org/centre-for-cybersecurity
- https://www.munichre.com/topics-online/en/digitalisation/cyber/cyber-attack-are-you-ready-for-an-attack.html
- https://www.nationalcrimeagency.gov.uk/news/all-news
- https://duo.com/decipher/magecart-group-refines-attacks-nabs-more-sites
- https://www.itpro.co.uk/security/32434/did-british-airways-accidentally-break-its-own-security
- https://www.nato.int/cps/en/natohq/topics_110496.htm
- https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation
- https://www.theyworkforyou.com/lords/?id=2018-10-18b.568.1
- https://researchbriefings.parliament.uk/ResearchBriefing/Summary/LLN-2018-0102#fullreport
- https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/732110/the-economic-and-social-costs-of-crime-horr99.pdf
