The Cyber Risk Handbook: Creating and Measuring Effective Cybersecurity Capabilities

Book Preface

If cybercrime were compared to other global criminal enterprises, it would rank fourth out of five high-impact crimes in terms of the cost as a percentage of the global gross domestic product (GDP). Only transnational crime (1.2 percent), narcotics (0.9 percent), and counterfeiting/piracy (0.89 percent) rank higher in terms of financial impact. Cybercrime, however, is pushing toward the top, representing 0.8 percent of the global GDP, according to a 2014 study conducted by the Center for Strategic and International Studies. While many may not be aware of the worldwide cost of cybercrime, enterprises everywhere are certainly feeling the consequences of intrusions and compromise. It is hitting the bottom line in corporate financial statements.

Cybercrime is also gaining the attention of legislators, regulators, and boards as reports of intrusions and their consequences are released on a daily basis. Everyone is becoming alarmingly aware of cybercrime, as it is constantly in the news. Cybercrime is also very personal because each of us have probably had the experience of receiving notifications that our financial and other personal information may have been compromised in an attack. The incidence of cybercrime is eroding public trust as well.

The Global Cyber Crisis

We are in what can best be described as a global cyber crisis, and the future does not look promising. The June 2014 Center for Strategic and International Studies report estimated that the global impact of cybercrime was between $375 and $575 billion. As cyber incidents are frequently undetected and infrequently reported, it is difficult to arrive at a more accurate understanding of the extent of cybercrime. The Center’s best estimate is $445 billion, given that the four largest economies, the United States, China, Japan, and Germany collectively account for at least $200 billion of this amount.

Despite the lack of details on the extent of cybercrime, we know that it is having a significant negative impact on business and that instead of slowing, cyber attacks are escalating at what could be considered an alarming rate. Even without verified and complete numbers, we calculate that the Internet economy generates between $3 and $5 trillion dollars globally and that cybercrime extracts between 15 percent and 20 percent of this value. The Center for Strategic and International Studies commented that cybercrime is a rapidly growing industry because of the high potential rate of return on investment and the low risk of detection and prosecution. Many legitimate enterprises would love to have the same economic opportunity that cybercriminals currently enjoy.

The April 2016 Internet Security Threat Report produced by Symantec highlights the extent of the cyber crisis. According to their analysis, 430 million new and unique pieces of malware were discovered in 2015. This represents an increase of 36 percent from the prior year. While this is a huge number, we know that malware does not go out of style in the underground cybercrime community. Attack tools and malicious code that were produced over the past several years are still commonly used and remain very effective.

It is impossible to know the full extent of the library of malicious code that is either currently in use or available to hackers. The result, however, is that one-half billion personal records were either lost or stolen in 2015. This comes as the result of the known 1 million attacks that were launched against individuals each and every day in 2015. The state of cybersecurity can best be described as “hackers gone wild.” There seems to be no system that cannot be compromised and no information that is safe.

While the daily impact of cybercrime is alarming, the most significant impact cybercriminals can have is on emerging technologies and business activities. The history of cybercrime demonstrates that as technology advances, so, too, do attacks against systems and the resulting damage that attacks bring. We are in an early stage of global transformation where the combined impact of cloud computing, mobile technologies, big data, analytics, robotics, and the interconnected world of smart devices has the potential to change everything. We have seen demonstrations where self-driving cars can be compromised and hackers can access avionics systems in flight. We know that devices such as insulin pumps and pacemakers are vulnerable. How can we expect that advanced technology applications are safe when technologies that we have relied on and are business critical are not secure? The Symantec 2016 Internet Security Threat Report found that 78 percent of scanned web sites were vulnerable and that 15 percent had critical security flaws. The report also identified that zero day vulnerabilities increased by 125 percent between 2014 and 2015. If a technology with which we have long-term experience, such as web site deployments, is so ill protected from even traditional attack mechanisms, how prepared can we expect to be from zero day attacks and the even more insidious advanced persistent threats?

ISACA research recognizes that enterprises are more aware of the risk of advanced persistent threats (APTs) and are taking action to better manage this risk. Sixty-seven percent of respondents to the 2015 Advanced Persistent Threat Awareness survey were familiar or very familiar with APTs. Unfortunately, many organizations are relying on traditional defense and detection mechanisms, which may only be minimally effective against persistent threats. While Web intrusions resulting from configuration or other security lapses are possible and APTs are likely, there is a growing trend to attack mobile devices. The Symantec Threat Report indicated a 214 percent increase in mobile vulnerabilities in 2015.

While we see greater recognition of the cyber problem and its impact on business, this does not equate to implementing cyber defense better. What is needed is a rethinking of how information and cybersecurity are governed, managed, and implemented. What is needed is a more holistic, businessfocused approach to cybersecurity, and recognition that cybersecurity is a business issue and not just a technical problem.