While the Center for Strategic & International Studies and McAfee estimated the annual cost to the global economy from cybercrime at $375 billion conservatively and $575 billion maximally as of June 2014, at least one expert stands by cost figures that are many times those numbers.
"U.S. companies and the U.S. economy lose approximately $500 billion each year to theft of trade secrets and innovation. This includes all forms of economic espionage where cybercrime plays a major factor. When you factor the 10-year life of the investment in innovation, the total value of the theft reaches $5 trillion or one-third of the U.S. GDP - each year," says T. Casey Fleming, CEO, BLACKOPS Partners Corporation, a Washington, D.C.-based Information Security Advisor to senior executives & boards of the Fortune 500, U.S. government agencies, and universities.
While the enterprise can't stop cybercrime it can become a hard target. To that end, CSO maps the cybercrime economy with its major components, incentives, and seats of power, finalizing with the means for enterprises to avoid victimization by keeping cyber goons from absconding with their digital goods.
Cybercrime entities include countries such as India, France, Sweden, North Korea, Syria, Russia, and China as well as smaller groups inside eastern-block countries. "Organized crime includes the offshoots of the Russian Business Network, who have a very clear understanding of the financial payment supply chain," says Bob West, CISO Emeritus Fifth Third Bank & Bank One, now Chief Trust Officer, CipherCloud.
Cyber spying by public and private concerns is also a piece in the cybercrime economy puzzle. "Cybercrime targets include U.S. companies in the Fortune 500 & 100, small- to medium- businesses, universities, thank tanks, and government agencies," says West.
"The hyper-connected world, the adoption of digital banking, the connection of operational technologies to the Internet, and a surge in mobility have greatly increased the attack surface available to digital criminals, which has led to a gold rush mentality in criminal fraternities," says Colin McKinty, vice president of Cyber Security Strategy, Americas, BAE Systems Applied Intelligence.
The ready availability of free cybercrime applications invites participation in the cybercrime economy by just about anyone. "This creates a services-based cybercrime economy, meaning that even those with limited personal expertise can still achieve significant results," says McKinty.
In addition to a growing attack surface and increasing numbers of free tools, the cybercrime economy thrives due to the profit motives of the thieves who grab an organization's enticing personal identifiable information and intellectual property. "Cybercrime feeds on human weakness and on weak security controls, which are the result of enterprises choosing convenience over security. There are many people in large companies who don't understand what they need to do to protect information as part of their daily routine," says West.
To safeguard data, executives and employees must first know what is most precious. Then, learn good general security habits as well as the specific measures for protecting each type of data in so far as using those measures lies within duties and responsibilities you will face in your position.
Seats of power
"Cybercrime is a multifaceted, decentralized, global phenomenon," says McKinty. Still, there are stealthy leaders behind the attacks that criminal hackers carry out.
The nefarious heads of these hacker groups include Russians in seats of power and Chinese communists inside the People's Liberation Army. Members of various criminal syndicates globally work with little or no outside guidance or prompting.
People who want to avoid muggings don't walk dark alleys alone at night in the wrong part of town. People who want to stay safe travel in groups, take extra measures (carrying pepper spray), and have a game plan, such as run, dial 911, or scream, "fire!" to attract attention and help. Enterprises must be aware of how the information highway as the world itself has changed, and not for the better. They must do the 'must dos' of cybersafety: offer the least amount of privileges necessary to any one person or entity; trust no one; and segregate networks.
"Requiring the use of a reference model that includes governance, such as the NIST Cyber Security Framework ISO 27000, is a good starting point for comprehensively protecting critical infrastructure and the data it carries," says West.
Perimeter defenses alone are insufficient. Use methods instead that locate attacks in progress based on anomalous behavior that you measure against a baseline. "Companies such as Cyveillance, FireEye, and CrowdStrike offer useful technologies," says Fleming.
Methods and tools that remove incentives are very important. "The enterprise needs to attack the economics that drive and sustain cybercrime by making it too costly in terms of resources and time for cybercrime to be profitable," says McKinty. Use risk assessments tailored and targeted to cybercrimes. Make cybercrime too expensive a proposition for attackers by using two- and three- factor authentication, long, strong passwords, and stronger (higher-bit) encryption than your competitors (so you're no longer the lowest hanging fruit). "The enterprise should also find and fix its weakest links in the security chain," says McKinty.
"The CEO must be an information security change agent," says Fleming. Reward people who discover and help to close your vulnerabilities. "Stage annual assessments by unbiased, experienced, intelligence-based outside firms," says Fleming.
Non-technical options for pushing back against cybercrime are largely limited to trade sanctions against nation-states and prosecution of bad actors within the U.S. "The FBI will prosecute any U.S. firm acting in retaliation. The answer is for companies to redefine their information security strategy from perimeter security to data-centric security," says Fleming.
Unite to fight
"In the battle against cybercrime, shared knowledge is a crucial power for slowing digital criminals down," says McKinty. No enterprise should fight armies of cyber-villains, botnets, and nation-states alone. By broadly sharing threat intelligence, tools, and techniques with the global business and law enforcement communities, enterprises plug into a much stronger force for defending their data.