Cybercrime is headline news. Open any news site, and you’re almost guaranteed to read a story about the latest hack or scam.
Unfortunately, the coverage is overwhelmingly bad news. While stories of financial losses and data breaches at the hands of ruthless hackers are commonplace, it’s incredibly rare to see any news about a win against the tide of cybercrime. When was the last time you saw a report about a cybercriminal being convicted or sentenced for their crimes?
More commonly, commentators in the news bemoan the lack of legislation to deter or prosecute malicious hackers, or the inability of courts and legal processes to apply legislation in a timely manner. Politicians routinely issue statements and policy briefings on the topic, and several years on, an incremental outcome may emerge - if we are lucky.
It’s true that businesses that implement a good information security strategy can reduce the risk of internal and external threats. But we must consider what these businesses are up against when it comes to the threat landscape.
Digital criminals are highly organised, with significant agility. Like natural predators, they tend to target organisations of suitable size or niche value (e.g. specific kinds of services or data) that will give them the best reward to feast on. They are faster and smarter than the laws that are supposed to deter them, and often work beyond the jurisdiction of their victims, rendering any legal or policing action essentially non-existent.
So, what should business leaders do to keep their systems and data safe and secure? While individual organisations can erect substantive defences as forms of “walled gardens” against risks, unless you completely close your operations off from the world, cybercriminals will continue to evolve their methods until they can find a way in. That’s why, in this interconnected digital world, it’s almost impossible to grow and compete as a business without entertaining some degree of risk.
The reality is that we can’t fight digital crime in the traditional way. There is strong evidence that traditional approaches have not worked. According to some analysts, by 2025 the proceeds of digital crime will be the third largest global economic force after those of the US and China, exceeding USD$10.5 trillion.
We need new or substantially different mechanisms – but achieving new deterrent factors against digital crimes is not going to be easy.
I envisage two potential futures – one where businesses only operate within that “walled garden” environment with strong defences – but at the expense of innovation, agility and growth.
The other is where governments and organisations, both public and private, work together to evolve new deterrents to digital crime. Perhaps this looks like new forms of inter-jurisdictional investigation and cooperation; or maybe greater transparency or stringency on cross-border money transfers. Certainly, there needs to be some alternative to traditional digital law enforcement.
Whichever future emerges, one thing is clear: standing still means the probability of being a victim of digital crime approaches 100%.
This blog is an abridged version of a research article on the Aura Information Security research blog.