CYBERCRIME TRENDS FOR 2014 and Reporting Cybercrime: The Case for Social Engineering.
We at the Saturn Partners bring you the latest updates in cyber security related crime for 2014. It is hard to believe we are already past the midpoint of the year, but cyber crime never sleeps: organizations must stay vigilant against new methods of attack, theft and compromise of systems and data, whether the threat comes from inside or outside.
Carnegie Mellon University recently published a compilation of cybercrime statistics illustrating where things stand in 2014 for the typical enterprise network. The results were compiled from over 500 participants who had experienced an inside or outside attack, and showed the following:
The enterprises surveyed broke down by size as follows: twenty-eight percent had more than 5,000 employees and forty-three percent had fewer than 500. While the percentage of INSIDER attacks reported by this group was down from 2013, thirty-two percent reported that insider attacks caused more damage than outsider attacks.
The insider damage reported fell into the following categories (the figures overlap, since one incident can involve more than one): 82% private or sensitive information unintentionally exposed; 76% confidential records compromised or stolen; 71% customer records compromised or stolen; and 63% employee records compromised or stolen.
Of the electronic crime events reported, 28% were attributed to insiders and 72% to outsiders. Interestingly, asked which were more costly and damaging overall, respondents split 54% to 46% in favor of outside attacks.
What does this all mean? To us, it means that a solid social engineering testing program, using email, onsite visits and the other means in our arsenal, and refreshed at least once or twice a year, can reduce both the number of incidents and the costs of pursuing prosecution. Integrated with an organization's overall security program, social engineering testing directly addresses this sometimes touchy area of cybercrime, especially when it comes to prosecution. Read on:
The Carnegie Mellon study listed the ways the sample organizations handled insider intrusions. Four methods were examined, with the percentage of organizations using each:
- Internally (without legal action or law enforcement): 75%
- Externally (with legal action): 10%
- Externally (notifying law enforcement): 12%
- Externally (filing a civil action): 3%
Why weren't more of these incidents referred for legal action?
The reasons are listed below from the greatest percentage in 2014 to the smallest (respondents could give more than one reason, so the figures do not sum to 100%):
- Could not identify the individual/individuals responsible for committing the eCrime: 37%
- Lack of evidence/not enough information to prosecute: 36%
- Damage level insufficient to warrant prosecution: 34%
- Don’t Know: 21%
- Concerns about negative publicity: 12%
- Concerns about liability: 8%
- Prior negative response from law enforcement: 8%
- Other: 8%
- Concerns that competitors would use incident to their advantage: 7%
- Unaware that we could report these crimes: 6%
- Law Enforcement suggested incident was national security related: 3%
What this data suggests to us is that there is still a large gap between how upper management of the organizations sampled perceives insider (and outsider) threats and the methods actually needed to track, monitor, capture and collect evidence about them: the two most common reasons for not prosecuting, an unidentified perpetrator and insufficient evidence, are both evidence-collection failures. And inside theft and compromise is expensive. It ranges from employees stealing proprietary secrets, formulas and other competitive information to employees, intentionally or unintentionally, giving inside access or information to would-be intruders who are not employees.
Just as important as training employees to spot and report intrusions is testing them, both knowingly (questionnaires on accepted security measures) and unknowingly (onsite and email social engineering exercises conducted by an outside third-party network security practitioner), to evaluate the strength of your overall security program.
Remember, it isn't enough to prepare only your outside perimeter, either, or to rely on tools and static procedures instead of security measures that are constantly updated and practiced hands on. That work should be done not only by your IT management but also by outside third-party experts who are not involved in sometimes delicate insider politics and can render an expert and wholly neutral opinion.
Security is a process and not a product. With the ever-growing threat of cyber crime from both internal and external sources, it is no longer a question of whether to make social engineering testing part of your overall security plan, but of how best to tailor such a program to help mitigate risks from BOTH inside and outside intrusions.
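As an added illustration (example code written for this page, not a Saturn Partners tool or anything from the Carnegie Mellon study), here is the measurement side of an email social engineering test: each recipient's link carries a unique token derived with HMAC-SHA256 from a campaign secret, and the landing page's web log is scanned for those tokens to produce per-department click rates. Unique, unguessable tokens matter because of the two top reasons listed above for not pursuing a case (perpetrator not identified, not enough evidence): with them, every click is attributable to exactly one individual and backed by a log line. All addresses, departments, the URL, the campaign secret and the log lines below are constructed for the example.

```python
"""Measurement side of a phishing-simulation test (added example, not the
page's own code). Names, departments, URL, secret and log lines are
constructed for illustration."""

import hmac
import hashlib
import re
from collections import Counter

# Hypothetical campaign secret. In a real test generate it randomly and keep it
# with the test provider; it never appears in the mail template.
CAMPAIGN_SECRET = b"campaign-2014-h2-secret"

# Constructed recipient roster: address -> department.
RECIPIENTS = {
    "alice@example.com": "finance",
    "bob@example.com": "finance",
    "carol@example.com": "engineering",
    "dave@example.com": "hr",
}


def token_for(email, secret=CAMPAIGN_SECRET):
    """Per-recipient token: HMAC-SHA256 over the lower-cased address, truncated
    to 16 hex characters. It cannot be guessed or forged from the address
    alone, so a hit in the log identifies one person."""
    return hmac.new(secret, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def tracking_url(email, base="https://training.example.com/t/"):
    """Link placed in the test email for this recipient (hypothetical host)."""
    return base + token_for(email)


# Matches the token path of the landing page in a common-log-format request.
LOG_LINE = re.compile(r'GET /t/([0-9a-f]{16})\b')


def parse_clicks(log_lines, recipients=RECIPIENTS, secret=CAMPAIGN_SECRET):
    """Map tokens seen in the landing-page log back to recipients.
    Returns (set of addresses that clicked, count of unknown tokens).
    Unknown tokens (typos, scanners, forged links) are counted, not attributed."""
    lookup = {token_for(e, secret): e for e in recipients}
    clicked, unknown = set(), 0
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        email = lookup.get(m.group(1))
        if email is None:
            unknown += 1
        else:
            clicked.add(email)  # repeat clicks by one person count once
    return clicked, unknown


def report(clicked, recipients=RECIPIENTS):
    """Per-department (clicked, sent, percent) plus a 'total' row."""
    sent = Counter(recipients.values())
    hit = Counter(recipients[e] for e in clicked)
    rows = {d: (hit[d], sent[d], round(100.0 * hit[d] / sent[d], 1)) for d in sent}
    total = len(clicked)
    rows["total"] = (total, len(recipients), round(100.0 * total / len(recipients), 1))
    return rows


# Constructed sample log lines: two distinct clicks, one repeat click by the
# same person, one unknown token, one unrelated request.
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Jul/2014:09:12:01 -0500] "GET /t/{token_for("alice@example.com")} HTTP/1.1" 200 512',
    f'10.0.0.9 - - [01/Jul/2014:09:15:44 -0500] "GET /t/{token_for("dave@example.com")} HTTP/1.1" 200 512',
    f'10.0.0.5 - - [01/Jul/2014:09:16:10 -0500] "GET /t/{token_for("alice@example.com")} HTTP/1.1" 200 512',
    '10.0.0.77 - - [01/Jul/2014:09:20:00 -0500] "GET /t/0123456789abcdef HTTP/1.1" 404 0',
    '10.0.0.3 - - [01/Jul/2014:09:21:30 -0500] "GET /favicon.ico HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    clicked, unknown = parse_clicks(SAMPLE_LOG)
    for dept, (h, s, pct) in report(clicked).items():
        print(f"{dept:12} {h}/{s} clicked ({pct}%)")
    print("unknown tokens:", unknown)
```

Run as a script it prints the department breakdown for the constructed log (finance 1 of 2, hr 1 of 1, engineering 0 of 1, 2 of 4 overall, one unknown token). The script only measures; what the test email says, who approves it, and how results are fed back to employees without naming and shaming are the parts of the program that need the outside practitioner and management agreement discussed above.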
Note: Please see our Social Engineering page for more information on this topic at www.saturnpartners.com.