Defending Against Cybercrime
The topic of cybercrime is daunting, but the very first step to defend your organization is to know what level of risk you are operating at, both technologically and programmatically.
Organized crime can be defined as simply as a group of individuals working together to make a profit through illegal and/or disruptive methods. It can be traced all the way back to the street gangs of the 1800s like the Forty Thieves or the Dead Rabbits, or even the Peaky Blinders, an urban street gang based in Birmingham, England. When you think of organized crime, you probably visualize mobsters, organized crime gangs or even famous names like Al "Scarface" Capone, Bonnie Parker and Clyde Barrow (aka Bonnie and Clyde), Japan's Yakuza or Russia's Solntsevskaya Bratva.
In terms of cybergangs, famous names include the Cobalt Cybercrime Gang, which is suspected of striking banks in more than 40 countries and costing organizations billions in damages. We know that the financial community has always been a prime target in every theater around the globe, and the types of attacks on the financial sector are very broad. One example: a stunning 38 percent of surveyed financial institutions experienced an increase in island hopping, an attack in which an organization's information supply chain (its vendors, partners and service providers) is enlisted to attack the institution from within. This represents a 13 percent increase over 2020. Cybercrime cartels have studied the interdependencies of financial institutions and now understand their key attributes.
You might have also heard about the Lazarus Group, which many believe has strong links to North Korea. The FBI has stated in the past that the Lazarus Group is a North Korean "state-sponsored hacking organization." According to the FS-ISAC, nation-states and cybercriminals could very well be leveraging each other's tools, techniques and methods, leading to an increase in attacks targeting financial services and its suppliers.
Then there is REvil, which operates on a ransomware-as-a-service model: REvil recruits affiliates to distribute the ransomware on its behalf, and as part of this arrangement the affiliates and the ransomware developers typically split the revenue generated from ransom payments. REvil is widely thought to be based in Russia, one piece of evidence being that it avoids targeting Russian organizations. In general, and according to a report by Chainalysis, the total amount paid by ransomware victims increased by 336 percent in 2020, to reach nearly $370 million worth of cryptocurrency.
According to cybersecurityventures.com, cybercrime will cost the world an astonishing $10.5 trillion annually by 2025. What is even more disturbing is that 78 percent of organizations lack confidence in their security posture.
The bottom line is that every organization's management team has a duty to control risk. As digital and security transformation has become an increasingly important enabler, it has become imperative to apply the discipline of risk management to the organization as a whole. A risk-based approach to management leads to greater accountability and a better change management environment. Moreover, beyond its core purpose of assessing risk, risk management demonstrates an organization's serious effort toward compliance and/or industry best practice.
Business impact and risk analysis are used as the foundations for understanding operational vulnerabilities, as well as the platforms from which to explore risk mitigation and contingency-planning activities. Risk management should be applied to all parts of the enterprise’s operations and should be coordinated through an operational risk management committee. These processes must be built on a foundation of cultural and process change to explicitly identify and manage operational risks.
To compete successfully in today’s global, interconnected business environment, organizations must continuously reevaluate their product, software and service offerings, as well as the mechanisms to deliver real business value to customers, partners and suppliers. In addition, organizations must constantly reassess their overall business risk appetite and tolerance to ensure conformance with various standards, regulations, frameworks and global data protection laws.
Given the challenges of operating in today's business environment, such as competitive markets, electronically enabled global network businesses, corporate governance reform and rigorous security and privacy mandates, risk management and governance have become a critical, fundamental business imperative. Businesses are moving to a more mature position in which risk management is integrated into the DNA of the organization. Risk management is a C-suite priority because it is one of the single most important determinants of business value realization. Risk management is the system by which an organization's portfolio of risks is directed and controlled. It accomplishes the following goals:
- Identification of threats (IT threats, business threats, internal and external threats) to an organization.
- Identification and justification of risk controls for possible threats and vulnerabilities.
- Development and institutionalization of rules and procedures for making and monitoring decisions on strategic concerns, specifically, internal and external threats to businesses.
The benefits of performing this function are as follows:
- Improved confidence in operational and financial integrity. The focus is to allow management to understand and deal with events that can create uncertainty in the organization’s operational and financial performance. Enterprise risk management allows your management team to quantify and justify risk decisions to support accurate response and decision making.
- Maintaining accurate and timely information. Risk management provides mechanisms to measure and respond to negative impacts and seize opportunities for growth and competitive edge. This is accomplished by providing consistency in measurement, terminology and communication.
- Maintaining a holistic measurement of risk throughout the organization. Risk is measured not only at the system project level, but at the business process and business unit levels, as well as from an organization-wide perspective.
- Staying on course. Enterprise risk management is focused on making sure an organization meets and exceeds its goals and runs according to plan. Understanding risk improves confidence and strategic advantage and keeps organizations from being caught off guard.
- Lower cost. The unexpected is costly; identifying risk and implementing appropriate controls allows an organization to control unwanted costs. Furthermore, successful risk management improves an organization's ratings and the public perception of its efficiency because the organization is prepared rather than caught off guard. It also lets business stakeholders understand security in terminology they already use, which in turn makes it possible to justify and defend security budgets and resources.
A thorough understanding and a holistic picture of effective enterprise risk management practices are necessary to ensure that businesses not only maintain but sustain their strategic advantage. Therefore, we can work with your teams to employ a balanced approach in ensuring that an organization’s line of business is competing for today and competing for tomorrow.
To satisfy an organization’s requirements, WWT can provide three distinct but complementary consulting services.
Step 1: Organization assessment and establishing the business context
- Capture relevant information about the organization’s appetite and tolerance for risk, goals, objectives, line of business, assets, applicable or required regulations, standards, frameworks and likely threats to assets.
- Identify likely risks.
- Analyze these risks to determine what is driving them, how great their impact might be and how likely they are.
Step 2: Develop and implement a risk program
- Develop the risk management program, specifically, a threat matrix module to weigh the varied risks to the organization’s line of business.
- Prioritize and map the risks so that the organization can choose those that are most important to resolve.
- Plan how the organization will take action against the risks on this short list.
Step 3: Institutionalize the risk management program
- Develop and recommend a process and flow through which the organization will be able to, on a regular basis, monitor progress on its action plans, terminate action plans for risks that have been adequately resolved and look for new risks.
Overall, WWT can help develop and implement a framework and process to assist organizations in determining the risks to their line of business. This framework will answer the questions of where, why, who, how and what as they relate to the risks to the business. Additionally, we can assist organizations in creating viable technology solutions and options to mitigate high-risk profiles and further recommend strategies to control medium- and low-risk exposures to their line of business. The desired outcome is to ensure that organizations sustain and continue to create their competitive advantage within their market space and industry.
Sound risk management practices are not only a key competitive differentiator for companies, but they are also essential for controlling cost and facilitating the profitable delivery of products to the market. Moreover, organizations that ignore risk management run the risk of failing shareholder and market expectations, increasingly incur regulators' wrath and lose competitive traction.