By Jim Gee, Partner, Head of Forensic Services and Andrew Penketh, Head of Pensions, Crowe UK LLP
Cyber criminals know that if a ransomware attack took place which encrypted a victim organisation’s data, the pressure on that organisation to pay the ransom demanded would be enormous.
The development of small and medium-sized cybercrime ‘businesses’ into national and international ones over the last decade or so, and their growth and profitability, has led to phishing becoming much more sophisticated and targeted than it was at its inception 20 years ago. Ransomware also continues to develop very quickly, with cybercriminals even using version numbers to make clear which variants, as yet, have no countermeasures.
When these ‘businesses’ look at Government statistics on the prevalence of cybercrime (now more than 50% of all crime in the UK, with incidents increasing by over 110% since COVID, and almost two thirds of medium and large organisations suffering cyber breaches in 2020), they are massively encouraged about the future and the effectiveness of their ‘business’ model. 39 pension schemes reported actual cybercrime-related breaches (not just attacks) to the Information Commissioner’s Office between April and November 2020.
This article looks at the future of cybercrime in the short and medium term. Underlying what is likely to happen is how the cybercrime ‘businesses’ themselves will develop – sometimes those seeking to protect organisations against cybercrime focus on the latest techniques but fail to look at the organisations who are developing and implementing them.
First, there is likely to be greater ‘commercialisation’ of what they do. They will seek to operate more efficiently and to reduce costs, and they will seek to increase their revenues both overall, through further growth, and on an attack-by-attack basis. The resulting increased profitability is also likely to be invested in the development and implementation of even more sophisticated cybercrime techniques.
There are key signs that this is already happening.
Artificial intelligence (AI) and machine learning are already being deployed to increase the automation, speed, frequency and efficiency of attacks, as well as the potential for tailored attacks targeting specific groups. There’s also scope to use AI to identify fresh vulnerabilities in networks, devices and applications as they emerge. By rapidly identifying opportunities for human hackers, the job of keeping information secure is made much tougher.
The Cybercrime-as-a-Service (CaaS) market has also matured over the past few years. What began as a few lone rogue hackers selling user credentials in chatrooms or darknet forums has now evolved into cybercriminals offering a ‘menu’ of services to those who might be interested in having an attack mounted.
A diverse range of cybercrime offerings caters to anyone with sufficient cryptocurrency to pay for them: from access brokers who sell stolen credentials for compromised accounts, to bulletproof hosting providers that deliver reliable and anonymous infrastructure from which to conduct criminal cyber operations.
The prospect of this happening is not one which helps any of us to sleep better at night, and should impel every pensions organisation to ensure they are properly protected. However, it would be wrong not to reflect on some more positive trends.
Some progress has been made and it is also encouraging that there has been a real growth in the level of understanding of the problem of cybercrime – Who is behind it? How does it manifest itself? What needs to be done to protect pensions organisations, to manage an attack if it happens and to recover and mitigate any damage?
There is also a growing understanding that cybercrime is not like other static risks which appear on risk registers alongside mitigating controls. It evolves and develops more like a clinical virus than other risks and cybercrime protection measures need to be equally dynamic.
Finally, more and more organisations are understanding that this is not just a technology problem – there is no magic technology ‘bullet’ which can provide 100% protection. As The Pensions Regulator (TPR) says, it is a question of when an attack happens, not if, and it is a governance issue. How, and with what metrics, will those in governance positions (including Trustees, for whom TPR’s new draft single joint code sets requirements) assess and manage levels of cybercrime protection and respond when an attack occurs?
This understanding needs to continue to develop, and at a speed commensurate with the evolution of the problem, so that the challenge of staying properly protected is met. It is hoped that this article plays its part.