Why cybercrime is in the top three black market industries in the world
Tools like artificial intelligence are being used for evil as well as good.
The recent introduction of mandatory data breach reporting in Australia was a wake-up call for many organisations as to their obligation to keep customer data safe. But it has also alerted many to the increasing sophistication of the new techniques used by the world’s cyber criminals as they exploit both technical and human vulnerabilities.
According to Steve Ingram, partner and Asia Pacific Cyber Lead at PwC, we are living in an age of industrialised cybercrime.
“We are starting to see state-sponsored weapons being used by organised crime groups,” Ingram says. “They don’t need to own those resources or capabilities, they can access those in a leveraged or just-in-time market.
“It is growing significantly and would be one of the top two or three black market industries in the world along with arms dealing and drugs.”
Another significant change noted by Ingram is the willingness of cybercriminals to go after individuals. He knows of one executive in Europe who was cajoled into transferring €600,000 on the word of someone whom she believed was her boss, but who in fact had used publicly-available information sources to impersonate that person and demonstrate familiarity with her.
“These people had done some social engineering, appealed to her ego, and managed to pull off the fraud,” Ingram says. “They even called back to try and get a second payment through. The likelihood of them being caught is very low, and the punishments aren’t that high either.”
The technology that cybercriminals use is also becoming more sophisticated. According to Liming Zhu, research director for software and computational systems at CSIRO’s Data61, cybersecurity threats are attacking the overall trust of systems, using highly-automated tools that use machine learning to carry out attacks.
“For example, machine learning is used to make data-driven systems learn the wrong models by poisoning data, constructing counterexamples and inverting machine learning models to make them vulnerable to attacks,” Zhu says. “Other techniques on the rise include the use of “side-channel” information and game theory to mount attacks, and leveraging end-to-end encrypted traffic to steal data and conduct cybercrimes.
“Beyond traditional attacks, cyber-physical systems — or physical devices connected to the digital world — are increasingly under fire.”
The APAC vice president and chief security officer for cybersecurity technology maker Palo Alto Networks, Sean Duca, agrees that the tools available to cybercriminals are becoming more sophisticated. But he says that in many instances they don’t have to be.
“Many of the known issues are still impacting organisations, through phishing emails, credentials re-use and ransomware attacks,” Duca says.
Nor surprisingly then, he says the remedies that can prove most effective are also relatively unsophisticated, but effective if applied properly.
“All businesses need to maintain good “cyber hygiene” which includes a regularly backup of data, patching systems and applications and reducing the attack surface of digital assets as much as possible,” Duca says.
One common defensive strategy is to move applications and data into the hands of cloud providers, who often deliver a higher level of security than an individual business can afford, but this is not a set-and-forget strategy.
Duca says there are questions that every company should ask of itself and its suppliers, including knowing what sensitive data is stored in the cloud, who among employees and third parties has access to it, and how the data is protected.
“It starts with the basics; everyone must be doing them right,” Duca says. “With the rise in automated cyberattacks comes an increased need for organisations to be similarly automated and scalable, combating machine-generated attacks with integrated technology. We can’t rely on manual intervention to prevent a successful cyberattack. Security professionals need to focus less on manual defences and more on the big picture.
“Every business needs to understand that by living in a hyper-connected world, it’s foreseeable that someone will come looking for your information, but it’s up to you to manage the risk to your business.”
Increasing awareness is also driving a demand among business professionals to better understand the risks. Hence Data61 has partnered with the Australian Institute of Company Directors to deliver courses to lift the level of digital and cyber literacy at the executive level.
Ingram says he is also witnessing a change in how organisations structure themselves to account for cyber threats, based on the realisation that defence can’t be left to one business unit.
But just as cyber criminals have grown stronger through working together, Ingram says the same approach can be used to create stronger defences. PwC is working in close partnership with technology providers such as Palo Alto Networks and research groups such as CSIRO’s Data61, as well as with large technology and telecommunications companies.
“We need to get cross sector, cross industry information sharing,” Ingram says. “The banks and telcos are realising that we do need to work together to make it better.”
—
Content produced in association with Telstra Enterprise. Read our policy on commercial content here.
How top Australian law firms are leaning into generative AI
One of Australia’s biggest law firms says it will ‘responsibly’ push the use of artificial intelligence to its limits, while the industry grapples with productivity gains and concerns about security.
I’m still standing after hearing Elton’s lips smack
Custom-tuned in Ireland, these two Sennheiser audiophile headphones are perfect companions for a Sunday afternoon – if you don’t mind a few surprises.