Cybercrime – The Human Element Beyond IT
Cybercrime is on the rise. Not only are rates of cybercrime increasing, but its breadth and depth have reached a level of sophistication that is disproportionate to our defences. It has become a well-organised operation perpetrated by highly skilled professionals with the capability to undermine organisations large and small.
The American-based Target Corporation was the object of one particularly damaging case of cybercrime. In December 2013, Target publicised that the credit card details of 40 million customers had been the subject of cyber theft, and that an additional 70 million customers had had personal information stolen, including their names, addresses, email addresses and phone numbers.
Closer to home, organisations are regularly scanned for weaknesses in their defences as the sophistication of cybercrime evolves, with malware having the capacity to sit unnoticed on a network for weeks before an actual theft takes place.
The very real problem we now face is that organisations are not necessarily able to compete with this new level of sophistication. Moreover, the risk of cyber attack has always been viewed as a function of IT, and responses to cyber threats have been acted upon as such.
But the IT security function alone is not adequate to safeguard against this new, sophisticated cyber threat. In order to build a strong defence, organisations must look beyond the IT-based nature of conventional cybercrime and understand the contribution that humans often make to cyber breaches.
Organisations have become extremely savvy at building robust firewalls that are able to block just about any potential threat; however, these defences are redundant if the organisation has not been able to predict what may be planned against it. It is critical that organisations maintain a channel into the cyber community networks where potential attacks are being plotted. In this way they will be armed with information about where their potential weaknesses as a business lie.
In order to stay ahead of the cyber criminals, organisations need to acknowledge that it is people who commit crimes, not computers, and that, unfortunately, it can be people from within the organisation who are complicit in these crimes. Cyber criminals are able to infiltrate at any point of weakness, which can often mean exploiting the vulnerabilities of staff or of someone close to the organisation who is able to access, test and deploy malware into the system.
The Three Lines of Defence model is the ideal way to mitigate risk across an organisation. The first line, protective controls, includes building a strong firewall to secure the network; this line of defence acts as the gatekeeper of the traffic that may or may not pass through. The second line of defence revolves around watching out for external threats, such as analysing conversations in chatrooms and engaging in network vulnerability tests. Lastly, measures must be taken to protect the organisation from internal threats. This may include conducting background checks on staff and ensuring that sensitive information is only available to a select few.
The Three Lines of Defence model is a great start to heading off any potential cyber threat. However, this can only take an organisation so far, as the unpredictable nature of the human condition can ultimately leave an organisation vulnerable to cyber threat, especially in the current environment where threats may emanate from both within and outside of the organisation.