Dealing with the relentless and mass scale of cybercriminal activity against businesses and individuals will be an international effort across both the public and private sectors
Over the past few years, the general public has become increasingly aware of cyber-attacks. However, a perception still exists, especially outside the IT industry, that cyber-attacks are just something that happens on the Internet. It isn’t easy to relate to the impact of cybercrime on its victims – whether it’s an individual who has fallen foul of an online scam or a company that has been forced to pay a ransom to restore its systems. For this reason, cybercrime isn’t always viewed or treated like a ‘real crime.’
While we acknowledge that cybercrime is an actual crime, that idea may not be easy for some people to get on board with. The thought of being outraged by a hacker taking down a multinational corporation could seem a bit farfetched. This is partly because of the stereotype of cybercriminals as disgruntled computer science whizz-kids with nothing better to do than ‘stick it to the man.’
Consider that most cyber-attacks are the work of huge, organized, and wealthy crime syndicates. They are highly sophisticated operations to steal money from the business that pays your salary and the government that collects your taxes. Does that sound like a crime?
Are we guilty of victim-blaming?
The fact is that cybercrime is an actual crime, and businesses that fall foul of it are victims: they have suffered a crime committed against them. However, the level of sympathy we show organizations that get breached differs from what we give to an individual. If someone tells you they’ve been hacked, had personal information compromised, and had money stolen, your natural reaction probably isn’t to say it’s their fault. By contrast, cyber breaches are a source of lasting reputational damage to businesses, because we tend to assume they did something wrong or acted carelessly. As somebody who has worked in the data protection industry for over 32 years, I would tend to agree with this.
The vast majority of cyber incidents are avoidable, resulting from organizations failing to follow best practices, poor digital hygiene, and/or outdated or unpatched software.
However, is there any other type of crime that focuses almost exclusively on blaming the victim and so little on bringing the criminals to justice? Businesses are viewed as the guilty party rather than victims, and it is accepted that the criminals are unpunishable due to the lack of an agreed global legal framework and justice system. If a criminal from another country travels to the USA, for example, and commits a crime against a business on American soil, there is an entire diplomatic process to ensure this person is brought to justice and the victim is compensated. This isn’t the case when it comes to ransomware.
International and intercontinental cooperation is the only way to create an environment where the risks are higher than the rewards for cyber-attackers. The scourge of ransomware accelerated during the pandemic, increasing the appetite of government and business leaders to break the geopolitical impasse that has enabled cybercriminals to run riot. But it won’t be easy, and a workable holistic solution is still years away.
In the absence of a justice system that completely protects us from the bad guys, basic human survival instinct demands that we learn to defend ourselves. In the context of cybersecurity, that means focusing on a few fundamentals. Firstly, every enterprise needs a dedicated IT security lead with access to business leaders and the authority to lead the security initiative. For smaller businesses, that means having a resource with designated responsibility for cybersecurity that specializes in data protection. Secondly, businesses need to practice impeccable digital hygiene.
This includes mandatory training for all employees to recognize potential attacks, understand whom to report them to, and understand why this is important. The more people buy into the need for good digital hygiene, the more alert they become and the more willing they are to take the blinkers off.
Finally, never pay the ransom. Organizations that pay ransoms feed the ‘easy payday’ perception, which means cybercriminals keep doing it. As soon as businesses stop paying ransoms, we’ll see a reduction in the popularity of ransomware as an extortion technique. While businesses that suffer cyber-attacks are victims, they are responsible for protecting any data they use, process, and store. Paying off cybercriminals to get systems back online is an unsustainable defense strategy.
As governments become more active in preventing the spread of ransomware, we may see businesses that pay ransoms investigated and reprimanded by independent regulators.
Dealing with the relentless and mass scale of cybercriminal activity against businesses and individuals will be an international effort across both the public and private sectors. While it is important that cybercrime is properly ‘criminalized’ and that the perpetrators are brought to justice, businesses must understand the responsibility they have to their customers and employees to protect any data within their jurisdiction. This can only be done by implementing a Modern Data Protection strategy that combines effective front-line cybersecurity defenses with a comprehensive data backup and disaster recovery approach.
The author is VP - Enterprise Strategy at Veeam