This is the final installment in a three-part series on cybercrime. See part one, "Cybercrime is big business now, avoid becoming a victim" and part two, "To prevent cyber thieves, think like them." The third installment, below, focuses on how to use ROI to defeat cybercrime.

Connected systems and mobile computing have revolutionized business over the last decade, but they have also created vast new opportunities for criminals. Instead of stealing individual identities or credit card numbers, they are now going to the source and stealing thousands or even millions at a time. By mimicking and adapting to the strategies of successful businesses, cybercrime is thriving, and it can’t be stopped. But that also means you can apply business tactics to discourage cyber criminals from attacking your organization. As discussed in this earlier article of this series, if you can take away the return-on-investment (ROI), attackers will bypass your business in search of more profitable targets. The trick is to pinpoint where and how they may strike. Here are a couple of scenarios and tips on how to mount a strategic, data-driven defense.

Scenario 1: Retail cyber therapy

You don’t have infinite resources to spend on data security, but you do have the knowledge to mount an effective defense. We know that part of the ROI equation for cyber attackers is how long it takes to compromise a system — most will move on if it takes more than 40 hours to get in — and we have a good idea where attacks will come from. A previous article in this series looked at cybercrime trends and found that there are clear attack targets and tactics in different industries.

Let’s imagine you manage privacy and security for a large retail organization. We learned from the 2016 Verizon Database Incident Report that 64 percent of cyber attacks on retail businesses are through their point-of-sale (POS) systems. (And POS attacks were predicted to increase in 2016.) Another 26 percent of retail attacks come through the web. So you know that cyber criminals are most likely to try to steal credit card numbers from your business, and you know the two most likely attack vectors.

You also know that criminals control their costs by reusing tactics that work, so you can research attack trends to predict how they’re likely to attack your business. Symantec reports that malware readily available on the dark web is a primary way that criminals attack POS systems. The malware is introduced into the POS terminal, and right after the card is swiped, the malware transmits the card number and other personal information to the attackers. There are several mechanisms to combat this kind of malware. Malware often exploits security holes, so the cheapest and easiest defense is to make sure your POS system is running an up-to-date operating system and that your IT team is applying security patches as soon as they are available. Experts also recommend deploying secure card readers that enable point-to-point encryption of card data within your networks, but you may be better off going straight to chip card (EMV) technology since that never transmits data unencrypted. If your business has its own loyalty program with credit cards, you should go to chip cards with that as soon as possible.

Ideally, you would stop malware before it gets into your POS systems. POS malware is typically introduced either through SQL injection or, more commonly, through phishing campaigns. You can use input validation, good privilege management, and other information security best practices to stop SQL injection. Phishing is harder to stop because it just takes one mistake by an employee or a business partner or vendor’s employee to reveal a password or download a bad file. Still, a Ponemon study showed a 50x ROI on anti-phishing training and awareness programs. Phishing is also a major tactic used in web-based attacks, which is the other big risk for retail businesses. If you can combine phishing resistance with good system security, you stand a fair chance of throwing up enough barriers that attackers will give up and look for targets elsewhere.  

Scenario 2: A prescription for healthcare

Now, let’s apply the same ROI model to healthcare. We know that healthcare data is worth more on the black market than credit card numbers, so attackers will likely invest more time and effort to get it. Privilege misuse accounts for about a third of healthcare data breaches because attackers go to the trouble to steal credentials through phishing or other tactics. Stolen assets (19 percent) and miscellaneous human error (22 percent) are the other big factors in healthcare data breaches.

Healthcare today is a high pressure, very complex environment. Healthcare staff is spread thin between patient care and the demands of meeting insurer and regulatory requirements. On the IT side, in addition to back-office systems, you now have point-of-care systems that are comparable to point-of-sale systems in that they can expose sensitive personal data in an unencrypted form. You also have providers using personal mobile devices at work, which poses multiple risks: a personal device could introduce malware into your systems, or a device could be stolen along with any patient data on it.

According to the Ponemon Institute’s Sixth Annual Study on Privacy & Security of Healthcare Data, at least half of healthcare breaches involve human error or misuse, so you know that staff training and awareness has to be a priority in your privacy and security efforts. And because HIPAA makes you responsible for business associates, you need to include them in your training programs. There are also steps you can take to mitigate human error. Forcing internal users and customers to have strong passwords and change them often is a good practice because it puts a time limit on the usefulness of stolen passwords. You could set up your networks to verify that security patches are up-to-date when a user attempts to connect their device, and you can make sure that point-of-care applications are thin clients, so that if a device is stolen, there is a minimum of sensitive data on it to be exploited. (Also, the less data present, the less chance a disgruntled employee could transfer it to a USB and walk.) Beyond that, segmenting networks, encrypting data both in transmission and at rest, and carefully managing privileges on data and applications will help contain damage. While cyber attackers may be willing to work harder for valuable protected health information , you can still make your organization an unprofitable target.

Outrunning the Bear: Using ROI to defeat cybercrime

There’s an old joke about two hikers running away from a bear. One of the hikers runs faster, and when the other laments that they can’t outrun the bear indefinitely, the one in front says, “The way I figure it, I don’t have to outrun the bear. I only have to outrun you.” It’s a cynical joke, and it would be great if we could find a way to stop cyber attackers once and for all. But that’s not going to happen any time soon, so your best defense is to stay ahead of cyber attackers and hope they choose to make a meal on some other organization that’s easier to catch. And the best way to do that is to understand the business of cybercrime, study attack patterns so you can be strategic in your defense, and hit the attackers where it hurts: the bottom line.

photo credit: Visual Content Malware Infection via photopin (license)