5 challenges of managing Cybercrime
Cybercrime has been reported as the greatest threat to every company in the world. This post focuses on cybercrime as an "industry", not on cybersecurity itself.
There are 2 types of internet-related crime:
- Advanced cyber crime or high-tech crime. These are sophisticated attacks against computer hardware and software.
- Cyber-enabled crime. These are traditional crimes that now leverage the internet for execution, e.g. financial crimes, terrorism, crimes against children.
In the past, these crimes were committed by individuals or small groups. Today it is reported that highly complex cybercriminal networks connect individuals from across the globe in real time to commit crimes en masse and at scale.
The average global cost per lost or stolen record containing confidential and sensitive data was $154. The industry with the highest cost per stolen record was healthcare, at $363 per record (“Cost of Data Breach Study: Global Analysis”, IBM/Ponemon).
There are 5 challenges with the management of cybercrime.
- Consumer vulnerability - It is reported that 99% of computer users are vulnerable to exploit kits / software vulnerabilities thanks to Oracle Java, Adobe Flash or Adobe Reader. This means that it takes just one wrong click on an infected banner or a Facebook link to give access to a hacker.
- The business model - Cybercriminals have anonymity, a low cost of operation, and cheap, easy access for execution via social media. As a result, hackers see low risk in cybercrime, with the added benefit that as companies move up the value chain from manufacturing to services and IP-based R&D, the hackers' ROI will rise too. Unfortunately, this only gives criminals more incentive to hack. Unless we see a change in the business model, particularly around the alignment of incentives, the loss from cybercrime will continue to increase. Attacking is much easier and cheaper than defending.
- Time to detection - Cisco defines “time to detection,” or TTD, as the window of time between a compromise and the detection of a threat. The global average time to detect an incident is 146 days. In Europe, the Middle East, and Africa it's 469 days. In Asia Pacific, companies take an average of 579 days (TRTWorld, 2016). The longer detection takes, the longer the attacker stays embedded in the system.
- Regulation - The new global privacy regulation (GDPR) is one example of regulation driving transparency about PII losses at large companies. Another is the harmonisation of corporate governance and disclosure standards across Asia Pacific. These types of initiatives ensure a minimum level of transparency and reporting from companies. This is a critical incentive for companies and for the safety of their customers and investors.
- Lack of a complete data picture - Most cybercrimes go unreported and few companies come forward about their losses. Companies need to be transparent with authorities, so that governments, vendors and not-for-profit agencies can begin systematic efforts to collect and publish data on cybercrime to help boards and their senior leadership teams make informed decisions on cybersecurity, risk management, and policy. It's very difficult to adequately assess the risk when you have incomplete data.
There is no doubt that people are the weakest link in any cybersecurity strategy. For more insights on this, check out my next post on the 9 takeouts from our cyber breach simulation at the Thomson Reuters 2nd ASEAN Regulatory Summit.
---
About Leesa Soulodre:
Managing Partner and Director of RL Expert Group, an international reputation risk management think tank and consulting practice and Asia Associate of the Reputation Institute. An Innovation Advisor to the European Commission and to the University of Illinois Urbana Champaign Advanced Digital Science Centre, Singapore. Board Advisor to Belgian PR Software firm, Prezly, Korean Fashion Analytics firm FashionMatch, and the US Sports Analytics firm, Autoscout.
As a serial en/intrepreneur, Leesa has worked for 20 years on the cutting edge of strategy, communications, technology, cyber security and risk consulting. She has advised more than 400+ multinationals and their start-ups in 19 sectors across Europe, Asia Pacific and the Americas. She has led companies with turnovers from $4M to $14B USD into new markets and has shared the exhilaration of one IPO, numerous exits and the hard knocks of lessons learned.
Connect: Leesa Soulodre, Managing Partner RL Expert Group
AI Strategist | Cybersecurity Marketer | Professional IT and Tech Seasoned Marketer | Mentor | Coach
8 years ago: Well said. Many companies still do not know how vulnerable their business is and didn't place much emphasis on cyber security till it hit them.