NCA cybercrime report: Industry reaction

Following today's report from the National Crime Agency saying that criminals are winning the "cyber arms race" against businesses and law enforcement agencies, various industry professionals have offered their reaction and analysis.

Ben Harknett, VP EMEA, RiskIQ:

“There are numerous forms of cybercrime making up those 2.64 million incidents. Research we carried out at RiskIQ revealed that malvertising, as just one of those, jumped up over 300 percent year on year between 2014 and 2015 following a string of major publishing sites such as Forbes.com, Huffington Post and The Daily Mail being exploited by malvertising campaigns.

"We live our online lives ‘in the moment’ and although most people know better than to click on a link from an unknown source, malvertising attacks are disguised as trusted brands on trusted websites and so by their nature are much more difficult for a conusmer to spot.”

David Emm, Principal Security Researcher, Kaspersky Lab:

"The National Crime Agency’s new research confirms what we have understood for some time – that cybercriminals are becoming more resourceful and efficient in attacking corporate and government systems.

"The NCA’s findings are a warning to all organisations that it is simply no longer enough to protect the perimeter of a corporate network. The business environment has changed significantly in recent years; mobile working has created more fluid business systems and companies need to develop an in-depth defence strategy, including how to minimise the impact of a breach – rather than simply relying on blocking threats at the perimeter.

"It’s also vital that businesses develop processes to restrict the room for manoeuvre of attackers. For example, not providing blanket admin access to all employees and segmenting the network to limit the scope of a breach. I would also stress that as individual consumers we need to be more aware of the cyber-security threats being carried out around us, with more people than ever trying to steal our personal and corporate information."

Luke Brown, VP and GM EMEA, India and LatAm, Digital Guardian:

"It’s no surprise that the NCA warns that criminals are winning the cyber arms race: the IT security industry simply doesn’t have the troops to fight back. For many years, the industry has faced a recruitment drought and individuals who meet the required training standards are hard to come by and highly sought after. In fact, the unemployment rate amongst information security professionals is effectively zero.

"The issue is that businesses can’t simply deploy security technologies and expect to be protected from every kind of attack, they need to work with security experts. The UK government’s plan to open a new National Cyber Security Centre is certainly a step in the right direction, but without more widespread investment to train more cyber security recruits, this war will continue to rage on."

Paul Simpson, Principal Consultant, Verizon RISK:

“Our 2016 Data Breach Investigation Report found that many businesses still lack basic security defences, or have implemented or configured them incorrectly – this is unbelievable when we are aware of the cybercriminal activity around us. For example, we saw 63 percent of confirmed data breaches involving weak, default or stolen passwords.

“Some of the reasons behind this are reliance on old security policies; security being more of an afterthought in a business’ strategy rather than a priority or even just down to lack of good employee education. Often businesses forget that their employees are often an easy route for any opportunistic hacker looking to find their way into an organisation via phishing emails, as they commonly make mistakes that leave their doors wide open.

“Awareness is the first and best line of defence against cyber-criminals - CIOs also need to stay in touch with the latest security threats, and share that knowledge throughout the organisation. My immediate advice to any company is to ensure that the security basics and procedures are already in place to help mitigate the impact of a future cyber-attack. Prevention is often better than cure and the effectiveness of implemented security and incident processes should be tested and measured for effectiveness. This can be done via a concentrated security approach.”

Wieland Alge, VP & GM EMEA, Barracuda Networks:

“We see multiple cyber crime assessments of this kind carried out across Europe – all of which show the same patterns – and yet companies are still not taking the necessary actions to protect themselves and their customers. Many companies are still ignorant to the fact that everyone has become a target. An astonishing number are still surprised that they have been attacked at all. The simple truth is that the digital transformation of crime is outpacing the digital transformation of companies and also the transformation of cyber defence.

"That said, modern cyber threats are no longer simple to defend against. The crucial change in recent years has been that cyber criminals are shifting towards more targeted scams and more advanced malware that cannot be detected by traditional scanners. What’s more, the increase in mobility and sheer volume of devices has exponentially increased the potential attack surface. We are in a kind of golden age for digital crime. The business has injected change at accelerating speed into all elements of IT and many organisations are simply trying to keep their security stable. It has become quite easy for attackers to find an unprotected door."

Ryan O'Leary, Vice President, Threat Research Centre, WhiteHat Security:

"It is a step in the right direction for the UK government to invest more money in cyber defence. In our experience, money is always better spent in the defence of an attack rather than in trying to find the culprit. Those who can pull off cyber attacks are prevalent on a global scale, as the NCA’s annual assessment has proved; if one individual or group were able to execute an attack, it is very likely many others could do the same. The issue is not the attacker – they are always going to exist – it’s the system that is susceptible to the attack. Fix the issue and your attacker problem goes away.

"Finding and prosecuting attackers can also be a challenge. Many of the attackers operate out of countries that make it near impossible to instigate legal action. Finding the individuals responsible also gains the company nothing.

"As proven by the large number of breaches and fraud incidents quoted by the NCA, fear is not a deterrent to international attackers. These individuals have nothing to fear since they know they cannot face legal action or be extradited from their home country.”

Image Credit: zimmytws / Shutterstock