Richard Anning* Technology brings a lot of great opportunities for business, enabling companies to do things today that were unthinkable only a few years ago. However, as with most opportunities, there are associated challenges. Over recent years, cyber crime has become big business – the cost has been calculated globally at $114 billion a year, and it was one of the major world threats discussed at the last couple of World Economic Forum events in Davos. It is especially relevant to the Middle East, according to the president of McAfee Europe and Middle East last year, the Middle East is one of the areas with the highest cyber crime activity. There are various reasons for this. Firstly, the world is ‘cyber' now; almost everything and everyone is online, whether business or personal. What has really changed the game has been the development of mobile technology – smartphones and tablets – which are especially popular in the Middle East. In the UAE, for example, smartphones have around 73 percent penetration. Smartphones and tablets typically have fewer anti-virus protections than computers and are therefore easier to hack. Moreover, culturally it can be the case that people are not as security-aware with mobile devices as they are with, for example, their laptops. Secondly, social networking has really raised the bar. The world now spends around 110 billion minutes each month on social media. Twitter has more than 200 million users, whilst Facebook has over one billion. This has given rise to what is termed ‘spear fishing', where criminals can approach potential victims posing as people that they know in order to gain their trust or private details. Finally, we have seen tremendous growth in developments like cloud computing and ‘Bring Your Own Device'. Combined with the increasing prevalence of outsourcing, and more people have access to companies' important data, on a variety of devices, with varying degrees of protection and security awareness. Many users are not as security conscious as they might be with traditional internet platforms such as computers. As people have more devices, it seems they are becoming more relaxed about security; a survey by Norton Cyber crime found 41 percent of users in Singapore did not use complex passwords or change their password frequently. When cyber crime attacks are successful, they can have potentially catastrophic consequences. In August 2012 a virus wiped 30,000 computer hard drives at Aramco, the Saudi national oil producer. It is estimated that around 75 percent of cyber crime is financially motivated rather than vandalism, and there are a number of attractions for criminals. The most lucrative is financial fraud, but data theft is also a motivation. This is no longer limited to commercially sensitive data or intellectual property. Departments like HR and Legal Affairs used to be viewed as comparatively low risk, but the data they hold can be very useful to criminals. Customer data, if stolen, can be sold on to third parties. And finally, simple business disruption can be an end in itself. Potential losses are not limited to the value of something stolen, or business missed. The cost of investigating, reporting, analysing solutions and replacing protection technology can also be significant. Companies could also face fines in some jurisdictions, for example in the Dubai International Financial Centre, if they are judged to have negligently breached data protection laws. How can businesses protect themselves against cyber criminals? ICAEW's recent Audit Insights: Cyber Security report suggests it is critical that a business identifies their key information assets and take extra care to protect those. It is estimated that getting the basic cyber hygiene right can reduce the risk of a cyber breach by as much as 80 percent. It is therefore vital that those at the top are aware and sensitive to cyber threats and best practice. As technology is constantly shifting, it can be that some employees are not completely up to speed with the latest developments. However, they are also the most likely targets for criminals. As the tone in companies is set from the top, having cyber-savvy leadership should translate into a cyber risk-aware culture throughout the organization. Cyber skills should be shared and regular training made available for employees. It is critical that they have access to the knowledge and processes that will allow them to protect the company. Regular re-assessment of potential threats is also needed. Unfortunately, the nature of technology means that threats are constantly changing, and the ways in which a company can be attacked changes frequently. These are all good preventative measures, but companies also need to make sure that there are plans in place for when something does go wrong. This means having clear and transparent policies on how to respond in the event of a cyber-attack, or if a crime is discovered. After all, many companies have good response plans to ensure business continuity in the event of other disasters, and cyber crimes can and should be treated in the same way. Companies should also be prepared to share knowledge internally and with peers, as this will contribute greatly to fighting against cyber crime more widely. This enables companies to build a picture of the reality of the threats facing businesses, governments and consumers alike. Cyber crime can sometimes seem like a frightening and mysterious threat, partly owing to the high levels of technical knowledge involved in understanding exactly how it works, or the fact that it takes place in a virtual environment. Moreover, rapid and continuous developments in technology mean that it can seem like it will be impossible to ever counter. The fact is that it is not that different to other crimes, except the medium and method. Technology has enabled businesses to do many things that were unthinkable half a century ago, but along with this has come the potential to abuse these new methods of data storage and communication. By ensuring they are more aware of the potential threats and countermeasures, companies can make sure they are in a position to manage the risks of cyber crime as they would any other threat. *The writer is head of ICAEW's IT Faculty
