The TalkTalk hack on October 22 saw the personal details of 4 million of its customers stolen, including their bank details and credit card numbers. It was the latest in a long line of major hacks that have been steadily increasing in both scale and audacity, with Carphone Warehouse suffering a breach in August and adultery platform Ashley Madison’s 37 million customers having their details leaked shortly before that. In England and Wales alone, there were 2.5 million cyber crime offenses last year, and one recent survey found that nine out of every 10 big British companies have suffered a cyber attack.
To cope with this surge in cyber crime, companies are greatly increasing their security budgets. The constant media coverage of huge attacks, however, does not offer much hope that this money is being spent wisely. A new high-profile security breach is reported almost daily despite supposed safeguards being in place, and companies are increasingly concluding that when it comes to combating the cyber crime threat, it's a case of ‘when, not if’.
And it’s hard to argue against this. We now know that 90% of computer hacks go entirely undetected, and of the 10% that are detected, there are few examples where the breach was noticed sooner than 6 months after the fact. The average is two years. The sophistication of most hackers, and their ability to operate under such a thick blanket of anonymity, mean they are hard to catch and even harder to stop. The breadth of motivations is another problem: most seek money, but many seem to do it simply for sport. Those responsible for the ‘Fappening’, for example, seemed motivated purely by a desire to impress other members of hacking chat rooms, while the Sony hack was ostensibly just an attempt to stop the release of a film.
The reality is that there are no clear answers. Businesses’ attempts seem to be failing, and government attempts to legislate the problem out of existence seem equally futile. John McAfee argues that cybercrime occupies ‘a realm of the real world that transcends, and is immune to the influence of law. You can no more diminish cybercrime and its effects through enacting laws, than you can defeat a heavily-armed Islamic State (Isis) in battle through the use of harsh words.’
This is not to say the government isn’t trying, or that there is nothing it can do. A UK government spokesperson told the Financial Times that £860m of public money had been put into cyber security, and a range of schemes designed to help UK businesses improve their security measures is on offer. The Bank of England is also this week holding a ‘war game’ to stress test the preparedness of financial firms for a cyber attack. The so-called ‘Resilient Shield’ test will simulate a hack on financial firms, testing whether banks can withstand sustained attempts to breach their security.
It could be the case that companies are simply not spending their money in the right way. Despite the huge increase in data attacks, network security technology still dominates security spending at 38%, with 16% going on application security, another 16% on database security and 13% on identity management, yet just 1% of total IT security technology spend goes on data protection. According to PwC’s 2015 Information Security Breaches Survey, 33% of large organizations say that they do not know who is responsible for ensuring data is protected.
The fight against cyber crime is ongoing. For all the technological advancements designed to combat it, the answer could simply be to invest heavily in education about it. A survey of UK police forces last year found that fewer than one-third of key cyber crime staff had the skills or technology to address the threats reported to them. Organizations such as the National Science Foundation already run initiatives that try to spread knowledge of the issue, and this year lessons on the subject became part of the National Curriculum. Ultimately, time will tell whether they are successful.