Cybercrime and how to prevent it

The potential losses of a cyber-attack vary as much as the forms of the attacks or the resources and motivations of the attackers. The other factor to consider is the value of the target of the attack. If your PC gets infected by malware and all the data on your PC is lost, then your loss can be very limited if the PC had no valuable data or if you have access to a recent backup. On the other hand, if you have been attacked but you have no backup and the malware has destroyed all your family pictures and important emails, then your loss can be substantial. The same is true for companies. Depending on the attack, the loss for the company can range from a minor nuisance to a fatal blow that could mean the end of your company. In extreme cases, the impact of a cyber-attack can also impact human life. Just think of the recent attacks on the IT infrastructure of health care institutions.

The people behind cyber-attacks are as diverse as the attacks. On the one end of the cyber food chain you have the low-skilled hacker apprentice who is struggling to get his malware to run correctly. On the other end you may be facing state sponsored organisations with state-of-the-art resources. In its essence, cybercrime is not different from traditional crime, where you find the full range of criminals: from the street thug to a global terrorist organisation.

Before talking about specific actions to set up, you should have a clear view of the risks that you or your company are exposed to. A cyber risk management process should give you this risk oversight. Such a process consists mainly in identifying and evaluating risks that you are exposed to. If you identify risks that you are not comfortable with, then you will have to take action to reduce these risks. This approach can also be applied in everyday life where you may have identified a high risk of a burglar getting into your house. Once you are aware of this risk you can reduce the risk by different means like, for example, installing stronger doors or security camaras. In order to reduce cyber risks, it is best to define an overall concept to cover the risks and subsequently reduce the probability of the risk and/or limit the impacts of the risk. Such a cyber security concept should be based on key guidelines that are implemented in the different fields of IT (for example on network level, on system level, on data level, ...)

One key guideline is the “layered defence model”, where you have more than one security mechanism to address every major risk. Take the example of the buglers. In order to protect your house, you install stronger locks on all your doors but you add security cameras - just in case the locks are opened by the burglars. Another key guideline is to "stay up to date" on your IT infrastructure. Almost all of the successful cyber-attacks have at some point exploited a vulnerability in an IT system which could have been avoided with frequent updating. Get the latest updates on your systems and you’ll make cyber criminals’ life harder.

The "least privilege" guideline should also be implemented because it will only grant the minimum but necessary access rights to an employee and thus limiting the impact of a potential compromise or abuse of the employee's User Id. To limit the operational impacts on your business of cyber-attacks, you should also have a "assume compromise" approach which will focus on the aspects of what to do once you have been attacked.

The guidelines above are not to be taken as a complete set of methods and guidelines as cyber security is a very vast and complex domain.

But in order to be effective, you will have to proceed in a structured and proven way which is having cyber risk management identify and evaluate your biggest risks and then addressing these risks with a cyber security concept based on a set of clear rules.