What is cybercrime and how does it affect businesses?
The term cybercrime, or high-tech crime, refers to criminal activity conducted either using technology or against technology. For example, in the first category we would include issues like online fraud, while crimes committed against computers would include issues like computer break-ins and website attacks.
The impact of cybercrime is significant: in our recent survey Irish organisations reported a wide range of problems, ranging from employee harassment to attacks on their computer systems. One-third of Irish organisations reported cybercrime issues costing over EUR50,000 to correct, while 24 percent had problems which required over 50 man days of effort [to resolve]. This level of financial and personnel impact reflects the severity of the problem, since no organisation can afford that level of cost or distraction from running their business.
Should businesses - in particular SMEs - be concerned about cybercrime?
Overall, our data suggests that 98 percent of organisations have experienced cybercrime problems and 86 percent have had issues within the past year, meaning SMEs are definitely affected.
What is the fallout from cybercrime?
In our research Irish firms reported short-term consequences including loss of productivity and loss of data. Longer-term impacts included loss of significant business or profit, long-term loss of business and increased insurance costs. Perhaps most serious of all, over two-fifths of organisations reported the loss of staff due to cybercrime issues, due to either resignation or dismissal. We discovered that 97 percent of organisations have been forced to discipline staff due to internal cybercrime problems, which represents a substantial amount of management time and again is an unwanted distraction from running a business.
Who commits cybercrime? Why do they do it?
Many people have an impression of cybercrime as being committed by people with too much time on their hands and would think of the problem as a nuisance rather than a real issue. If this was ever true in the past it is certainly not the case today; cybercrime is now a mainstream criminal endeavour, carried out by criminal gangs and even more sinister groups. For example, there is evidence that certain terrorist organisations have funded their activities through online fraud and extortion.
How is it typically detected?
Our research suggests that Irish organisations are primarily stumbling across cybercrime issues rather than detecting them in an organised or deliberate fashion. For example, 68 percent reported issues coming to light through accidental detection and 58 percent had issues reported by end-user employees. External reports of cybercrime issues were also common, with 42 percent of organisations receiving reports from customers. When asked for their most common method of discovering incidents, a total of 67 percent felt that accidental detection or end-user reporting were most common.
What are companies doing to protect themselves? Is it enough?
We are recommending three actions that organisations can immediately take to protect themselves. The first recommendation is to reflect on the importance of reporting and accidental detection in uncovering cybercrime. We believe many organisations would benefit from reviewing communication channels to ensure that reports of cybercrime reach the right people in a prompt fashion.
Secondly, we suggest all organisations assess how well prepared they are to deal with the various types of cybercrime we have highlighted; for example, to consider how they would respond to an employee harassment issue or an internal incident of computer hacking. A small amount of effort spent preparing for issues will pay off in the case of an incident.
Lastly, since so many firms will need external assistance to deal with cybercrime issues, we believe there is a benefit in making arrangements to deal with law enforcement and consulting firms before an event occurs.
Are there signs that more businesses are taking action against cybercrime?
ISSA and UCD hope that by carrying out our research we will encourage Irish organisations to take the problem of cybercrime more seriously, and that in doing this they will invest more time and resources into information security. Unfortunately we are seeing currently that experience of cybercrime is virtually universal, with 86 percent of organisations affected within the past year, but we hope to see this figure reduce in future years and we aim to help organisations prepare for and respond to all types of cybercrime.