Cyber security, in its broadest sense, refers to the application of techniques, protocols, and policies designed to safeguard systems against unauthorized access. Protecting computers, data, internet networks, and programs from cyberattacks is the aim of cyber security. The term "cyber-attack" describes the repeated, intentional attempts made by hackers to access and compromise computer systems. In order to make the security system susceptible to ongoing attacks, terrorists and criminal gangs are always working to discover its most important secrets. The possibility of cyberattack has increased along with the number of organizations that are doing business online. The corporate community has found that cyberattacks are extremely harmful, especially in industrialized nations (Gercke, 2012). Cybercrimes have been identified to have damaging effects on trade, competitiveness, and the overall global economic growth. Hackers, whose main aim is to cause damage to the cyberspace, have ruined several multinational corporations’ good reputation. Corporations lose their intellectual property rights due to cyber-attacks which have resulted in enormous losses. Cyber-attacks also lower dividends which deal with innovations and inventions because businesses are unable to maintain their competitive edge. When the company loses personal information then it cannot take comparative advantage and edge. For instance, in 2013, The United States of America has spent 400 million US dollars for cybercrimes. Studies in the United States also revealed that 200.000 American jobs are lost annually in the export sector (Anderson & Barton, 2012).
The review of literature analyses cybercrime, its phenomena, background, and challenges. The paper discusses the various reviews on the different types of cyber-attacks, the financial cost of being attacked, and the existence of defending institutions against the attacks in the cyberspace. The research assesses the cyber security in business on the basis of specific three categories presented further in the paper.
Types of Cybercrimes
According to the report by The Information Security arm of CGHQ (2015) cyber-attack is carried out in four distinct stages. In the publication titled Common Cyber Attacks: Reducing the Impact, the first stage involves the survey of all the potential organizations or business. This stage encompasses the thorough and detailed analysis of the information system in order to identify the loopholes and vulnerabilities. The second step presents the report on the identified weak areas in the system. The point of exploitation is reflected at the above-mentioned level. The next is breach where the hackers gain unauthorized access to the information system. The final level is affect stage where the hackers carry out their intended harm into the system. Essentially, all the organizations are potential victims of cybercrime. Kramer (2017) also points out four stages in the execution of the cyber-attack which include: reconnaissance, knowledge harvesting, initiation of the attack, and finally, its success. Evidently, cyber-attacks are not abrupt and instantaneous, but rather the meticulously calculated process. The Kaspersky report (2015) discusses the below types of cyber-attacks which are the commonest every year. However, the above findings, despite identifying the types of cyber-attacks, are unable to predict new types of attacks. Before a new type of attack is established, the damaging effects are evident.
Service Interruption
According to the Kaspersky report (2015), the main aim of service interruption is to ensure that the computer or device does not perform its duties optimally. The cyber- criminals indicate that the devices record down which result in losses of the organization. The effect of the attack is also damaging as far as the reputation of the organization is ruined. The eventual system’s failure is the ultimate goal of the hacker as the rival firm is able to flourish and overtake its competitors.
Data Exfiltration
The objective of the attack is to access and steal confidential and sensitive information from the target organization. This has been reported as one of the most damaging forms of cyber-attack because its risks to the target farm include theft of intellectual property. Private data and information are exposed to the public by hackers. Loss of financial data and consequent decrease of money has been proved to be caused by this form of cybercrime (Kramer, 2017).
Bad Data Injection
The Kaspersky Report (2016) points out that the aim this attack is to report false information without detection. The hackers access the central data storage center and make damaging alterations. Large organizations with high data volumes have been used as the targets for this form of cyber-attack. The consequences are highly catastrophic for the victim organization. Loss of customers and eventual bankruptcy may occur especially in the banking sector.
Advanced Persistent Threat
The aim is to gain extended access to the device or networking system. The third parties are able to control the system from remote and invisible control centers. The hackers can alter the data system without being detected because they can log into the system without being visible. Cyber-attacks are hitting the users at the alarming rate. As indicated by the Kaspersky Security Bulletin in 2015, each third personal computer is encountered with the attack. The Kaspersky report fails to acknowledge some instantaneous attacks which do not need the four stages of the implementation.
According to Ponemon Institute Report (2013), cybercrimes are constantly cost burdens to the organizations. The research carried out from the representative of 60 leading US firms had the following findings: the cost of cybercrime is increasing every year as more businesses go online. The report points out that $ 11.6 million are lost in the United States in 2013 while in the previous year – only $ 809 million. The companies under study had 122 successful attacks every week. The survey points out that the most detrimental cyber-attacks are those caused by web-based attacks and denial of service. The study was duplicated in the other European countries such as France, Germany, United Kingdom, Japan and Australia culminating into a sample of 234 organizations. The survey indicated the lowest cyber-attack cases in Australia, and the highest- in the United States which shows that cybercrime differs in the various states but the common types are duplicated in almost all the countries sampled.
Kaspersky (2016) and the Ponemon Institute Reports (2013) state that the organizations fall victims of cybercrimes at different levels. Industries in the banking, manufacturing, and service sectors told about the cyber-attacks. Organizations in the banking and energy sector reported the highest level of hacking. The common attacks are the denial of service which includes downtimes and web based onsets. They account for more than 60 percent of the attacks in the cyberspace. There is the positive relationship between the size of the firm and the annual losses because of cyber-attack according to the report. There is also the correlation between the time taken to resolve an attack and the company’s cost. For instance, attacks, which take more, time before they are detected wreck more havoc than those identified in their early stages. Recovery and detection accounted for 50 percent of the total internal cost annually. Budgetary allocation relating to IT activities and network security are the highest. This reveals the cost of combating cyber-attacks. The report also points out that the deployment of security intelligence systems and a strong security posture greatly alleviates the cost of combating cyber-attacks. Detica Limited (2013) in the United Kingdom publishes similar findings in a report. The finding report cybercrime to be a national issue, which should be given more attention. The estimated loss in the UK because of cyber-attacks is 27 Billion Euros annually. Cyber-attacks take place in the following ways according to a Kaspersky report (2016).
Identity Theft
The attackers have been reported to obtain personal information and use it to open fake bank accounts where they get mortgages and loans. The victims are not aware until they are confronted for default.
Online frauds are also on the increase where cyber criminals fraudulently trick innocent citizens into buying into their fake deals. Individuals are also fooled into giving their private information such as their credit card information, which ends up under the control of the fraudsters.
Scare Ware
Fraudulent individuals misguided individuals into downloading software, which causes more havoc than good into their computer systems. Mostly the scare ware comes in form of antivirus that they use to gain access to the system.
IP theft has been identified to be one of the most dominant forms of cyber-attack. Other forms of cyber-attacks published in the report are industrial espionage mostly used by rival organizations to gain entry into key information such as bid price before the release of new product. Fiscal fraud has also been widely used in tax evasion in the UK. This has compressed public expenditure on development projects. Online stealing of revenue has been largely reported in the UK. Cases of extortion where companies have been held at ransom have resulted in the loss of billions of monies. Customer data loss in an organization because of cyber-attacks has greatly damaged the reputation of many organizations and loss of customer confidence. Cyber criminals mostly target high-value intellectual property, key company information, and bulk business data to cause damage and achieve their ill-advised goals (Gai, Qiu, & Elnagdy, 2016).
The studies by Kaspersky lab and Ponemon Institute are in a liaison that, cyber-attacks can occur to any institution and takes place at different degrees depending on the size of the firm. The two reports also point out the commonest forms of attacks.
The Cost of Defense and Mitigation against Cyber Attack
The aversion of digital criminal attacks is the most basic viewpoint in the battle against cybercrime. All the clients should be mindful of the threats posed by cyberspace hackers before sharing or transacting any online businesses (Giri, Jyoti, & Avert, 2006). An appropriate security precaution is the best guard against cybercrime. Each individual in the organizational system must know about the dangers of cyber-crimes, and ought to be trained on the accepted procedures to embrace with a specific end goal to diminish vulnerability to attacks and consequently moderate the dangers. The costs of defense against cyber-attack are both dire and indirect. The direct costs include the detection of cyber-attack, the cost of investigating the nature of the attack, containment cost, the price for recovering from the digital assault, and ex post response cost. Anderson and Barton. (2012) summarize indirect costs as information theft or loss, business disruptions as down times, equipment damage, and revenue loss.
According to the Kaspersky Lab report (Namestnikov, 2015), the normal direct expenses equal to $40,000 which incorporates the spending of downtime, lost business prospects, and the expert who charges small companies to contract and alleviate the security break. The examination demonstrates that, overall, small ventures can expect to pay $10,000 in proficient professional fees following a cyber-attack. These charges can incorporate the procuring of IT security advisors, risk administration experts, lawyers, physical security specialists, inspectors, and accountants. Other than the expert fees, the examination gauges that cyber-attacks cost organizations $5,000 in lost business opportunities and $23,000 in downtime. Notwithstanding the immediate costs, large companies encounter various circuitous costs following a security break. The examination by Kaspersky Lab Report (2015) found that big organizations spend, largely, $8,000 attempting to avert similar occurrences in future. This incorporates hiring new staff, training current employees and making IT framework upgrades. Most organizations likewise endure reputational impacts after an assault. The research gauges the reputational harm of a security rupture could cost small companies $8,653
The study conducted by Vince, McCarthy, and Raysman (2011) identify the investment in computer security and protection measures as a paramount measure in any institution. Any organization ought to put resources into the security hardware and strategies to deflect or counteract digital assaults which incorporate the most up-to date IT security measures, for instance, having the organization's database on an alternate web server than on the application server; applying the most recent security patches, maintaining strict information approval, developing system security engineering and monitoring exercises, and methodology of third party access to the system. According to Ponemon Institute Report, (2016), detection, investigation containment, and recovery from the cyber-attack is the significant internal cost in any organization. The Global Report points out that some attacks take more time to be recovered using the high cost. The price for upgrading the system in order to avert future related attacks is another significant expenditure. The cost of business interruption incorporates lessened employee efficiency and business process disappointments in the wake of a digital attack; this has been observed to contribute to 36 percent of the cost on average in any organization. Revenue loss and hardware harms take after at 20 percent and 4 percent of the total cost of cyber security cost respectively. Companies and organizations also spent significant amounts in the detection of cyber-attacks. The detection process incorporates IT gurus who have to be paid by the organization. This mostly happens when the company’s security department is unable to detect an attack.
Education and training of personnel come at a very high cost. However, this being a key precautionary measure, expenditure on training of all workers is inevitable. All employees must be made aware of security procedures in the system. Ignorance can be fatal to an organization and therefore the emphasis on training of all staff is a critical preventive measure. While end-user training and accreditation are basic to tackling the present attack on computer systems, it is imperative that associations of all sizes keep on investing in preparing and affirmation for the general population particularly in charge of developing and keeping up a safe system. Very regularly, associations that do send their IT staff for training are sending that staff to classes where they can learn the modern state of art security procedures (Kramer, 2017).
Changes in organizational structures put a company at a higher risk of attack for instance in cases of mergers or adoption of some new technology. Such advancements can build the danger of displeased and careless workers; subsequently, acquisitions should trigger organizations to be watchful and to maintain strategic approach to digital attacks. This calls for increased expenditure in the security department, which comes as an unanticipated operational cost to the organization (Tomner, 2012; Stockwell, 2012).
Tomner (2012) emphasizes on the assertion by Kramer (2017) that a comprehensive system should be put in place to avoid data breaches. Stock well advocates for encryption in data security. The encryption should ensure there is vetting of the third user, data retrieval should be restricted to authorized personnel, and a policy should be put in place within an organization to ensure that all access is approved. This, however, is a form of indirect cost, which has to be incurred by any organization, which is ready to safeguard the health of its system.
Conclusion
All the findings and researches discussed above coalesce into the common focal point that cyber security is the fundamental issue in any organization. Cyber security has been developed as one of the basic issues of the present time; nobody is debating this fact. What keeps challenging organizations is that cyber- attacks are evolving every day. However, the escalation in cybercrimes can be attributed to reluctance in the investment in cyber security, using old and outdated techniques in combating cyber-attacks and lack of well-trained personnel in counteracting cybercrimes. The reviews discussed do not indicate the companies which are willing to spend money on combating cybercrime. Another deterrent to winning the cybercrime war from the reviews above is that the public still perceives the cyber-attacks as problematic. They need to be aware that every individual should declare total war. The organization can be qualified as cyber secured if it has to foresee the possible security which breaches prior to engagement in any business. It should employ mechanisms to thwart data loss which has been identified to have a huge cost implication. Cyber security can be achieved through data backups. In addition, the firm should be aware of all insider threats, protect its system against the third party risks, and invest in the security department to avoid huge losses which will, otherwise, damage the organization’s reputation.
Preventive measures are significantly less costly than curative procedures. It is prudent for the organization to adopt cost lessening preventive measures rather than waiting for the imminent damaging attack. Moving forward, cyber security should be everyone’s responsibility. Constant training in order to identify the various sources of loophole should be prioritized.
References
Anderson, R., & C. Barton. (2012). Measuring the cost of cyber crime. Retrieved from http://www.econinfosec.org/archive/weis2012/papers/Anderson_WEIS2012.pdf
Detica Limited. (2013). The cost of cyber crime. Guilford: Guilford Surrey. Retrieved from https://www.uc.com/Public/crime/THE-COST-OF-CYBER-CRIME-SUMMARY-FINAL.pdf
Gai, K., Qiu, M., & Elnagdy, S. A. (2016, April). A novel secure big data cyber incident analytics framework for cloud-based cybersecurity insurance. New York: Routledge.
Gercke, M. (2012). Understanding cybercrimes: Phenomena, challenges, and legal response. New York: International Telecommunication Union.
Giri, B. N., Jyoti, N., & Avert, M. (2006). The emergence of ransomware. New Zealand: Auckland.
Kramer, J. (2017, June 27). A culture of cybersecurity: The only way forward. Retrieved from http://www.cyberdefensemagazine.com/wp-content/uploads/2016/10/A-Culture-of-Cybersecurity.pdf
Namestnikov, Y. (2015). Kaspersky security bulletin 2015. Retrieved from https://securelist.com/kaspersky-security-bulletin-2015-evolution-of-cyber-threats-in-the-corporate-sector/72969/
Ponemon Institute Report. (2013). 2013 cost of cyber crime study: United States. Retrieved from https://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf
Ponemon Institute Report. (2016). 2016 cost of cyber crime study: United States. Retrieved from http://www.ponemon.org/local/upload/file/2016%20HPE%20CCC%20GLOBAL%20REPORT%20FINAL%203.pdf
Stockwell, T. M. (2012). Defending against data breach. Retrieved from http://www.cyberdefensemagazine.com/wp-content/uploads/2015/04/GoAnywhere_Defending_Against_Data_Breach_white_paper.pdf
Tomner, T. (2012). The biggest cybersecurity threats of 2013. Retrieved from https://www.forbes.com/sites/ciocentral/2012/12/05/the-biggest-cybersecurity-threats-of-2013-2/#7baceb653d1b
Vince F., McCarthy, B., & and Raysman, H. (2011). Cyber attacks: Prevention and proactive responses . Retrieved from https://www.hklaw.com/files/Publication/bd9553c5-284f-4175-87d2-849aa07920d3/Presentation/PublicationAttachment/1880b6d6-eae2-4b57-8a97-9f4fb1f58b36/CyberAttacksPreventionandProactiveResponses.pdf
Type your email