“The recent field trial by the Office of National Statistics suggested that there could have been over 7.5 million cyber offences against individuals last year. 2016 will see cybercrime finally find its place in our official statistics. I doubt that even the headline grabbing statistics which follow will capture the true scale of cybercrime – with many crimes against organisations remaining unreported.
Extortion attacks make a comeback
“Extortion attacks have been making a comeback with criminals demanding significant sums for suspending denial of service attacks against targets; not going public with stolen data; and of course providing a ‘service’ which grants access to a ‘client’s’ data which they had previously hacked and encrypted. Although security firms and law enforcement have become savvier in disrupting the infrastructure being used by organised crime groups, cyber criminals continue to search for new ways to turn other people’s information into money.
HNWs, corporate treasuries and commercial banks face a bigger threat
“While phishing attacks, banking Trojans and large scale low value cash outs have characterised the last 10 years of cybercrime, new techniques are becoming part of the criminal arsenal while firms invest more and more in cyber threat intelligence in the hope of keeping up. In 2016 we predict that organised crime groups will become increasingly selective in targeting high net worth individuals, corporate treasuries and commercial bank accounts; as well as looking for new ways to profit. The recent US indictments of alleged market hackers show just how sophisticated manipulation of markets has become – whether through front running stocks using stolen market sensitive information, or pump and dump schemes using personal data acquired in bulk from unsuspecting banks, insurers and even governments.”
2015 has topped 2014’s unenviable record of bulk data breaches with some of the most serious large scale disclosures of personal information. Unfortunately this trend is likely to continue in 2016, with David Ferbrache suggesting that the patience of regulators is beginning to wear thin and there is a growing drive for transparency around business’ approach to cyber security.
A regulated response
“The much lobbied EU General Data Protection Regulation and the EU Network and Information Security Directives are likely to be finally agreed in 2016, firing the starting pistol for governments and firms to implement within two years. Together these EU interventions set the scene for greater transparency around data breaches, a more robust data protection stance and a Europe wide nudge towards greater cyber security regulation.
“While large international firms are no strangers to an increasingly complex and uncoordinated global tapestry of national cyber security initiatives, smaller firms are likely to come under increasing pressure in 2016 as their larger cousins embed cyber security requirements into their contracting and procurement processes – fuelling both a supply chain security industry and the growth of third party cyber insurance.”
“The expected launch of a new National Cyber Security Strategy in 2016 has the potential to signal a new relationship between UK governance and industry, with the new National Cyber Centre at its heart. In 2016 we can only hope for a nuanced approach to regulation which works with the risk mechanisms in the markets to drive the right behaviours and address the current market failure around cyber security.”
Following recent geopolitical developments, it is likely that terrorism will spill over to the cyber world. This is something that was already raised by the Chancellor when he spoke at GCHQ recently. David Ferbrache points out that:
“Terrorist organisations are becoming more and more tech savvy exploiting the internet for propaganda, radicalisation and communications. Often seen as a dog which hasn’t yet barked, it seems inevitable that such terrorist groups will explore and exploit cyber attacks. While these attacks are likely to lack the visceral impact of the tragic bombings and shootings which have become all too common, they are likely to become more frequent in our increasingly interconnected and interdependent world.
“2016 is likely to be the year that cyber resilience starts to matter more than just cyber protection, as governments worry about systemic risks from cyber attacks and critical infrastructure firms start to pay more attention to just how resilient their business models really are to these new threats. The NIST cyber security framework will succeed in becoming the de-facto yardstick for cyber security amongst such firms.”