Criminalising Cybercrime and Raising the Risk for Cyber-attackers
January 2022 by Dave Russell, Vice President of Enterprise Strategy, Veeam
Over the past few years, cyber-attacks have become something which the general public is increasingly aware of. However, a perception still exists, certainly outside the IT industry, that cyber-attacks are just something that happen on the Internet. It’s difficult to relate to and equate the impact of cybercrime on its victims – whether it’s an individual who has fallen foul of an online scam or a company that has been forced to pay a ransom to restore its systems. For this reason, it doesn’t always seem that cybercrime is viewed or treated like a ‘real’ crime.
While we acknowledge that cybercrime is an actual crime, some people find it difficult to get on board with the idea. Being totally outraged by a hacker taking down a multinational corporation could seem a bit far-fetched. This is possibly because of the stereotypes about cybercriminals being painted as disgruntled computer science whizz-kids with nothing better to do than ‘stick it to the man.’ Consider that the majority of cyber-attacks are the work of huge, organised and wealthy crime syndicates. They are highly sophisticated operations with the aim of stealing money from the business that pays your salary and the government that collects your taxes. Does that sound like a crime?
Are we guilty of victim blaming?
The fact is that cybercrime is an actual crime and businesses that fall foul of it are victims. They have suffered a crime committed against them. However, the level of sympathy towards organisations that get breached is very different to what we would give to an individual. If someone tells you they’ve been hacked, had personal information compromised, and money stolen, your natural reaction probably isn’t to say it’s their fault. However, cyber breaches are a source of lasting reputational damage to businesses. We tend to assume they did something wrong or acted carelessly. As somebody who has worked in the data protection industry for over 32 years, I would tend to agree with this. The vast majority of cyber incidents are avoidable and the result of organisations failing to follow best practice, poor digital hygiene, and/or outdated or unpatched software.
However, is there any other type of crime that focuses almost exclusively on blaming the victim and so little on bringing the criminals to justice? Businesses are viewed as the guilty party rather than victims and it is accepted that the criminals are unpunishable due to the lack of an agreed global legal framework and justice system. If a criminal from another country travels to the USA, for example, and commits a crime against a business on American soil, there is an entire diplomatic process to ensure this person is brought to justice and the victim is compensated. This simply isn’t the case when it comes to ransomware.
International and intercontinental co-operation is the only way to create an environment where the risks are higher than the rewards for cyber-attackers. The scourge of ransomware accelerated during the pandemic, increasing the appetite of government and business leaders to break the geopolitical impasse that has enabled cybercriminals to run riot. But it won’t be easy, and a workable holistic solution is still years away.
In the absence of a justice system that completely protects us from the bad guys, basic human survival instinct demands that we learn to defend ourselves. In the context of cybersecurity, that means focusing on a few fundamentals. Firstly, every enterprise needs a dedicated IT security lead in place with access to business leadership and the authority to lead the security initiative. For smaller businesses, you absolutely need to have a resource with designated responsibility for cybersecurity and specialising in data protection. Secondly, businesses need to practise impeccable digital hygiene. This includes mandatory training for all employees so that they recognise potential attacks, understand who to report them to, and understand why this is important. The more people buy in to the need for good digital hygiene, the more alert they become and the more willing they are to take the blinkers off.
Finally, never ever pay the ransom. Organisations that pay ransoms feed the ‘easy pay day’ perception that keeps cybercriminals coming back. As soon as businesses stop paying ransoms, we’ll see a reduction in the popularity of ransomware as an extortion technique. While businesses that suffer cyber-attacks are indeed victims, they are responsible for protecting any data that they use, process and store. Paying off cybercriminals to get systems back online is an unsustainable defence strategy. As governments become more active in seeking to prevent the spread of ransomware, we may see businesses that pay ransoms investigated and reprimanded by independent regulators.
Clearly, dealing with the relentless and mass scale of cybercriminal activity against businesses and individuals will be an international effort across both the public and private sector. While it is important that cybercrime is properly ‘criminalised’ and that the perpetrators are brought to justice, businesses must understand the responsibility they have to their customers and employees to protect any data within their jurisdiction. This can only be done by implementing a Modern Data Protection strategy that combines effective front-line cybersecurity defences with a comprehensive approach to data backup and disaster recovery.