Have we had a day in recent memory when cybercrime was not part of the global news cycle? According to a newly released report from RSA, over 50 percent of phishing attacks in March 2014 targeted brands located in the United States, United Kingdom, India, Australia, and Canada; an April 2014 RSA report reviewing 2013 data noted phishing caused $5.9 billion in losses to global organizations that year, and 75 percent of data breaches were motivated by financial gain or fraud. Does vulnerability management have a role in reducing the likelihood of being a cybercrime victim? Oftentimes, it does.
What About My Company and Employees?
According to the IDC, more than one billion smartphones were shipped in 2013. Coupling that statistic with the Apple WWDC-2014 announcement that their app counts are in the millions and that downloads are exceeding 75 billion in iOS apps alone, it should come as no surprise that cybercriminals are targeting the application market and investing both in technology and methodology to increase their likelihood of success. Trend Micro, in their annual security roundup, put the number of new Android apps with malware (malicious software) in 2013 at about one million, noting that two of the targets for these efforts were personally identifiable information and unencrypted mobile data. Trend Micro updated their data in their TrendLabs 1Q 2014 Security Roundup, noting malware and high-risk apps are "growing at an even faster pace than last year" and that "the number of mobile malware and high-risk apps hit 2 million this quarter."
What Can We Do?
Know where your data is and who has access to it. When investigating cybercrime, the first questions any law enforcement entity will commonly ask are, "From where was the data stolen?" and, "How was it protected?" The fact that multiple entities within the security vendor space are all asking the same questions should illustrate that you should absolutely focus on remote access protocols and data protection of mobile devices that access or store company data.
Conduct a risk assessment of not only the technologies you use to protect your data, but also the processes and procedures you use. Know where beefing up your security posture, such as with vulnerability management, will give you the best bang for your buck and, above all, lower your risk of data compromise.
Similarly, if your product offering is subject to the nuances of technology advances, and if you occasionally have to resign yesterday's best practices due to today's vulnerability, evolve a process of vulnerability disclosure and remediation. Users are schooled to keep their operating systems and security software up-to-date. They are also educated to watch for announcements concerning vulnerability discovery in key applications running on their platforms or devices. Rolling out the vulnerability resolution in a transparent manner gives your customers a road map to resolution and also an estimate of the impact on their OPEX as they update their version of your product.
Law Enforcement Is There to Help
Law enforcement, by definition, enforces laws. The reality is that electronic crime is one of the most difficult crimes to enforce, and law enforcement often relies fully on the victim being able to produce information that will allow them to recreate what transpired. Absence of network and data access visibility by a company's IT team in the event of a crime markedly reduces the likelihood that law enforcement will be able to engage.
Smaller cybercrimes, in isolation, are less likely to garner law enforcement resources than those that impact a wider swath of the community. This writer was recently at an event where local law enforcement explained to individual users that if they believe they have fallen victim to a phishing attack, they are largely on their own, as the resources do not exist to pursue a transjurisdictional crime. That said, an individual entity, be it a person or a business, should report the crime to those affected—such as the bank and local law enforcement. As with anything else, when the number of complaints reaches a certain level, resources are made available, even if only to make the constituent population aware of the crime. Proper vulnerability management will help law enforcement crack down on cybercrime to the best of their ability.