How much should you spend on cyber defense, recovery, and insurance? A recent research study from WEIS [PDF]—a collection of cyber security researchers—analyzes the costs of cyber crime and how it has changed over the years. While the report mostly covers world e-commerce losses and how governments can combat them, it also reports cyber security trends, and their findings match ours. We see many more phishing emails and credential stealing attacks than ever before. The report also shows that with more user information online, the price for cyber security vulnerabilities goes way up. Good network security practices are more important than ever. The damage done after a cyber attack is far more than just the revenue garnered by the perpetrators. For example, the report shows that banks spent an estimated $98,000,000 just to replace compromised credit cards in 2018.
We found some other interesting facts in the rest of the report. Here are a few big ones and a quick description on how to deal with them:
- There has been an uptick in fraud based on SMS (text) message interception. – Don’t rely on SMS for 2-factor authentication (2FA). If attacker gets malware on you phone, they can read your SMS messages. They also commonly swap your SIM card (a practice of covertly changing the SIM card associated with the account) to gain access to your data. These two attack methods make reading users’ SMS messages easy. Rather than SMS-based 2FA, use multifactor authentication (MFA) apps like WatchGuard AuthPoint to protect your accounts. In addition, ensure you have a pin to lock your cell phone account to your carrier to prevent SIM swaps.
- Attackers stole $36 million with fake ICO (initial coin offering) scams (or $1 billion in value at the time of the theft) – Cryptocurrency hasn’t had enough time to identify companies that can be trusted the way we trust certain banks. Many of the ICO offerings are not really legit. Avoid the temptation to get rich quick and stay away from shady, unvalidated ICOs.
- Users lost $52 million to malicious cryptomining. – Just like ICO scams, if it sounds too good to be true then it probably is.
- The FBI’s Internet Crime Complaint Center (IC3) received over 14 thousand tech support scam complaints in 2018 -These scams resulted in $38 million in loses, which is a 161% increase year over year. The IC3 notes that most of the victims were over 60 years old. While some of these scams start over the phone, you encounter others on malicious websites. WatchGuard’s DNSWatch can help prevent your users from reaching those malicious web sites. You should also educate your user about fake tech support calls to make sure they don’t fall for this costly social engineering.
- CEO scams rose from $260 million in losses during 2014 to $1.3 billion in 2018 – The FBI also received eight times more CEO scam complaints. In this scam, you receive an email that appears to come from your CEO, but the address is spoofed. Often, mail clients like Outlook will tell you that the spoofed email actually comes from an address outside your company. If you see such a warning, you should avoid the email. If you aren’t sure, it never hurts to confirm the sender through some other communication medium like phone or text. In short, if you get an email from your CEO asking you to transfer a million dollars to some account, double check with your real CEO before doing so.
- The FTC’s Consumer Sentinel recorded over 20 thousand romance scams – The Consumer Sentinel is the FTC’s database of reported consumer scams. Recently, they had tens of thousands of reports of romance scams, which cost victims $143 million in losses during 2018. That’s up increase the 8,500 reports in 2015. You should make your employees aware of fake online wooing so they avoid becoming a victim.
- Cyber insurance has reached $4 billion in premiums during 2018 – This is about double the premiums from 2015. While you should focus on preventative defenses, cyber insurance makes a great additional layer to your cyber security strategy.
In conclusion, the report recommends we spend more time catching and punishing cyber criminals. While you can’t apprehend these criminals yourself, you can do your part by reporting online crimes. You should also balance your cyber security budget to better protect your company. Our CTO, Corey Nachreiner, wrote an excellent article on security budget allocations last year. In his article, he recommends spending 50 percent on preventive measures, 30 percent on tools to identify an attack quickly, and 20 percent on recovery in case of a successful attack. Cyber security insurance should be part of the recovery budget.
For the full report, please see this link.