Debating the full extent of cybercrime threats

Cybercrime is having a profound impact on businesses, but it’s difficult to capture and quantify the full extent of the threats companies face today. Our CEO Tim Sadler recently joined a panel of industry leaders, academics and journalists, at the Houses of Parliament, to discuss just this.

The event, organised by Parliament Street, followed a quick-fire panel format. Fellow panelists included:

  • Ayman El Hajjar, lecturer in cybersecurity and forensics at the University of Westminster
  • Raj Samani, chief scientist at McAfee
  • Dan Raywood, contributing editor at Infosecurity Magazine
  • Spencer Young, Regional Vice President at Imperva

What is cybercrime today?

Kicking off the debate, Raj Samani stated the real problem is that people fundamentally do not understand why the theft of data is bad. He argued that to make the reality truly hit home, the industry needs to start talking about the real-life impact cybercrime has on individuals’ lives and businesses’ survival.

Dan Raywood added that cybercrime has continually evolved, and there have been clear shifts in the tactics used by cybercriminals, with spear-phishing and business email compromise (BEC) being the biggest trends at the moment.

Tim argued that there hasn’t been a clear definition of what cybercrime actually is: “We often associate cybersecurity with computers and firewalls, but the fundamental problem is that a human is involved in the chain.” Tim went on to say that in business, we are reliant on people doing the right thing 100% of the time, but this is completely unrealistic.

How can we mitigate insider threats?

A member of the audience asked about insider threats, to which Spencer Young revealed that it can take “as long as 11 months for a company to realize a breach has occurred as the result of an insider threat.” Raj added that it is almost impossible to know whether the threat was a malicious act by an employee or a case of manipulation and social engineering.

The conversation turned to the positive impact machine learning can have in better recognizing insider threats and human errors that could cause data breaches. The panel discussed how machine learning can allow businesses to analyze human behavior to determine what’s normal and, importantly, identify what’s not normal, therefore mitigating potential threats.

Does legislation need to change?

Discussions turned to whether current laws are up to scratch to deal with the current threat landscape. Naturally, the panel discussed the pros and cons of the General Data Protection Regulation (GDPR), with Raj arguing that, in some instances, the stricter privacy laws have actually made the catching of criminals a lot more difficult as websites that previously published information about known criminals went quiet.

The panel agreed current policies are inadequate to protect individuals and businesses. They affirmed there needs to be greater education and awareness, making the threat feel more ‘real’ in order for businesses to fully understand the risks at play.

Tim added that there are still many grey areas that need to be addressed, particularly when it comes to investigating incidents of BEC. Tim described a case to the audience in which a senior executive had been duped by a hacker impersonating the company’s CFO into wiring a significant amount of money to an account. Who is accountable here? The machines and software didn’t necessarily fail; the human did.

How do we encourage more people to get involved?

Talent in the industry was a big focus of the debate. Interestingly, Raj stated that there isn’t necessarily a skills shortage in the UK - which is the usual lamentation - but rather a lack of courage and level of enthusiasm for the industry. (We’ve written before about cybersecurity having an image problem.) Everyone acknowledged the need for more role models - particularly female role models - to encourage talented individuals to consider a career in this exciting industry.

It was clear that all panelists believe the future is bright for cybersecurity. The opportunity to be involved in the industry has never been more accessible, and we are increasingly seeing more start-ups entering the space with exciting approaches to solving these 21st-century problems.