Data theft, fraud and operational disruption, resulting in reputational damage and financial loss, are for the most part the main objective of this type of cyber-crime. The other objective is simply the challenge of breaking into an organisation’s network (often with the same losses experienced). The result is uncertainty about an organisation’s ability to protect its information.
Hacking incidents – the scale of the problem
Hacking incidents are rife in the current global economic environment, as can be seen from the following statistics obtained from KPMG’s latest Data Loss Barometer and the South African Hacking Database:
- 105 505 536 people were affected by data loss as a result of hacking incidents globally in 2009.
- 1 555 148 people were affected by data loss as a result of malicious insiders (eg, disgruntled employees) globally in 2009.
- 12 700 South African websites have been hacked since 1 January 2010.
A common fallacy around the hacking threat is that these sorts of attacks only come from the outside (external to the organisation), whereas the real opportunity to cause harm or make financial gain lies with the unsuspected internal employee.
The current recessionary climate has resulted in organisations implementing staff restructuring and expenditure cutting initiatives, which has increased the insider threat (ie, the disgruntled, stressed and financially strained employee).
The ‘insider threat’ focuses on defrauding the employer by obtaining and selling proprietary information to competitors, including information relating to customer relationships, levels of trading, pricing and profit levels.
According to KPMG’s latest Data Loss Barometer and the 2010 Web Hacking Incidents Database, hacking attacks on the government sector are on the increase globally.
With the introduction of E-Government in South Africa, the number of attacks is also very likely to increase, which will certainly require those charged with the governance of IT to give careful consideration to the controls that will prevent and detect hacking attempts before criminals succeed in committing fraud with the information obtained.
The second most targeted industry is the financial sector. However, since 2008, the success rate of hacking and data theft attempts appears to have dropped by almost 67%. The financial sector is the frontrunner when it comes to implementing internal controls to protect its data and limit access to sensitive information systems. The decrease in successful attacks is a clear illustration of the value of this investment.
Stopping hackers in their tracks
Regular risk assessments and technical security testing (also known as ethical hacking) of an organisation’s critical systems will help to identify the threats and vulnerabilities affecting those systems and to protect network and system resources. Understanding the vulnerabilities is key to actively managing the risks, reducing the chance of security breaches and limiting potential financial loss.