Cybercrime: German companies a popular target for attacks
On a global scale, cybercrime causes economic damage amounting to more than €400 billion. Medium-sized companies in Germany are a popular target.
E-mails containing controversial opinions about the company's high-profile partners are published, files are leaked and spread on the net, an international group receives terror threats, the products sold to customers don't work at Christmas of all times, and then on top of that, the regime in North Korea is said to be involved. The FBI is investigating. What might sound like an excerpt from a satire screenplay for a Hollywood movie actually happened to Sony Pictures Entertainment. The film production company was the victim of one of the biggest and most sensational cyberattacks in 2014. The attack on its servers badly damaged the company's reputation, forcing Sony to delay the release of its film 'The Interview', millions of Sony Playstations stopped working a short time later due to a Denial-of-Service attack (DoS attacks). The company has yet to announce just how much financial damage it suffered. Growing cybercrime is causing ever-greater problems for companies.
What is cybercrime?
- that are directed against the Internet, data networks, IT systems and their data and
- which are carried out using this IT Technology.
In a narrower sense, this also includes computer fraud, fraud using access rights for communication services, document forgery, deception in legal transactions during data processing, data manipulation or computer sabotage, as well as data espionage and interception, including the related preparatory acts. In the wider sense, it also refers to cyberstalking, harassment, child predation, extortion and cyberterrorism. Internet criminals covet digital identities. These criminals phishfor all kinds of access data, for instance, for e-mail accounts, online banking, accounts for company networks or cloud computing.
Focus on German medium-sized companies
In terms of gross national product, Germany appears to be the most attractive playing field for cybercriminals. A poll conducted by industry association Bitkom showed that 38 percent of Internet users in Germany fell prey to cybercrime between just March 2013 and April 2014. This means that 21 million people were affected and every tenth person suffered a financial loss as a result.
In recent years, these attacks have not only been directed against private individuals, but also increasingly against companies and their intellectual property. According to a study entitled 'Industrial Espionage 2014', more than half of all companies in Germany reported that they had been the victims of a real or suspected espionage attack. More than one third of these companies suffered financial losses. Medium-sized companies working in the automotive, aviation, shipbuilding and engineering sectors are popular victims. Experts assume that a much higher number of cases have gone unreported. Many attacks are not publicised for fear of damage to the company's reputation. In its draft IT Security Act, the Federal Government has included mandatory reporting of cyberattacks. The aim is to ensure minimum standards for operators of critical infrastructures and vital functions of the community.
Despite the highest security requirements, government offices are susceptible to cyberattacks. At the beginning of January 2015, the websites of Germany's Chancellor Angela Merkel, the German Bundestag and the Foreign Office were blocked and inaccessible for several hours. The CyberBerkut hacker group, which is closely linked to Pro-Russian Separatists in East Ukraine, attacked the servers in an effort to force the German government to stop its support for Kiev.
The attackers and their motives
The number of cybercrimes has risen steeply in recent years, between 2013 and 2014 alone by 48 percent to 42.8 million. Every day, 117,339 attacks were reported; this was found in the study on the Global State of Information Security conducted by PwC. And it comes as no surprise, after all, criminals around the world earn more with stolen data than selling drugs. It is claimed, for instance, that Russian hackers stole 1.2 billion passwords in 2014. According to experts, a dataset with a digital identity is worth one cent on the cyber black market. This would mean that thieves had earned €12 million.
But attackers are not always interested in money. The Lizard Squad hacker group, for instance, claimed that, while also entertaining the public, they wanted make Sony and Microsoft aware of security loopholes in their systems for the Playstation and Xbox game consoles.
Present and past employees are the biggest risk factor
Victims of cybercrime frequently report present and past employees to be the reason for security incidents, not least due to growing digitisation and mobility in the working world. In more than 35 percent of cases, they were responsible for the losses suffered and their criminal acts were not always intentional. But things like BYOD and the possibility to use the company's mobile terminal devices for private purposes or when on the move are factors that increase the risk of attack. Despite current developments, companies, and especially medium-sized ones, still fail to take the necessary precautions and to make their employees aware of these risks by providing information and training for security-conscious behaviour. Present and former business partners and service providers who are given digital identities to access the company network are another potential threat.
Consultancy firm PwC has estimated that companies are not preparing themselves sufficiently to deal with rising cybercrime. Global spending on IT security had even declined slightly. Investments in IT security fell in 2013 by four percent, while small and medium-sized companies cut their budgets even more dramatically, in some cases by up to 20 percent. All in all, IT security accounts for only 3.8 percent of the overall budget for information technology. Only 50 percent of companies examine the risks related to third parties with access data for the company network. Only half of those polled said that they had a comprehensive overview of all external service providers who manage customer or employee data. The experts believe that there is still a need to act when it comes to prevention, protection, identification and response to cybercrime.