Cybercrime: A lurking threat to companies

Digitisation continues to transition companies from brick and mortar models to hybrid models, balancing digital and physical innovations in several sectors. But as businesses evolve, so do criminal elements who prey on organisations through fraud and cybercrime.

Cybercriminals are now more advanced, sophisticated and capable of crippling businesses with the use of ransomware and other technical methods.

PriceWaterhouse Coopers’ (PwC) global economic crime and fraud survey for 2022 highlighted this fact stating that out of a survey of 1,296 businesses worldwide, 46 per cent have reported some sort of fraud, corruption or economic crime in the past 24 months.

Statistics from independent software review platform Finances Online say that cybercrime cost businesses worldwide about US$190,000 per second and about US$16.4 billion a day in 2021. Cybersecurity Ventures, leaders in research in the global cyber economy predicted that cybercrime costs will grow year on year by 15 per cent, reaching a total of US$10.5 trillion by 2025.

In TT, the costs of cybercrime are also hefty, costing businesses millions of dollars.

But while businesses worldwide have taken up the mantle to stand against cybercrime, PwC senior accountant Anthony Zamore said many local businesses are not taking cybersecurity seriously enough. He said there is a need for CEOs to get more involved in cybersecurity, or fall prey to lurking predators on the web.

Cyberattacks could cripple businesses

The cyberattack on Massy Stores last week is a good example of how cybercriminals could have businesses at their mercy even when many checks and balances are put in place.

Last Thursday, all branches of Massy Stores, one of the largest supermarket chains in TT, fell prey to a cyberattack forcing the group to close all 23 of its stores nationwide.

A release on Thursday confirmed that technical challenges experienced at the supermarket chain were a result of a cyberattack which affected technical systems in the supermarkets. Connected businesses such as Moneygram and Surepay were also affected as management advised the public that they find alternate means to transfer money.

The chain was unable to get back to full operation until Sunday when all its stores were re-opened. The supermarket’s loyalty point system was still out of commission up to press time on Wednesday.

Zamore said when businesses like Massy Stores are targeted people can be affected in more ways than one. Outside of the direct losses, downtime for businesses, and the cost of responding to attacks also comes as a cost to businesses which amounts to millions.

He said cyberattacks have become more prevalent in the region, especially in TT with significant increases in attacks locally.

In TT, ransomware and business e-mail compromise attacks are the most common.

“In the case of ransomware (malware that freezes all of a business's data and information), the direct loss would be the ransom that is paid. The ransom that is paid varies from a few thousand US to hundreds of thousands of US dollars.

"E-mail compromise (hacking into an e-mail account then monitoring it to impersonate it later) the value loss could be hundreds of thousands of dollars to millions.”

Zamore added that downtime for businesses could also be detrimental, especially as businesses are recovering from the economic effects of the pandemic.

“Companies need to stay active and they need their systems up in order to generate revenue. So when systems are not accessible for a number of days you lose income. Depending on the size of the company, that loss could be significant.”

He added that in order to respond to the attack, businesses would have to call in specialists which would also come at a cost.

Collusion and collaboration with employees is also a growing trend in cyberattacks. Zamore said cybercriminals pay top dollar to employees for their assistance in breaching businesses’ digital security.

“We have seen that employees may be swayed into giving away their credentials for money. Once those credentials are given away to these groups they use it to gain access to systems and environments,” he said. “It is really important to understand who they hired through vetting processes and monitor baseline account activity and be aware when access deviates from the baseline activity.”

TT Cyber Security Incident Response Team (TTCSIRT) manager Angus Smith said cyber attackers use whatever is beneficial to them to get into businesses’ systems and wreak havoc, some may also utilise various methods in tandem with each other.

“They may use a phishing e-mail to deploy malware which could release ransomware which could affect the organisation. Attackers also look at the institution and the organisation and the level of vulnerability that they have."

Ronald Walcott, managing director of Precison Cybertechnologies and Digital Solutions Ltd, said attacks on business' systems could come from anywhere.

"The reality is there is no hard and fast rule when it comes from cyberattacks. They are generally organised and use artificial intelligence. They can come from anywhere – Russia, China, the US, or it could come from right here."

In the case of Ansa McAl which was almost crippled because of a ransomware attack in 2020, the culprit was a Russian-based hacking organisation named REvil.

Ansa McAl fell prey to the hackers who held its IT systems and critical data necessary for the group’s operations hostage.

A Newsday report revealed that about 17,000 documents were sealed by the hacking group, who threatened to release the documents to a public server.

PwC: Take cybersecurity seriously

Despite the significant risk to core systems and a possible cost to the tune of millions of dollars some businesses still do not take cybersecurity seriously.

“What we don’t see is companies dealing with cybersecurity as a legitimate business risk. Many companies think of it as an IT problem,” said Zamore.

He said because of that, businesses often do not dedicate the right resources to cybersecurity and it is not as visible as it should be to members of the board.

He said quantifying the security risk is important for businesses to determine how much value a business should put on cybersecurity.

“What board members should ask is what is the potential loss to the business if a cyberattack were to happen. If they quantify those losses then adequate resources could be dedicated to mitigating those risks.”

Smith said while there have been more than 100 incidents of cyberattacks over the past five years, incidents are under-reported and those that do report incidents are not always forthcoming with information on losses etc.

“Two things could happen in a cyberattack. An entity could either report it or not. In the local landscape, it is under-reported. When they do report, you may get all the necessary information or you may not. But there is no obligation for people to report,” Smith said. “Some businesses think it hard to declare losses based on cyberattacks because they are worried about how it would affect their reputations. In other cases, maybe the businesses simply do not know how to quantify their losses due to a cyberattack.”

He said some systems could be put in place to quantify the losses.

Smith added that while all cyber attackers assess the security of businesses, some businesses do not, leaving holes in their security infrastructure.

“Some systems may not be configured or updated properly, or they have bad IT practices, their firewalls may not be updated and so on. Business owners sometimes think that just having a firewall and an anti-virus programme would be enough to protect an organisation. But some businesses need to take the threats more seriously.”

The Supermarket Association (SATT) seems to have taken the matter more seriously coming out of the cyberattack on Massy Stores. In a release sent to the media on May 4, SATT said it met with the TTCSIRT to discuss the attack and its ramifications.

“The virtual conference, attended by 50-plus persons within and connected to the supermarket industry discussed several strategies in dealing with the matrix of threats from cyberattacks in both traditional and novel means,” the release said. “The panel noted that the evolving sphere of cybersecurity posed difficult challenges which needed to be addressed in the wake of increasingly sophisticated attacks that now placed the supermarket sector in a position where it must evolve to meet a baseline level of defensive security measures.”

Methods such as updating systems, security awareness training for staff and two-factor authentication, where two different means of authentication are used to access businesses’ systems, are some of the best methods for protecting businesses from cyberattacks.

“A lot of companies use very old systems. Some are still using programmes that are over 20 years old,” Zamore said. “There are no patches for those systems. Those would have to be upgraded to systems that are supported by vendors.

“Using two-factor authentication where you would need a password and a unique code that could be generated in many ways, is by far one of the best ways to prevent the compromise of credentials.

“It is often said that employees are the weakest link in the security chain. Employees must understand the dangers and what exactly are the risks involved.”

New threats still loom

PWC’s report showed that while almost half (46 per cent) of businesses in its survey reported some form of fraud, corruption or economic crime, the rate of reports is on an incremental but steady decline, going from 49 per cent in 2018, to 47 per cent in 2020.

One exception, according to the report, is the tech industry which was able through its maturity to identify many attempts at fraud or cyberattacks since 2020. The report said nearly two-thirds of tech, telecommunications and media companies experienced some form of fraud over the past 24 months.

The report also indicated that big businesses were the most vulnerable with businesses with more than US$10 billion in revenue accounting for 52 per cent of incidents of fraud. The report said 18 per cent of these businesses in their worst reported cases incurred losses to the tune of US$50 million. For businesses with less than US$100 million in revenue, 32 per cent experienced some sort of fraud in the past 24 months, with worst cases resulting in losses of more than US$1 million.

Cybercrime accounts for the highest levels of fraud for most tiers of business, according to the report, with 32 per cent of businesses with less than US$100 million in revenue, 41 per cent of businesses with revenue between US$100 million and US$1 billion and 42 per cent of businesses with revenue more than US$1 billion making reports of cybercrime over 24 months.

The report also warned of recruitment from criminal groups who would want to use employees through social engineering to access businesses’ systems.

“Organised crime groups can recruit more easily in a down economy, bringing in new team members who are suddenly unemployed. As a result, there’s every reason to increase scrutiny on fraud risks in a downturn, with special attention to those the organisation may not have seen before.”

The survey revealed that attacks from external entities are quickly growing.

“Nearly 70 per cent of organisations experiencing fraud reported that the most disruptive incident came via an external attack or collusion between external and internal sources,” the report said. “External fraudsters are immune to traditional fraud prevention tools such as codes of conduct, training and investigations.”