Criminalize cybercrime and increase the risk for cyber attackers

By: Dave Russell, Vice President, Corporate Strategy, Veeam

In recent years, cyber attacks have become something of which the general public is increasingly aware. However, a perception still exists, certainly outside the IT industry, that cyber attacks are just something that happens on the Internet. It is difficult to identify and assess the impact of cybercrime on its victims, whether it is an individual victim of an online scam or a business that has been forced to pay a ransom to restore its systems. For this reason, it does not always seem that cybercrime is considered or treated as a “real” crime.

While we recognize that cybercrime is a real crime, for some it can be difficult to engage with it. The idea of being totally outraged by a hacker dismantling a multinational corporation may seem a bit of an exaggeration. Perhaps this is because of the stereotype that portrays cybercriminals as disgruntled IT kids with nothing better to do than ‘stick it to the man’. Consider that the majority of cyber attacks are the work of huge, wealthy organized crime syndicates. These are very sophisticated operations with the aim of stealing money from the company that pays your wages and the government that collects your taxes. Does this sound like a crime?

Are we guilty of blaming the victim?

The point is, cybercrime is a real crime and the businesses that fall victim to it are victims. They have suffered a crime committed against them. However, the level of sympathy for organizations that are violated is very different from what we would give to an individual. If someone tells you that they’ve been hacked, personal information compromised, and money stolen, your natural reaction probably isn’t to say it’s their fault. However, cyber breaches are a source of lasting damage to business reputations. We tend to assume that they did something wrong or acted negligently. As someone who has worked in the data protection industry for over 32 years, I would tend to agree with this. The vast majority of cyber incidents are preventable and result from organizations’ non-compliance with best practices, poor digital hygiene and/or outdated or unpatched software.

However, is there another type of crime where so much effort goes into blaming the victim and so little into bringing the criminals to justice? Businesses are seen as the culprits rather than the victims, and it is accepted that criminals go unpunished due to the lack of an agreed global legal framework and justice system. If a criminal from another country, for example, goes to the United States and commits a crime against a company on American soil, there is a whole diplomatic process to ensure that that person is brought to justice and that the victim is compensated. This is simply not the case when it comes to ransomware.

International and intercontinental cooperation is the only way to create an environment where the risks outweigh the rewards for cyber attackers. The ransomware scourge accelerated during the pandemic, increasing the appetite of governments and business leaders to break the geopolitical deadlock that allowed cybercriminals to rampage. But it won’t be easy, and a viable holistic solution is years away.

Learn Self Defense

In the absence of a legal system that completely shields us from the bad guys, basic human survival instincts demand that we learn to defend ourselves. In the context of cybersecurity, that means focusing on a few fundamentals. First, every business needs a dedicated IT security manager with access to corporate management and the authority to lead the security initiative. For small businesses, you absolutely need to have a designated cybersecurity resource who specializes in data protection. Second, companies must practice impeccable digital hygiene. This includes mandatory training for all employees so that they recognize potential attacks, understand who to report them to, and understand why this is important. The more people embrace the need for good digital hygiene, the more alert and willing they become to take the blinders off.

Finally, never pay the ransom. Organizations that pay ransoms fuel the perception of an “easy payday”, which means cybercriminals keep doing it. As soon as companies stop paying ransoms, we will see a decrease in the popularity of ransomware as a technique of extortion. While businesses that experience cyberattacks are victims, they are responsible for protecting the data they use, process and store. Paying cybercriminals to bring systems back online is an unsustainable defense strategy. As governments move more and more to prevent the spread of ransomware, we may see companies that do pay come under investigation and be berated by independent regulators.

Clearly, dealing with the relentless and massive scale of cybercrime activity against businesses and individuals will be an international effort, both public and private. While it is important that cybercrime is properly “criminalized” and that perpetrators are brought to justice, companies need to understand their responsibility to their customers and employees to protect all data under their jurisdiction. This can only be done by implementing a modern data protection strategy that combines effective front-line cybersecurity defenses with a holistic approach to data backup and disaster recovery.

Martin E. Berry