Criminalize cybercrime and increase the risk for cyberattackers
Dave Russell, vice president, corporate strategy, Veeam, tells us that companies need to understand the responsibility they have to their customers and employees to protect all data under their jurisdiction.
In recent years, cyberattacks have become a reality of which the general public is increasingly aware. However, a perception still exists, certainly outside of the IT industry, that cyberattacks are just something that happens on the internet.
It is difficult to identify and assess the impact of cybercrime on its victims, whether it is an individual victim of an online scam or a company forced to pay a ransom to restore its systems. For this reason, it does not always seem that cybercrime is considered or treated as a “real” crime.
Although we recognize that cybercrime is a real crime, for some it can be difficult to relate to it. The idea of being totally outraged by a hacker taking down a multinational company might seem a bit far-fetched.
This may be because of the stereotypes in which cybercriminals are portrayed as disgruntled computer prodigies who have nothing better to do than “stick it to the man”. Consider that the majority of cyberattacks are carried out by huge, wealthy organized crime syndicates. These are very sophisticated operations aimed at stealing money from the company that pays your salary and the government that collects your taxes. Does this look like a crime?
Are we guilty of blaming the victim?
The fact is that cybercrime is a real crime and the companies that fall victim to it are victims. They suffered a crime committed against them.
However, the level of sympathy towards violated organizations is very different from what we would give to an individual. If someone tells you they’ve been hacked, personal information compromised, and money stolen, your natural reaction is probably not to say it’s their fault.
However, cyberattacks are a source of lasting damage to the reputation of companies. We tend to assume they did something wrong or acted negligently. As someone who has worked in the data protection industry for over 32 years, I would tend to agree with that. The vast majority of cyber incidents are preventable and result from organizations not following best practices, poor digital hygiene, and/or outdated or unpatched software.
However, is there another type of crime that focuses almost exclusively on blaming the victim and so little on bringing criminals to justice? Businesses are viewed as culprits rather than victims and it is accepted that criminals go unpunished due to the lack of an agreed global legal framework and justice system.
If a criminal from another country goes to the United States, for example, and commits a crime against a company on American soil, there is a whole diplomatic process for that person to be brought to justice and for the victim to be compensated. This is simply not the case when it comes to ransomware.
International and intercontinental cooperation is the only way to create an environment where the risks outweigh the rewards for cyberattackers. The scourge of ransomware has accelerated during the pandemic, increasing the appetite of governments and business leaders to break the geopolitical impasse that has allowed cybercriminals to run wild. But it won’t be easy, and a workable holistic solution is still years away.
Learn self-defense
In the absence of a justice system that completely protects us from the bad guys, the basic human survival instinct demands that we learn to defend ourselves. In the context of cybersecurity, that means focusing on a few fundamentals.
First, every company needs a dedicated IT security manager in place with access to company management and the authority to lead the security initiative. Even small businesses need a designated resource responsible for cybersecurity and specializing in data protection.
Second, companies must practice impeccable digital hygiene. This includes mandatory training for all employees so they recognize potential attacks, know who to report them to, and understand why it’s important. The more people embrace the need for good digital hygiene, the more alert and ready to raise the alarm they become.
Finally, never pay the ransom. Organizations that pay ransoms fuel the perception of “easy payday,” which means cybercriminals keep doing it. As soon as companies stop paying ransoms, we will see a reduction in the popularity of ransomware as an extortion technique.
While companies that are victims of cyberattacks are indeed victims, they are responsible for protecting the data they use, process and store. Paying cybercriminals to bring systems back online is an unsustainable defense strategy. As governments become more active in seeking to prevent the spread of ransomware, we could see companies that pay ransoms come under investigation and be reprimanded by independent regulators.
Clearly, tackling the relentless and massive scale of cybercriminal activity against businesses and individuals will require an international effort across both the public and private sectors.
While it is important that cybercrime be properly “criminalized” and perpetrators brought to justice, companies need to understand the responsibility they have to their customers and employees to protect all data under their jurisdiction.
This can only be done by implementing a modern data protection strategy that combines effective frontline cybersecurity defenses with a comprehensive approach to data backup and disaster recovery.