It came as something of a shock some years ago when the world realised that the illegal international trade in drugs was organised very much on business lines, with its own supply chain of growers, producers, finance, logistics, distribution and sales. There is something particularly unnerving in the thought of criminal activity on an industrial scale.
Now the world is struggling to come to terms with the fact that cyber crime is going the same way. According to consultants and security specialists with detailed knowledge of this shadowy world, it divides into software specialists, distributors of that software, hackers, network specialists, and financial experts capable of handling and laundering the ill-gotten gains. It has middlemen and sub-contractors who will offer hacking services to organisations that lack the required skills themselves. And it has distributors who will sell on information gathered illegally to organisations that had no direct connection to the crime itself and might not even know that the data was obtained illegally.
For some time now Douglas Flint, Chairman of HSBC, has been using public platforms to warn that cyber crime is one of the most serious threats facing his bank, and by extension the whole business community. It is a challenge that the banks have been battling for years, and on which they spend hundreds of millions of pounds annually. But despite their huge expenditures so far, and a great deal of quiet co-operation between organisations that are otherwise commercial rivals, it is not a battle they would claim to be winning. At best, they would claim it is a draw.
The size of the threat is so great that some experts have questioned whether many smaller financial organisations – and particularly some of the new challenger banks, like Aldermore and Shawbrook – will be able to afford to put in place the appropriate level of defences. But against that there are experts who say smaller firms which outsource a lot may be less vulnerable than large organisations where everything is stored centrally on one large system. Some even suggest that the days of large systems – and by extension large organisations – may be numbered because of their vulnerability to attack.
The sheer scale of what is going on, and the intensity of the challenge, is well beyond the popular imagination. It is no longer the province of the mischievous amateur or petty thief showing off his or her computer skills. There are shadowy buildings with electronic wall maps in London, in Boston, in Israel, which light up constantly as they chart cyber attacks across the world.
The North Korean attack on Sony Pictures at the turn of the year was a timely reminder that attacks instigated by governments, agencies of governments or sophisticated terrorist groups are increasingly seen as a way to flex muscles or pursue objectives without resorting to force of arms. More discreetly, every time the West seeks to impose financial sanctions, be they against Russia over the Ukraine, Iran over its nuclear programme or Isis and Iraq over the war there, the western banks and financial institutions involved come under retaliatory cyber attack. The danger is such that the Bank of England is now seriously concerned at the systemic risk that might be precipitated by a cyber attack and has ordered financial institutions to test their resilience specifically with this in mind.
This underlines how cyber crime is not always about money. Governments have their agendas, but another category of crime has its roots in industrial espionage. Typically, the objective is the theft of intellectual property or other economically valuable commercial secrets such as supplier and customer lists, contract terms and patents of new product developments. It may not even be an organisation’s own data that is the target – some are attacked to obtain data on third parties with whom they deal.
And then there are rogue employees – those who are simply disgruntled, or those who believe they are fulfilling some higher purpose by whistleblowing with, for example, the theft and publication of tax records.
Safer to assume
The real point is that even today few businesses are really focused on cyber security. There is a mismatch between the thinking of firms, few of which think it is likely to happen to them, and experts who warn that every firm should assume it will come under attack sooner rather than later. There is a lack of routine staff training in the area, particularly when compared with time spent on money laundering or other areas of compliance. And there is a lack of appreciation – even after the HSBC tax avoidance row – of the reputational damage that can result. There is, in short, much that has to change.
The CISI is sponsoring a special section of this year's Cambridge International Economic Crime Symposium on 11-12 September, featuring 47 speakers from 15 countries over two days – its biggest-ever event. The Symposium itself, which last year attracted some 1,600 participants from around the world, begins on 6 September and runs for a week, and will be formally opened by Alderman Alan Yarrow, Chartered FCSI (Hon), the Lord Mayor and Chairman of the CISI, on 7 September. For further information, please email email@example.com
Look out for Anthony Hilton's First Person column in the June 2015 print edition of the Review.