Microsoft’s chief security advisor, Sarah Armstrong Smith, told a London Security conference that Vole blocks a staggering 250,000 password attempts a minute or 360 million per day.
She said that Microsoft is a prime target, and if only a minuscule fraction of these attempts succeed, cybercriminals can make a comfy living at the expense of their victims. And indeed, they do. Password spraying is just one weapon in their extensive arsenal.
Armstrong Smith came armed with more alarming statistics. Over half of all criminal activity in the UK is related to cyber or fraud, yet a measly per cent of police resources are allocated to tackle this class of crime.
Cybercrime is an invisible world. Little of it is visible to the public in terms of what is reported to the police, and the lion's share of cybercrime (80-90 per cent) involves identity-based attacks, including phishing and business email compromise (BEC).
“Identity-based fraud and crime is going off the scale,” she warned.
Fraud cases are notoriously complex and costly to solve, often crossing jurisdictions and requiring evidence that is difficult and expensive for law enforcement to obtain. This makes cyber and fraud low-risk activities for criminals. Drug gangs around the world are moving into cyber, as there is a lower chance they will be caught.
Unlike identity-based fraud, ransomware is in the public eye, but the common perception that only large organisations are targeted is incorrect. Eighty to ninety per cent of victims are small businesses, Armstrong Smith said, in part because they lack the tools and expertise to defend themselves. Again, the perpetrators are unlikely ever to face justice.
Additionally, nation-state actors are increasingly willing to target their adversaries’ businesses, organisations and infrastructure.
Since prosecuting cybercrime is difficult, victims’ chance of recompense through courts is limited. This puts even more impetus on prevention.
According to Jadee Hanson, CISO at trust management platform Vanta, only nine per cent of UK organisations' IT budgets are spent on cybersecurity. This figure, based on a survey of 500 businesses, is far from commensurate with the risk, she said.
“It’s not enough at all. I would recommend a 30 per cent target.”
She said cyber teams are well aware of the risks, but the challenge is getting the board to understand. “They’re just bumping up the constraints of the business. Trying to justify spending for something that might happen one day is hard when [the board] want to see the return on investment. They’re saying, ‘I could just give those dollars to a sales team, and they’d make six times that’.”
A way to drive cybersecurity up the agenda is to build metrics for compliance and risk management into the sales process, said Simon McDougall, chief compliance officer at market intelligence platform Zoominfo.
“We want to be able to give evidence that we’ve shortened the sales cycle and accelerated the process, so we’re always looking at how we can get involved in a sale.”
This might include the compliance or security department offering advice to a large corporate client, providing detailed data under NDA for a fee, or supporting a sale.
“In that way, we’re helping with the top line rather than trying to prove a negative, which is always hard,” McDougall added.