Stuart Madnick, John Norris Maguire professor of information technology at the MIT School of Engineering, spoke at Securing Our Future: Cambridge Cyber Summit.
The cyber threat is real.
If you have control of valuable assets, including trillions of dollars of transactions, as the Society for Worldwide Interbank Financial Transactions (SWIFT) does, your company will be attacked. It’s a matter of when, not if, it will happen. That means you need to develop a sophisticated and multifaceted approach to cybersecurity.
Only a few years ago, corporate cybersecurity might have been limited to installing the latest software patch—an activity on par with, say, facilities management.
However, given the increasing number and magnitude of cyber crimes, as well as new types of threats, cybersecurity now requires a coordinated effort between companies, government agencies, and advanced academics with cutting-edge insights into the future of technology. In a networked world, no one can afford to go it alone.
While there may still be lone-wolf high school students hacking into systems in their spare time, most of today's serious attacks are launched through an elaborate cybercrime ecosystem. There, technical specialists create cyber-weapons that cyber-criminals can buy on the “dark web,” often for remarkably low prices. Recently it has been reported that cyber-weapons developed by the NSA were stolen and are up for sale.
Cybercrime poses a real and persistent threat to business, government and financial institutions. The February 2016 theft of $81 million from the Bank of Bangladesh’s holdings at the New York Federal Reserve via the SWIFT network serves as an important reminder of how effective and damaging these attacks can be. The thieves used the bank’s own computers to issue what appeared to be legitimate transfers of millions of dollars.
Attacks such as these are increasingly multi-pronged and require extensive knowledge of the organizations and systems being attacked.
For example, after the malware planted in the Bangladesh Central Bank sent the fund requests, it deleted the database records of the transfers, took steps to prevent confirmation messages from revealing the theft, and even altered the reports that were sent to the printer. Similarly elaborate schemes were used in a December 2015 attack on Ukraine’s power grid.
Although all the details of the Bangladesh event are not known, we do know that 50 to 80 percent of all cyber-attacks are aided or abetted by insiders, most commonly by an email message that asks a relevant party to click a link or open an attachment.
It is highly likely that almost everyone has received one of these phishing attempts. Some are fairly obvious: “I am a Nigerian prince with millions to give you.” These have a 1 to 2 percent success rate. Meanwhile, more subtle messages, such as “you have exceeded your email quota and you need to take this action to continue getting email,” can have a 10 percent success rate.
But the real challenge is “spear phishing,” where success rates can exceed 70 percent. These are carefully crafted messages that appear to come from trusted individuals, such as a known executive in your company, and make use of detailed knowledge about you and your job.
Sophisticated threats and attacks such as these require a multi-pronged response. And while each organization will fashion its own customized response, we believe that all companies, institutions and government agencies should think holistically, end to end.
It is up to senior business leaders to take the lead in protecting their organizations, and in the dark and complex world of cybercrime that can only be accomplished by working together with government, industry, and academia.
This article originally appeared on CNBC.