A computer-oriented crime, often known as cybercrime, is a crime that involves a computer and a network. The computer could have been utilized in the commission of a crime or it could be the intended victim. Cybercrime is defined as the use of a computer as a weapon to perform crimes such as fraud, identity theft, or invasion of privacy.
Cybercrime has grown in relevance as the computer has become important to every area, including business, entertainment, and government. Cybercrime can jeopardize a person’s or a country’s security and financial health. Cybercrime encompasses a vast range of actions, although they can be broadly classified into two types:
- Crimes that target computer networks or devices. These types of crimes involve different threats (such as viruses and bugs) and denial-of-service (DoS) attacks.
- Crimes that use computer networks to commit other criminal activities. These types of crimes include cyberstalking, financial fraud or identity theft.
Europol’s European Cybercrime Centre (EC3) discusses the key threats in its 2019 Internet Organised Crime Threat Assessment Report (“the Report”), demonstrating that while criminals are developing innovative methods to commit cybercrimes, the majority of crime remains based on the use of well-established methods that have historically provided results.
Because of the continued employment of these technologies, the common obstacles for law enforcement have remained unaltered in recent years. The Report offers some insight into the five major difficulties.
Loss of data
Due to legislative changes such as the GDPR, law enforcement may be denied access to data or may only be able to access very limited data as part of a criminal investigation. Increasing technological development and internet use also present a challenge for law enforcement, resulting in extremely large amounts of data where it is difficult to distinguish a specific user.
Encryption is another tool used by criminals to stop incriminating data from getting into the hands of law enforcement, whilst the use of cryptocurrencies such as Bitcoin allows criminals to deal in the proceeds of crime with a relative level of anonymity.
Lack of data required by law enforcement has a significant detrimental impact on their work, often resulting in investigations being delayed or even discontinued.
Loss of location
Whilst the use of encryption, cryptocurrencies and other technologies such as the dark web or cloud storage may result in the loss of data, they also present significant challenges for law enforcement in establishing the physical location of perpetrators, criminal infrastructure or electronic evidence.
This raises complex jurisdictional considerations and makes it difficult to determine who is responsible for conducting investigations.
Challenges associated with national legal frameworks
Legal frameworks vary between countries in Europe, making effective cross-border investigation and prosecution of cybercrime extremely challenging. The main differences relate to which conduct is criminalized and how investigations may be conducted.
The latter has a great impact on the collection of electronic evidence and the monitoring of criminal activities online, which are critical to any cybercrime investigation.
Obstacles to international cooperation
Whilst differences in national frameworks present challenges for cooperation amongst European member states, the lack of a common legal framework throughout the world presents significant challenges for international cooperation more generally. This is particularly problematic in the case of large-scale cyber-attacks that span multiple continents.
Mutual Legal Assistance is perceived as being slow and ineffective, with evidence often not being secured in time to ensure the success of a criminal case.
Challenges of public-private partnerships
The private sector often holds the keys to providing law enforcement with crucial data to facilitate investigations and can play a key role in helping to dismantle criminal infrastructures. Despite the importance of public-private collaboration, there is no clear legal framework defining how the private sector may cooperate with law enforcement whilst ensuring that they are not breaching the privacy or rights of their customers.
Further challenges are associated with new and emerging technologies such as quantum computing and artificial intelligence. Whilst presenting opportunities for law enforcement and the private sector in detection and mitigation, there is also the potential for criminal misuse to fuel cybercrime.
Law Enforcement in Investigating Cybercrime
Cybercrime has an expansive definition that includes any crime conducted via the Internet, network or digital device. Capturing digital evidence, such as that found on cellular phones, GPS devices, computers, tablets, and network servers, is crucial to investigating and solving cyber crimes. Strong cybercrime investigative capabilities are also critical for solving traditional crime.
The chief plays an important role in ensuring officers and investigators are prepared to handle these complex crimes and investigations. Chiefs may need to consider:
Training officers on cyber crime protocol
Chiefs should ensure that officers, investigators, and other relevant personnel receive regular training on handling cyber crimes.
Cybercrime policies
Departments should develop policies and protocols for handling cybercrime investigations and what to do in case the agency is the victim of a hacking attack.
Jurisdictional issues
Cybercrime frequently crosses state and national borders. Chiefs should work with their federal law enforcement partners and local prosecutors to understand the jurisdictional issues involved with cyber crimes.
Creating partnerships with other public or private organizations
Agencies may be able to develop partnerships with other organizations to improve their cybercrime investigations. Chiefs should look into developing ties with other law enforcement agencies and private organizations. Partnerships are particularly important for smaller agencies that may have more limited resources. For example, law enforcement agencies across the country have successfully developed working partnerships with the private sector in a variety of areas.
The Federal Bureau of Investigation (FBI) has several cyber-related partnerships including the Internet Crime Complaint Center (IC3) and the National Cyber Forensics & Training Alliance. Private-public partnerships can enhance resources for both law enforcement and the private sector as well as create a network of contacts.
Ensuring officers/investigators understand digital evidence
Chiefs need to be aware of the wide variety of digital evidence their officers and investigators handle, and ensure that evidence is properly processed and stored.
Government Policies And Laws For Cybersecurity
Applicable Laws
Numerous federal and state laws include cybersecurity requirements. The Federal Trade Commission (“FTC”) has been particularly active in this space and has interpreted its enforcement authority under § 5(a) of the FTC Act, applying to unfair and deceptive practices, as a means to require companies to implement security measures.
The FTC has brought numerous enforcement actions against companies it alleges failed to implement reasonable security measures. The US Supreme Court, however, has circumscribed the FTC’s abilities to seek monetary penalties for potential violations of the FTC Act without first utilizing its administrative procedures.
Some federal laws, however, are sector-specific or extend only to public companies. Securities law generally prohibits fraud in connection with securities, and the Securities and Exchange Commission (“SEC”) has been rigorous in the enforcement of disclosure requirements for adequate public disclosures regarding cybersecurity risks and material cybersecurity incidents for both public companies and regulated financial institutions.
Moreover, the Gramm-Leach-Bliley Act (“GLBA”) and its implementing regulations require “financial institutions” to implement written policies and procedures that are “reasonably designed” to ensure the security and confidentiality of customer records and protect against anticipated threats and unauthorized access and use.
Recently, regulators including the FTC and SEC have adopted or proposed new regulations requiring that covered organizations adopt more specific cybersecurity measures. The Health Insurance Portability and Accountability Act (“HIPAA”) includes cybersecurity requirements applicable to protected health information in the possession of certain “covered entities” and their “business associates”.
At the state level, many states have passed laws imposing security requirements. Most of these statutes require some form of “reasonable security”. New York’s SHIELD Act, for example, requires reasonable security for personal information and specifies measures that may satisfy that standard. The California Consumer Privacy Act (“CCPA”) (expanded by the California Consumer Privacy Rights Act beginning in 2023) creates a data breach right of action for Californian residents with statutory penalties of $100 to $750 per consumer and per Incident if plaintiffs prove that the impacted business failed to implement reasonable security procedures to protect the personal information.
Data protection laws in Connecticut, Colorado, Utah and Virginia going into operation in 2023 also require “appropriate” or “reasonable” security measures and Massachusetts regulations have long imposed specific security requirements regarding personal information, including the implementation of a written security program and encryption of certain data.
Regarding defensive measures, including a Company’s ability to monitor for potential attacks, the Cybersecurity Information Sharing Act (“CISA Law”) has two primary impacts. First, it allows companies to monitor network traffic, including taking defensive measures on their own systems. Second, it encourages the sharing of cyber-threat information between companies and with the government.
Critical or essential infrastructure and services
The Cybersecurity and Infrastructure Security Agency Act created the Cybersecurity and Infrastructure Security Agency (“CISA”), a component of the Department of Homeland Security, and the federal agency responsible for protecting critical infrastructure in the United States. CISA coordinates between government and private sector organizations in protecting critical infrastructure and develops and transmits information to private sector entities regarding its expertise in cybersecurity vulnerabilities, incident response and cybersecurity risk.
In a significant development, in March 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which will require reporting by covered entities within the critical infrastructure sector of “significant cyber incidents” and ransomware payments to CISA. Key details require further development through rulemaking, including the scope of covered entities required to report and the types of incidents requiring reporting, among other things.
The federal government has also issued sector-specific guidance for critical infrastructure operators, and the nuclear, chemical, electrical, government contracting, transportation and other sectors have detailed statutory and regulatory requirements.
Security measures
U.S. cybersecurity laws exist at both the federal and state levels and vary by commercial sector. For instance, several federal statutes have data breach notice provisions, but each state and four territories also have data breach laws. Many regulators expect regulated companies to have implemented “reasonable” security measures, taking into account factors such as the sensitivity of the data protected.
In light of the proliferation of standards, many companies rely on omnibus cybersecurity frameworks like the NIST Cybersecurity Framework, covering efforts to identify and assess material foreseeable risks (including vendor security), design and implement controls to protect the organization, monitor for and detect anomalies and realized risks, and respond to and then recover from Incidents.
In addition to general reasonable security requirements, some U.S. state laws or regulations are more prescriptive. For example, the New York Department of Financial Services Cybersecurity Regulation includes specific requirements such as annual penetration testing for covered entities.
The FTC’s revised Safeguards Rule applicable to certain financial institutions specifies certain measures for the protection of customer information, including encryption and multifactor authentication (or a reasonable equivalent approved by a designated individual responsible for overseeing the institution’s security program).
Reporting to authorities
All states and four territories have requirements for the reporting of Incidents and most of these statutes require reporting to state regulators. The nature and scope of the information that is required to be reported varies by state or territory.
For example, California requires the following information in notices sent to individuals: (1) the name and contact of the reporting person; (2) a list of the types of personal information breached; (3) the date of the breach (or estimated range); (4) whether notification was delayed by a law enforcement investigation; (5) a general description of the breach incident (if possible); and (6) toll-free numbers and addresses of the major credit card reporting agencies.
These state requirements are in addition to federal requirements that are sector-specific. For example, the Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) requires covered entities and business associates to report certain Incidents involving Protected Health Information (“PHI”). In February 2022, the SEC issued draft regulations that would require reporting of “significant adviser” or “significant fund cybersecurity incidents” within 48 hours of reasonably concluding that an incident has occurred.
The SEC is currently reviewing comments regarding its proposed rules. Public companies must also report material events. Those reporting requirements will be further defined by regulations, also in draft, issued by the SEC in March 2022. These regulations, like those applicable to funds and advisers, await further regulatory action before they are finalized. Lastly, Congress passed CIRCIA in March 2022, which will create another reporting regime applicable to certain organizations within critical infrastructure sectors.
Timeframes for reporting vary by state or agency, with most requiring notification around the same time that individuals are notified (or sometimes in advance). Vermont requires any notification to its Attorney General to be sent within 15 days. Covered financial institutions are required to report breaches to the New York Department of Financial Services within 72 hours. At the request of law enforcement agencies, however, some notifications may be delayed.
Information about cyber threats generally need not be reported, although the federal government encourages participation in Information Sharing and Analysis Centers (“ISACs”) or Information Sharing and Analysis Organizations (“ISAOs”) where threat intelligence is shared within sector-specific groups of companies. CISA also strongly encourages sharing breach information with it, along with other cyber threat indicators.
Reporting to affected individuals or third parties
All 50 U.S. states and four territories have now passed breach notification statutes with varying requirements. Typically, breach notification statutes require notification to be sent to individuals whose electronic Personal Information, as defined therein, was acquired in an Incident, though some states require notification based on access to such information alone.
State definitions of Personal Information triggering data breach notification generally apply to the first name or first initial and last name in combination with another identifier, when not encrypted or redacted, such as social security number, driver’s license or identification card number, or account number, or credit card or debit card number in combination with any required security code, access code or password that would permit access to the individual’s account.
Increasingly, states are also including health and biometric information in the definition of Personal Information, as well as usernames and passwords that provide access to an online account. Many states also require that notice be sent to Attorneys General or other state agencies, often depending on the number of individuals impacted. Most states allow for consideration of whether there is a risk of harm to the data subjects, but some states do not allow for such consideration.
Timeframes for notification vary by state; however, 30 days is a common standard. Additionally, some sector-specific laws provide notification requirements. The HIPAA Breach Notification Rule, 45 CFR §§ 164.400–414, requires HIPAA-covered entities and business associates to provide notifications in the event of certain Incidents impacting PHI.
Responsible authority(ies)
The regulator varies by sector, law, and state. The FTC is the principal U.S. federal privacy regulator covering most for-profit businesses not overseen by other regulators. The SEC regulates many financial institutions and the OCR is primarily responsible for enforcing HIPAA. CISA plays an increasingly significant role in protecting U.S. critical infrastructure, and its role in notification will be expanded through the regulatory process implementing CIRCIA.
State Attorneys General have broad authority regarding the enforcement of cybersecurity matters. In addition, federal and state regulators in particular sectors, such as insurance, have further enforcement powers.
Penalties
The U.S. has no single framework for non-compliance with notice requirements, and penalties will depend heavily on the relevant law and regulator, many of which pursue violations as unfair or deceptive trade practices. In addition to regulatory penalties, private plaintiffs may file actions alleging non-compliance with relevant laws. For example, the CCPA provides for statutory damages of between $100 and $750 per consumer and per Incident in the event of a data breach caused by the failure to have in place reasonable security measures.
Enforcement
Hundreds of actions have been brought for non-compliance. For instance, Equifax agreed to pay at least $575 million as part of a settlement with the FTC, Consumer Financial Protection Bureau (“CFPB”) and 50 U.S. State Attorneys General, or other state regulators charged with overseeing data security, related to its 2017 data breach allegedly impacting approximately 147 million people. Government authorities alleged that Equifax failed to have in place reasonable security for the information it collected and stored.
Typical of the FTC’s enforcement is its expanded settlement with Uber arising from a 2016 data breach, which the FTC alleged was not disclosed to the FTC for more than a year. The FTC had previously settled allegations related to an earlier 2014 breach. The FTC had alleged that Uber failed to live up to statements that access to rider and driver accounts was closely monitored, which, the FTC alleged, was not the case, rendering the statements false or misleading.
Best Practices and Prevention Strategies for Cybercrime
Cybercrime is an ongoing threat.
You might think that the only form of cybercrime you have to worry about is hackers stealing your financial information. But it may not be so simple. There are far more concerns than just basic financial ones. Cybercrime continues to evolve, with new threats surfacing every year.
When you hear and read about the range of cybercrimes out there, you might be tempted to stop using the internet entirely. That’s probably too drastic.
Instead, it’s a good idea to know how to recognize cybercrime, which can be the first step to helping protect yourself and your data. Taking some basic precautions and knowing who to contact when you see others engaged in criminal activities online are also important steps.
You might want to learn how to prevent cybercrime, but here’s the thing: You can’t. You can, however, take precautions to help protect against it.
Cybercrime is any crime that takes place online or primarily online. Cybercriminals often commit crimes by targeting computer networks or devices. Cybercrime can range from security breaches to identity theft.
Other cybercrimes include things like “revenge porn,” cyber-stalking, harassment, bullying, and child sexual exploitation. Terrorists collaborate on the internet, moving terrorist activities and crimes into cyberspace.
Anyone using the internet should exercise some basic precautions. Here are 11 tips you can use to help protect yourself against the range of cybercrimes out there.
1. Use a full-service internet security suite
It’s a good idea to consider trusted security software like Norton 360 with LifeLock Select, which provides all-in-one protection for your devices, online privacy, and identity, and helps protect your private and financial information when you go online.
2. Use strong passwords
Don’t repeat your passwords on different sites, and change your passwords regularly. Make them complex. That means using a combination of at least 10 letters, numbers, and symbols. A password management application can help you to keep your passwords locked down.
3. Keep your software updated
This is especially important with your operating systems and internet security software. Cybercriminals frequently use known exploits, or flaws, in your software to gain access to your system. Patching those exploits and flaws can make it less likely that you’ll become a cybercrime target.
4. Manage your social media settings
Keep your personal and private information locked down. Social engineering cybercriminals can often get your personal information with just a few data points, so the less you share publicly, the better. For instance, if you post your pet’s name or reveal your mother’s maiden name, you might expose the answers to two common security questions.
5. Strengthen your home network
It’s a good idea to start with a strong encryption password as well as a virtual private network. A VPN will encrypt all traffic leaving your devices until it arrives at its destination. If cybercriminals do manage to hack your communication line, they won’t intercept anything but encrypted data. It’s a good idea to use a VPN whenever you use a public Wi-Fi network, whether it’s in a library, café, hotel, or airport.
6. Talk to your children about the internet
You can teach your kids about acceptable use of the internet without shutting down communication channels. Make sure they know that they can come to you if they’re experiencing any kind of online harassment, stalking, or bullying.
7. Keep up to date on major security breaches
If you do business with a merchant or have an account on a website that’s been impacted by a security breach, find out what information the hackers accessed and change your password immediately.
8. Take measures to help protect yourself against identity theft
Identity theft occurs when someone wrongfully obtains your personal data in a way that involves fraud or deception, typically for economic gain. How? You might be tricked into giving personal information over the internet, for instance, or a thief might steal your mail to access account information. That’s why it’s important to guard your personal data. A VPN — short for virtual private network — can also help to protect the data you send and receive online, especially when accessing the internet on public Wi-Fi.
9. Know that identity theft can happen anywhere
It’s smart to know how to protect your identity even when traveling. There are a lot of things you can do to help keep criminals from getting your private information on the road. These include keeping your travel plans off social media and using a VPN when accessing the internet over your hotel’s Wi-Fi network.
10. Keep an eye on the kids
Just like you’ll want to talk to your kids about the internet, you’ll also want to help protect them against identity theft. Identity thieves often target children because their Social Security number and credit histories frequently represent a clean slate. You can help guard against identity theft by being careful when sharing your child’s personal information. It’s also smart to know what to look for that might suggest your child’s identity has been compromised.
11. Know what to do if you become a victim
If you believe that you’ve become a victim of a cybercrime, you need to alert the local police and, in some cases, the FBI and the Federal Trade Commission. This is important even if the crime seems minor. Your report may assist authorities in their investigations or may help to thwart criminals from taking advantage of other people in the future. If you think cybercriminals have stolen your identity, these are among the steps you should consider:
- Contact the companies and banks where you know fraud occurred.
- Place fraud alerts and get your credit reports.
- Report identity theft to the FTC.
What is the Main Challenge of Cyber Security?
Here are the top cyber security issues and challenges you may face in your business:
Cloud Attacks
Cloud computing has developed exponentially in recent years. Cloud Service providers now offer their customers a wide array of cloud platforms to maximize efficiency and reduce costs.
What started as merely an option for backup storage has since evolved into a comprehensive computing platform that has revolutionized the way organizations handle, store, and share data. It is, therefore, essential to know what constitutes a cloud cyber attack so your company can bolster its defense against them.
A cloud cyber attack involves malicious activities targeting an off-site service platform that provides storage, computing, or hosting services via its cloud infrastructure.
This further encompasses attacks on services utilizing service delivery models such as Software as a Service, Infrastructure as a Service, Platform as a Service, and more. Each of these models offers its own distinct features, making them prime targets for cybercriminals.
- One of the methods malicious actors use most often is exploiting vulnerabilities in the service software itself.
- By exploiting these weaknesses, attackers gain access to confidential information or disrupt business operations and cause havoc.
- Ransomware has also become a favorite tactic of malicious hackers. It works by encrypting users’ data and holding it hostage until they provide the ransom amount in exchange for a decryption key that unlocks their information.
This makes it challenging for businesses to protect themselves, since complete protection from attacks requires extensive security measures both on-premise and within their cloud assets.
The most recent example: in March 2020, CAM4, an adult live-streaming website, faced the unimaginable when their cloud account was hacked to reveal a staggering 10.8 billion sensitive entries.
The exposed data totaled over 7 TB and ranged from location details and email addresses to usernames and payment logs; no stone was left unturned in this hack. The magnitude of this attack illustrates how critical it is for companies to ensure the security of their cloud platforms. This example is a constant reminder that good cybersecurity practices are essential in protecting users’ privacy and safety.
Ransomware Attacks
Ransomware is malicious software that can cause irreparable damage to your computer and your data. It revokes your access to your data by locking the device itself or encrypting the files stored on it.
Moreover, ransomware has been known to spread from one machine to another to infect a larger network, as seen with the WannaCry attack that impacted the UK’s National Health Service in May 2017.
The perpetrators behind ransomware attacks usually demand payment for unlocking your computer or granting access to your data again. This is often done through anonymous emails or websites requiring payment in cryptocurrency.
Unfortunately, paying the ransom does not always ensure that access will be granted and victims may lose not only their money but also any sensitive information they have stored on their devices.
Moreover, there is no surefire way to guard against ransomware attacks, and even the best security measures may prove insufficient if hackers are determined enough. In addition, many new variants of ransomware are being constantly developed, so staying abreast of these developments is crucial for protecting yourself from them.
IoT Attacks (Internet of Things)
Given their versatility, IoT gadgets usually lack the stringent security safeguards that protect other computing assets against malicious activity. As a result, attackers have exploited these weaknesses to access the systems. Though this is changing, the change has not yet been widely adopted globally.
IoT devices are breached to gain access to confidential data and information. These breaches usually involve installing malware on a device, damaging or corrupting the device itself, or using it to access deeper levels of confidential data belonging to the concerned business.
For instance, a cybercriminal may use any weaknesses in an IoT device connected to an organization’s temperature control system. By taking advantage of the device, they could possibly alter the room temperatures associated with this particular machine. Consequently, organizations must prioritize security measures for their Internet-of-Things devices to protect themselves from attacks and malicious activities.
This attack can have severe implications for businesses as it could lead to increased energy costs and disruption of services due to damage caused by extreme temperatures. Furthermore, if successful, this attack could provide access for the assailant into more sensitive areas within the network and leave open doors for further malicious activities.
One example was a massive attack that wreaked havoc on the internet as one of the most significant DDoS attacks ever orchestrated. Malware dubbed ‘Mirai’ was used to infect and commandeer IoT devices such as digital cameras, set-top boxes, and home routers so that they could be operated together as a botnet.
This horde of enslaved gadgets then attacked Dyn’s DNS servers, effectively taking big-name websites like Twitter, Reddit, Netflix, and CNN offline while they scrambled to contain the confusion.
It was later revealed that lax security measures on these devices made it easy for the Mirai malware to infiltrate them using their default username and password, positioning it for further reconnaissance on other vulnerable IoT gadgets.