Combating the rising cybercrime trend with SIEM
by Fabian Libeau - ArcSight - Monday, 30 March 2009.
Judging from articles in the press, there appears to be a steady increase in the frequency of cybercrime. Whether it is one country attacking the infrastructure of another, or a payment processor losing credit card data, hardly a day passes without a new, alarming story about cybercrime. To add some perspective to this issue, let's examine the categories of cybercrime and how one might deal with each.

Let's first set aside cross-country "cyberwarfare", meaning attacks by one country against another's information infrastructure. These attacks are really a category of their own, and one that most private organizations rarely have to worry about. Instead, let's focus on activities not designed to cripple an institution, but to seek financial gain through criminal activity delivered via information technology. In this regard, cybercrime tends to fall into three categories.

The first is some form of identity theft, typically via account takeover. In this scenario, criminals gain access to a person's financial accounts and use that access to withdraw funds directly, to transfer funds out of the account, or to make unauthorized purchases. By the time the account holder discovers what is happening, the funds are gone and it may not be possible to recover them. Even where the bank or merchant is liable for reimbursement, that liability may be limited and the consumer may simply have to bear the loss. Criminals typically obtain the credentials through phishing or other social engineering that tricks the consumer into revealing them.


The second category involves malware planted on the corporate network. This may be a keylogger that captures account numbers and passwords, or it may take another form, as in the Heartland Payment Systems breach, where malware captured payment card numbers as they passed through the processing systems. The malware may in fact be in place for quite some time, operating quietly and regularly sending captured data to an external domain. These attacks can be very difficult to detect because the exfiltration is low-volume: no single transfer is large enough to stand out, and the pattern only becomes visible when connections from one host to one destination are correlated over hours or days.
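The correlation just described, as an added example that is not part of the original article or any ArcSight product: outbound proxy records are grouped by (source host, destination) over a 24-hour window, and a pair is flagged when its connections are numerous, evenly spaced and small. The log format, host names, domains and thresholds are constructed for illustration.

```python
"""Detecting low-and-slow data exfiltration from proxy logs.

Added example: the log format, host names, domains and thresholds below are
constructed for illustration; none of this is ArcSight code or real capture data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def make_sample_log():
    """Constructed proxy log, one line per outbound connection:
    '<ISO timestamp> <source host> <destination domain> <bytes sent>'."""
    base = datetime(2009, 3, 30, 0, 0, 0)
    lines = []
    # Compromised host: ~280 bytes to the same domain every 10 minutes for 24 hours,
    # with a few seconds of jitter so the intervals are not perfectly identical.
    for i in range(144):
        t = base + timedelta(minutes=10 * i, seconds=i % 3)
        lines.append(f"{t.isoformat()} ws-017 update-cdn.example.net {280 + i % 5}")
    # Ordinary host: a few large, irregular transfers to a file-sharing site ...
    for minute, nbytes in [(5, 2_400_000), (47, 900_000), (121, 5_100_000),
                           (600, 1_200_000), (1200, 3_300_000)]:
        t = base + timedelta(minutes=minute)
        lines.append(f"{t.isoformat()} ws-042 files.example.org {nbytes}")
    # ... and bursty, irregular browsing to a search engine.
    for minute in [1, 2, 4, 9, 10, 33, 35, 36, 90, 91, 200, 201, 202,
                   450, 451, 700, 1000, 1001, 1300, 1301]:
        t = base + timedelta(minutes=minute, seconds=minute % 17)
        lines.append(f"{t.isoformat()} ws-042 search.example.com {1500 + minute}")
    return sorted(lines)


def parse(line):
    ts, host, dest, nbytes = line.split()
    return datetime.fromisoformat(ts), host, dest, int(nbytes)


def find_beacons(lines, min_conns=24, max_cv=0.2, max_avg_bytes=4096):
    """Flag (host, destination) pairs that look like a beacon: many connections,
    evenly spaced (coefficient of variation of the gaps <= max_cv) and small.
    The thresholds are illustrative starting points, not tuned values."""
    events = defaultdict(list)
    for line in lines:
        ts, host, dest, nbytes = parse(line)
        events[(host, dest)].append((ts, nbytes))

    findings = []
    for (host, dest), evs in events.items():
        if len(evs) < min_conns:
            continue
        evs.sort()
        gaps = [(later - earlier).total_seconds()
                for (earlier, _), (later, _) in zip(evs, evs[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        cv = pstdev(gaps) / avg_gap          # 0 means perfectly regular timing
        avg_bytes = mean(nbytes for _, nbytes in evs)
        if cv <= max_cv and avg_bytes <= max_avg_bytes:
            findings.append({
                "host": host, "dest": dest, "connections": len(evs),
                "avg_gap_s": round(avg_gap), "gap_cv": round(cv, 3),
                "avg_bytes": round(avg_bytes),
                "total_bytes": sum(nbytes for _, nbytes in evs),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(make_sample_log()):
        print(finding)
```

The large, irregular transfers and the bursty browsing from the second host never trip the rule, even when the connection-count threshold is lowered, because what distinguishes the beacon is regularity plus low volume rather than any single event. In a real deployment the same logic runs against a SIEM's correlated proxy, firewall or DNS feed, and the thresholds are tuned against a baseline of the environment's own traffic.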

The third category of cybercrime is the malicious insider: the trusted user who has rights to access confidential data, and who uses that access to steal and sell the data. Privileged users can be trusted employees such as database administrators, finance administrators, and so on. They can also be trusted outsiders such as IT contractors, outsourcing partners, or distribution or supply chain partners. These activities can also be difficult to detect, because the user does in fact have access to the data or applications in question. The task is to distinguish normal, authorized use from irregular or unauthorized use, which requires context: what the user normally accesses, when, and in what volume. Gaining that context can be difficult, though current SIEM solutions make it considerably easier.
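One way to obtain that context, as an added example that is not part of the original article or any vendor's product: build a per-user baseline from a week of database audit records (which tables each user touches, at what hours, and how many rows per query), then compare each new record against that user's own history rather than against a static permission list. The audit-log format, user and table names, the list of sensitive tables and the thresholds are all constructed for illustration.

```python
"""Baseline-versus-deviation review of privileged database access.

Added example: the audit-log format, user names, table names, thresholds and
the 'sensitive tables' list are constructed for illustration, not taken from
any product or real environment.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Assumed set of tables whose first-time access by any user is worth a look.
SENSITIVE_TABLES = {"cardholder", "customer_pii"}


def make_audit_log():
    """Constructed database audit lines: '<ISO timestamp> <user> <table> <rows returned>'.
    23-29 March serve as the baseline week; 30 March is the day under review."""
    lines = []
    for day in range(23, 30):
        for hour in (9, 11, 14, 16):
            lines.append(f"2009-03-{day:02d}T{hour:02d}:15:00 dba_alice cardholder {40 + hour}")
            lines.append(f"2009-03-{day:02d}T{hour:02d}:40:00 analyst_bob orders {500 + day}")
    # Review day: routine work, plus a bulk pull at 02:00 by the DBA and a
    # first-ever touch of the cardholder table by an analyst.
    lines += [
        "2009-03-30T02:07:00 dba_alice cardholder 250000",
        "2009-03-30T10:15:00 dba_alice cardholder 51",
        "2009-03-30T10:40:00 analyst_bob orders 530",
        "2009-03-30T11:05:00 analyst_bob cardholder 12",
    ]
    return lines


def parse(line):
    ts, user, table, rows = line.split()
    return datetime.fromisoformat(ts), user, table, int(rows)


def build_baseline(lines, before):
    """Per user: hours of day seen and rows returned per table, from records before `before`."""
    profile = defaultdict(lambda: {"hours": set(), "rows": defaultdict(list)})
    for line in lines:
        ts, user, table, rows = parse(line)
        if ts < before:
            profile[user]["hours"].add(ts.hour)
            profile[user]["rows"][table].append(rows)
    return profile


def review(lines, day_start, volume_factor=10):
    """Compare each record on or after `day_start` with the user's own baseline.
    Being authorized does not exempt a user: the question is whether this access is usual for them."""
    baseline = build_baseline(lines, day_start)
    alerts = []
    for line in lines:
        ts, user, table, rows = parse(line)
        if ts < day_start:
            continue
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            reasons.append("no baseline for this user")
        else:
            usual = profile["rows"].get(table)
            if usual is None:
                if table in SENSITIVE_TABLES:
                    reasons.append(f"first access to sensitive table {table}")
            elif rows > volume_factor * mean(usual):
                reasons.append(f"{rows} rows vs baseline mean {mean(usual):.0f}")
            lo, hi = min(profile["hours"]), max(profile["hours"])
            if not lo <= ts.hour <= hi:
                reasons.append(f"hour {ts.hour:02d} outside usual window {lo:02d}-{hi:02d}")
        if reasons:
            alerts.append({"time": ts.isoformat(), "user": user, "table": table,
                           "rows": rows, "reasons": reasons})
    return alerts


def run_example():
    """Review 30 March against the preceding week of constructed records."""
    return review(make_audit_log(), datetime(2009, 3, 30))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The DBA's routine 51-row query passes because it matches her own history; the 250,000-row pull at 02:07 is flagged twice, for volume and for time of day, even though she is fully entitled to read that table. The analyst's 12-row query is flagged only because he has never touched a sensitive table before. A SIEM does the same comparison continuously, with the baseline maintained from the audit feed rather than rebuilt per run.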

Copyright 1998-2013 by Help Net Security.