The cliché of the hacker-in-a-hoodie lone wolf is out of date. Cybercrime gangs are now almost as sophisticated as the big businesses they are trying to steal from, leading to a new security arms race that companies are losing.
The increasing threat from organized cybercriminals and state-sponsored cyber espionage means companies need to forget about the idea of a lone hacker, think through the credible threats to their systems, and deal with them in order to disrupt their attackers' business models.
"It's time to think differently about cyber risk, ditching the talk of hackers, and recognising that our businesses are being targeted by ruthless criminal entrepreneurs with business plans and extensive resources -- intent on fraud, extortion, or theft of hard-won intellectual property," said Paul Taylor, UK head of cyber security at KPMG.
According to research by KMPG and BT, 97 percent of companies surveyed said they had been the victims of digital attacks, but only 22 percent were fully prepared to deal with future attacks.
Executives said they were hampered by regulation (49 percent), legacy IT systems (46 percent) and a lack of the right skills and people (45 percent).
"The industry is now in an arms race with professional criminal gangs and state entities with sophisticated tradecraft. The 21st century cyber criminal is a ruthless and efficient entrepreneur," said Mark Hughes, CEO of BT's security division.
"We're up against quite sophisticated organized criminality. Well-structured, real businesses, very efficient, very effective," said David Ferbrache, technical director of cybersecurity at KPMG.
According to Ferbrache, the last two years have seen some shifts in the patterns of organized cyber criminality, with fraudsters targeting top executives and trying to trick them into making bogus transfers that can cost companies millions.
"CEO frauds now have become a massive issue across many of our clients," he said.
"Organized crime is spending more time looking at targeting information available on social media. The phishing lures are much better crafted and tailored now, and they can pretend to be senior officers of the company when they know the chief executive is oversees at a conference," Ferbrache warned.
According to the research, over 90 percent of companies said staff could be open to blackmail and bribery -- but less than half have a strategy in place to deal with the threat.
"When you start moving into the big cashouts, the longer-term operations -- that's the point you see insiders coming into the picture, because you want information on the fraud control measures. Sometimes the way the systems are configured helps the operation along," said Ferbrache.
IT staff, as well as those with knowledge of finance, could be targeted: "Systems administrators, privileged users -- anybody with access credentials, anybody able to initiate financial transactions, anyone who might have an understanding of the fraud control systems and the way they are configured too -- they're all useful," he warned.
"We have traditionally thought of insiders and outsiders as two separate categories as you move up the tiers in organized crime. That's not the case. It blurs."
Crime groups tend to have a loose, federated business model. The heart of each gang will be the kingpin with the idea and the targets, but the organization around them will be a loose collection of different skills. That might include people developing vulnerabilities and exploits to attack services such as DDoS by the hour. Others will be experts in recruiting money mules to launder the cash, or they might be people who specialize in selling stolen information on the black market.
"The way you have to look at these organised crime groups is that most are running a portfolio of operations," said Ferbrache.