
How can financial institutions deal with cybercrime?

Feb. 24, 2014 - 19:40 By Korea Herald
The rapid evolution of cybercrime has become a major threat not only to individual businesses, but to global infrastructure and the economy. Last month’s credit card data theft has proven exactly how hard-hitting the effects of such attacks can be.

Recently, the three companies at the center of the data theft scandal have had their punishments dealt to them. KB Kookmin Bank, Lotte Card and NH NongHyup Card have each been fined 6 million won, and have been suspended from issuing new credit cards and extending loans for three months, severely denting their recovery.

Aside from the financial losses cyberattacks can cause, the companies are also in danger of losing their customers’ trust, thus damaging their reputations. 

Despite assurances that no real damage was done, as the key information needed to produce fake cards (passwords and card validation codes) remained safe, customers are still angry.

As a result, the three bosses of the credit card firms involved have also made public apologies for the breach, and several executives of each company have either already resigned or have offered to step down over the issue.

The aftermath of these events shows how essential it is for companies to put effective defense strategies in place to prevent such attacks from happening again in the future. So what can these companies do to put themselves in a position to combat cybercrime?

We’re living in an age of information and it has become standard procedure for companies to gather and store as much data from their customers as they want ― often without questions asked.

Though we are reaping the fruits of this data-heavy society, we also have to deal with the dark side of these practices. A lot has changed in the past several years.

Criminals no longer need to be physically present if they want to steal something. If you want to rob a bank, you no longer need to go to the premises to force open the safe.

As the chief executive of a major banking group was quoted as telling a Korea Herald reporter last month following the credit card data breach, “We feel like we’re walking through a minefield, because we can’t predict where, when or who’s involved with the wrongdoing.”

With geography taken out of the equation, and with a greater variety of ways to access information, companies must ensure they have a guard at every door.

Unfortunately, combating cybercrime is still a concept that is relatively unfamiliar to many businesses, and as a result, most are ill-equipped to counter it effectively.

The first element to address is the training of all staff in following security procedures.

The failure of staff at KB Kookmin Bank to comply with the FSC’s most basic security procedures when dealing with customer data was undoubtedly a key contributing factor to the data breach.

Staff followed guidelines only loosely in order to gather as much information as possible for managers who did not really understand the consequences of the big-data hunger, and the appropriate security measures fell by the wayside in the interest of gathering information quickly.

This is where the real problems lie and where solutions need to be sought.

Furthermore, as hackers get better at designing malicious software to infiltrate company ICT systems ― and as most jobs require some computer work ― there is a real need for all staff within an organization to be well informed about their company’s IT security procedures.

Companies should also ensure that those monitoring their cybersecurity are not just from within the IT department, but from all departments at all levels, making the entire company responsible for spotting and responding to security breaches.

A common weak spot for many companies is how they structure their ICT systems. IT professionals are often encouraged to design neat, simplistic system architectures that are easily understood by the staff using them.

Though this is appealing to management, these designs are ideal for hackers as they make it easy to locate the information they’re looking for.

Instead, IT professionals should be encouraged to ensure their companies are cyber-robust. If they apply a method of strategic disorganization to their system architecture, deliberately creating a more chaotic structure, hackers will find it harder to break in and locate the information they wish to steal.

Another potential weak spot in a company’s defense strategy can be found in the practice of outsourcing IT work to external suppliers.

Companies must consider the potential vulnerabilities of sharing their data outside of their own protection systems, as by doing this they are both relying on the security measures employed by the outsourcing company and sharing the data with any other company using the same provider.

The same can be said for companies that allow staff to bring their own devices into the workplace. Though such measures encourage flexible work routines, they also introduce an element of danger: Employees can become a security risk if their equipment isn’t properly protected.

In the modern office, of course, this cannot be avoided, as it has become common for staff to log in on mobile devices or take their work home with them. But the potential problems such measures can cause only highlight the need for all staff to be fully up to speed with the company’s IT security procedures.

Of course, there is no surefire way to defeat cybercrime.

But by taking steps to implement a personalized method of protecting ICT systems and by ensuring all staff are fully trained in how to respond to security breaches, companies can give themselves the best chances of resisting cyberattacks and minimizing the damage of those attempts that do break through. Delaying a breach, even for a few minutes, could mean the difference between a minor IT fault and a full-scale disaster.

By Jan Veldsink

Jan Veldsink is a cybersecurity expert who developed and teaches the Business and Cyber Robustness module at Nyenrode Business Universiteit in the Netherlands. ― Ed.