Fighting cyber crime together
It is too important to leave the security of your organisation to just one department. Everyone needs to take responsibility. It is not just a matter of looking internally at defences; you also need to ask what countermeasures you have at your disposal to respond to a cyber attack. Having a plan in place, perhaps as part of a larger Disaster Recovery plan, will ensure that you can respond effectively should an attack be successful.
In 2015 the number of security breaches rose, with 90% of enterprise organisations having experienced a security breach, according to a survey by PwC. Cyber Crime is growing exponentially. A report from Deloitte estimated that Cyber Crime costs businesses over $400bn every year, with the average financial impact estimated to be between $2 – $4m. Worryingly, human error and deliberate action are still the main causes.
Cyber Crime targeting financial institutions is on the rise. This year alone, Vietnamese and Bangladeshi banks connected to the SWIFT network have suffered significant fraud losses, in one case amounting to $101m, less than half of which has ever been recovered.
It is not just institutions that are being targeted. According to a report in the Financial Times, cyber criminals are trawling through wealth managers’ websites as well as social media networks to target the super-rich and trick them into parting with millions of dollars each year.
In a technique known as “whaling”, efforts are directed specifically at senior executives and other high-profile targets within businesses. The goal is to trick users in organisations into disclosing personal or corporate information through “social engineering”.
A common practice is making the individual believe that a high-level executive, such as a C-Level contact, has authorised a payment to be made in a way that circumvents the normal internal financial procedures, thus bypassing standard security and payment processing controls.
Whaling attacks are highly sophisticated and can be very difficult to prevent. For example, if the CEO’s email account is cloned, any emails sent from the fraudulent account will look like genuine requests from the CEO, and how many junior finance managers will ignore a request from their CEO?
It is therefore vitally important that we raise awareness levels across the industry, and that extends to victims reporting incidents of Cyber Crime. Cyber extortion is a growing threat, but the reality is that the practice is largely hidden because many firms will pay what is needed and hope news doesn’t leak out, for fear of damage to their reputation. It is likely that the figures quoted at the start of this article may even be an underestimate.
Being alert to the risks
All financial institutions need to be alert to the risks posed by Cyber Crime. Every company has what is called a ‘digital shadow.’ This is information that is exposed on a personal, technical or organisational level and is used within whaling research. It is often highly confidential and not something that the company would be happy knowing was available to those who know where to search.
Yet look at the LinkedIn profiles of many employees and they often inadvertently reveal details of the systems and firewalls protecting their organisation. A hacker armed with knowledge of a particular firewall might direct specific attacks against its unpatched weaknesses.
It is not just criminals that are using cyber intrusion techniques. Attacks by nation-states and industry competitors are the fastest-growing cyber threats. State-sponsored (or at the very least authorised) hacking attempts are on the rise. These can become global news, such as the recent case where alleged Russian hackers released the private medical records of scores of Olympic athletes.
What steps should businesses take to reinforce their defences against cyber criminals?
According to the Cyber Risk division of Deloitte, there are three critical elements of effective and agile cyber security:
Aware – you need intelligent insight to monitor evolving threats and anticipate risks
Prepare – setting and implementing the right technology and cultural strategy to manage evolving cyber threats
Respond – crisis management, diagnostics and solutions so that the material impact of cyber attacks can be minimised in real time at any time
According to Deloitte, the financial industry faces more cyber attacks than other industry sectors. Unfortunately, institutions with legacy systems or those that are not maintained and fully up to date are most at risk.
This is a very real and present danger for the wealth management industry. With confidential financial and tax records, wealth managers, private banks and trusts are likely to be a prime target in the future for cyber attackers looking for potential targets.
While large global organisations typically have a sizable budget to address cyber security, for smaller institutions such as niche wealth managers, the costs can be prohibitive.
Polly Pickering, cyber security advocate and CEO of eShore in the Caribbean, Bermuda and Latin America, adds, “Cyber attacks on business email and data breaches continue to rise at an unprecedented rate. This year alone we have seen the Federal Deposit Insurance Corporation reporting a security breach that had occurred via a malware attack and payroll giant ADP fall victim to a hacking attempt. To protect themselves, companies need state-of-the-art teams and technology but critically, it is awareness and training – coupled with executive buy-in – that really makes the difference.”
It is vital that organisations look at the problem of cyber security holistically. For example, there needs to be a cross-department team with relevant stakeholders that meets on a regular basis to review and discuss aspects of information security. You need to understand the risks that you face, and only with the resulting knowledge can you begin to formalise a defence strategy.
More valuable advice comes from the Deloitte Advisory Cyber Risk Services division, who say it is vital that organisations develop better situational awareness of the threat landscape and the overall attack variables; companies need to develop the ability to derive “intelligence” from their myriad of data sources which will ensure organisations can spot an attack and launch their defences without delay.
The best advice I saw on the topic of cyber security is that if you don’t have a dedicated cyber security team with representation from other functional departments, then it might be worth investing in setting one up. And if you already have such a team, it might be worth spending more to beef it up.
It is likely to be money well spent if you can mount an effective defence against the next cyber intrusion attempt.