Cybercrime is not just a tech problem
As cybercrime is increasing in frequency, size and sophistication, it is clear that technological defences alone are no longer sufficient to protect a business from attacks. Cybercrime has evolved from a vertically integrated, individualistic activity into an extremely sophisticated, well-organised and distributed operation, where stolen data is traded and matched on exchanges, and highly specialised professionals are getting in on the action.
Previously, copycats or ‘script kiddies’ provided malware by way of exchanges. Today cybercrime is a big business conducted by high-quality professionals with the ability and qualifications to cause significant damage.
The potential losses are considerable
In December 2013, the Minneapolis-based Target Corporation announced that payment card information for 40 million customers had been stolen over a two-week period during the holiday shopping season, along with the names, addresses, email addresses and phone numbers of an additional 70 million customers. And in Australia, businesses are routinely scanned for weaknesses, with the potential for sophisticated malware to sit dormant and undetected in infected systems for months, before an actual theft. The issue is that as criminals are becoming more sophisticated at circumventing business controls, organisations are not necessarily keeping up.
Not just an IT problem
The biggest problem is when businesses treat the risk of a cyber-attack as an IT problem that only warrants an IT response. While cyber security is an important part of an organisation’s ability to keep its data safe, the IT security function alone will not be sufficient to guard against today’s threats. The ‘people’ factor is often ignored, yet it is a critical element in building a strong defence. Dealing with cybercrime is more than just dealing with cyber security. Security is an important function, but it is only one facet of the whole. Many organisations spend significantly on building strong firewalls, but don’t necessarily monitor the development of potential threats against their business, nor the risks that can, and do, emanate from their own people.
Firewalls are breached: IQ is C21
Most organisations put the castle walls up very high, but if they aren’t aware of what is being planned against them, they can’t adjust. They can only hope that their defences are adequate for the attack. Intelligence is the key. It is important to be plugged into the networks and chat rooms where attacks are being planned. Only then can you understand what is going on in the cyber community and where your potential weaknesses are as a business.
Organisations also need to get behind the network and focus on the human element that is inherent in cybercrime. Computers don’t create crimes. It is the people who are using the computers that commit the crimes. And people in the organisations can be, and often are, complicit. Usually there is a lot of engineering going on, and it is not just somebody, somewhere, out there, who is involved. There needs to be intelligence gathering and a vulnerabilities assessment, and someone inside the organisation may even be creating the weakness, to test how the malware in question can be inserted.
Combating the threat
Companies should ensure they employ a Three Lines of Defence model for cyber risk management across the organisation. The first line is protective controls. For example, firewalls are an important first line of defence in securing a computer network: they determine which services and what traffic can pass through the checkpoints. Strong, secure software development controls, to prevent vulnerabilities in systems being exploited, would also be in the first line. The second line of defence revolves around monitoring potential external threats, for example by analysing communication in internet chatrooms and engaging in network vulnerability tests.
The third line of defence includes measures taken to ensure the business is safe from internal threats. This includes simple steps such as periodic background checks of employees and ensuring that access to sensitive information is only provided on a ‘need to know’ basis. In many cases, these very basic activities are not being done across the whole organisation, so the dots of the three aspects are not being joined up enterprise-wide. Even with very high castle walls and a sense that you have done everything you think you should do with cyber security, you are probably still vulnerable. This is because the game has changed, and organisations need to know what is happening both on the outside and on the inside.
- Companies need to assume they will be successfully hacked and make preparations for such a scenario.
  This could entail steps to preserve data, provide threat intelligence, or ensure business continuity in the case of a sustained denial-of-service attack.
- Organisations need to address security within their own culture.
  Staff should be aware of procedures and understand the implications of unsafe practices. This is even more relevant with the shift to staff bringing in their own devices and software.
- Companies must get the basics right in securing routers and servers.
  Common vulnerabilities include failing to apply updates and patches to applications and operating systems, poor web coding, and failing to restrict access to sensitive information.
- Businesses should evaluate which parts are critical to continuity and spend more on securing those elements.
  No organisation has unlimited funds to spend on security, and not everything has to be protected to the same level. Security should be risk-based.
- How fast and how smartly can you respond to a breach?
  The Corporate Affairs and Communications team must be able to respond swiftly through both social and traditional media to help protect reputation in the market and maintain the trust of clients.
Ivan Zasarsky leads Deloitte Australia’s forensic financial crime practice. With more than 20 years’ experience applying advanced technologies and analytics, he provides advisory services and solutions across the spectrum of regulatory change. This includes financial applications, case tools, detection methodologies, algorithms and platform development. Ivan has worked with major clients across several industries on a global basis.
This article was first published in Australian Banking & Finance.