MAKING SENSE OF IT ALL: Boom time for cybercrime
December 13, 2011
By John Ginovsky, contributing editor
In a highly charged banking environment of tightening regulation, escalating competition, and fragile economics, technology has been embraced as a positive differentiator. However, just as it has provided whole new service channels, quicker processing capabilities, and unheard-of efficiencies, it also has boosted an undesirable companion industry: cybercrime.
In just the past few weeks, numerous analysts have measured the impact of financial cybercrime. The numbers and observations speak for themselves:
• PricewaterhouseCoopers reports that 40% of the directors and senior executives it polled said cybercrime had affected their businesses in the past year. Sixty-one percent indicate their perceived risk of cybercrime increased over the last 12 months.
• In a separate report PwC estimates that $60 billion will be spent globally this year on cyber security systems, with the United States accounting for half of that. Spending is predicted to grow 10% annually over the next 3-5 years.
• Gartner Inc. predicts that, through 2016, the financial impact of cybercrime will grow 10% a year. The combination of new vulnerabilities and more targeted attacks will lead to continued growth in bottom-line financial impact because of successful cyber attacks.
• Booz Allen Hamilton, in its list of Top 10 cyber security trends for financial services, sees next year as “pivotal for banks and investment firms as they try to stay ahead of the IT security curve.” The top three threats include the exponential growth of mobile devices, increased targeting of top executives, and the use of social media.
Which gets to where the new cyber threats are emerging. In a word: everywhere.
• Aite Group says mobile fraud is the next frontier. Two thirds of the bankers they queried said they already are working on increased fraud prevention measures for the mobile channel. “Mobile banking is rapidly increasing its penetration and capabilities, and fraud mitigation capabilities must keep pace. Financial institutions should be prepared to deploy the same type of layered fraud mitigation for mobile that is applicable to the online channel,” says Julie Conroy McNelley, senior analyst at Aite.
• Grant Thornton surveyed a wide range of company executives and found that three fourths of them do not have clearly defined policies for social media security, and 61% do not have an incident management plan to deal with fraud or privacy breaches. “Management often thinks of breaches as stemming from lost laptops or hacking events. These are usually brought to someone’s attention immediately after the event. Social media allows for small disclosures over a period of time that, when taken in aggregate, could run afoul of applicable regulations,” says Grant Thornton’s Mark Sullivan.
• The software company Mortgage Builder says in a release that “the threat posed by cyber criminals has become an increasingly real and growing concern in mortgage lending.” Adds the company’s CEO, Kevin Smith, “Cyber criminals have become more sophisticated as the amount of information available in cloud computing environments has grown.”
• Well-known analyst Bob Meara, writing in a Celent blog, says that, for consumer remote deposit capture, even though there have not yet been many cases of fraud, banks have been slow to sign on due to perceived criminal risk. He points out a curious situation: Because actual fraud losses have been low, financial institutions have been slow to buy consumer RDC protections, even as they have feared potential risk. Vendors, in the meantime, have been slow to provide solutions.
• Even that old tried-and-true pioneer of electronic transactions, the automated teller machine, has been prone to cyber crime—so much so that the ATM Industry Association recently issued its own Top Ten Immutable Laws of ATM Security. Among its conclusions, it says: “Technology continues to evolve in amazing ways, but as long as human nature is vulnerable, technology will remain necessary but not sufficient for optimum ATM security.” Not exactly reassuring.
If you really want to become paranoid about cybercrime—which probably would be a good thing—read the recent white paper issued by Deloitte Development LLC titled “Cyber Espionage: The harsh reality of advanced security threats.”
Such threats, already widely known as APTs, for advanced persistent threats, take cybercrime into political and organized crime levels capable of throttling whole governments, not to mention entire corporations. Simply put, APTs, through sophisticated technological methods and old-fashioned spycraft, are insinuated into an entity’s computer operations. While there they quietly lurk and observe, copying the most confidential and sensitive information, and sending it back to the bad guys.
Says Deloitte: “APTs flourish because of an outdated organizational mind-set that paying the compliance minimum mitigates the potential for threats. Unfortunately, many key decision makers may view taking action as an unnecessary and cost-prohibitive effort.”
So what would be an adequate approach in this new cybercrime world? Deloitte lists the following elements:
• Conduct emerging threat research.
• Establish partnerships to share intelligence.
• Assign threat focus areas.
• Establish live, dynamic intelligence feeds.
• Implement a holistic approach to cyber threat identification.
• Actively track the cyber criminal element.
• Perform daily emerging threat reviews.
• Maintain awareness of the changing technology and business environment.
• Patch operating system, network, process, and application vulnerabilities.
• Deploy and maintain signature- and behavioral-based controls.
• Produce metrics and trending data for multiple key threat indicators.
• Continuously improve automation capabilities.
It’s a lot. But, as PwC’s Didier Lavion says, “Cybercrime has emerged as a formidable threat, thanks to deeply determined, highly skilled, and well-organized criminals, from nation states to hacktivists, from criminal gangs to lone-wolf perpetrators. Organizations need to be aware and adjust to this changing landscape.”
Sources used for this report include:
PwC’s 2011 Global Economic Crime Survey assesses U.S. fraud picture with a focus on Cybercrime.
PwC’s report, Growing threats trigger sharp increases in M&S.
Gartner reveals top predictions for IT organizations and users for 2012 and beyond.
Booz Allen Hamilton reports top ten cyber security trends for financial services in 2012.
Aite Group report: Mobile Fraud: The next frontier.
Grant Thornton report: Social media study finds tremendous growth but little development of risk or compliance policies.
Cyber threats to sensitive information a growing concern in mortgage industry.
Celent blog: Wanted—A few good fraudsters.
Ten Immutable Laws of ATM Security. (Free, but requires registration.)
Cyber Espionage—The harsh reality of advanced security threats.