Cyber criminals are becoming increasingly creative and have diversified their attack strategies significantly in recent years. For more than a decade, complex and sophisticated cybercrime organisations have focused on infiltrating the online platforms of financial institutions. When those organisations responded by implementing stronger authentication controls, cyber criminals broadened their hunting ground and began attacking corporations across all industries. Companies that have antiquated or insufficient cyber security controls have been left exposed.
Small businesses are particularly vulnerable; a 2013 study by Symantec revealed that half of all targeted online attacks were aimed at businesses with fewer than 2,500 employees. But large, multinational corporations face equally serious risks and cannot afford to be complacent. The customer data breach experienced by Target last December affected up to 110 million people and resulted in significant reputational damage, profit loss, and high-profile resignations.
Following the breach, Target’s profits were down 46 percent from the same period a year earlier. Factoring in the costs of reimbursement, reissuing millions of cards, legal fees and credit monitoring for customers, one estimate put Target’s losses at up to $420m. The episode serves as an important proof point that sophisticated criminals are able to infiltrate systems and wreak havoc in some of the world’s largest corporations.
Counting the costs
This marks an important change. In the past, security breaches didn’t necessarily have a significant or even fatal impact on a company’s reputation or bottom line. Today, there is increasing recognition by C-suite executives that cyber security is a major corporate risk they can’t afford to downplay. Cybercrime costs businesses an estimated $445bn yearly – almost one percent of global income – according to the Center for Strategic and International Studies, a Washington think tank.
Direct losses are only one component of this staggering number. Companies must pay substantial recovery and opportunity costs following a cyber attack, potentially losing customers and facing the possibility of lawsuits over lack of controls or due diligence.
The forecast isn’t getting any brighter, with both the likelihood and financial toll of cyber attacks continuing to mount. PwC’s Global State of Information Security Survey – polling 9,600 senior executives across 115 countries in 2013 – reported that the number of detected information security incidents increased 25 percent over the previous 12 months. The same respondents claimed the financial costs of those incidents rose 18 percent, with large liabilities increasing faster than smaller losses.
Six steps to preventing cybercrime
1. Behaviour monitoring tools: A bank’s back office behaviour monitoring controls are not always visible to customers but help protect businesses from loss on a daily basis.
2. Fraud prevention products: A comprehensive suite of fraud prevention products and features is essential to safeguarding against payments fraud. For example, Bank of the West’s Positive Pay solution uses payee line matching to protect client accounts against check fraud.
3. Education and training: These are essential to generating awareness of, and compliance with, fraud prevention measures across all levels of an organisation.
4. Firewalls and detection tools: Installing a dedicated, actively managed firewall and setting up robust detection tools is critical to preventing fraud.
5. Dual approval and out-of-band authentication: Requiring a second approver for large financial transactions or sensitive administrative functions is critical. Using out-of-band authentication via a different network adds a layer of security to ensure transactions are legitimate.
6. Cash vault and armoured car services: These can mitigate the exposure created when employees handle and transport large amounts of cash unprotected.
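To make two of the controls above concrete, here is an added example (written for this page, not Bank of the West’s Positive Pay product or any bank’s actual back office code) of the logic behind positive-pay payee line matching and dual approval with out-of-band confirmation. The check register, payee names, approver names and the $10,000 approval threshold are all constructed for illustration.

```python
"""Hypothetical back-office payment controls (added example, not Bank of the West code):
positive-pay matching of presented checks against the issued-check register,
and dual control with out-of-band confirmation for large releases."""
from dataclasses import dataclass
from decimal import Decimal
import re


@dataclass(frozen=True)
class CheckRecord:
    """One check, either as issued by the company or as presented for payment."""
    number: str
    amount: Decimal
    payee: str


def normalize_payee(name: str) -> str:
    """Fold case, punctuation and spacing so 'ACME Corp.' and 'Acme  corp' compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()


def positive_pay_exceptions(issued, presented):
    """Return (check number, reason) for each presented item that the issued
    register does not vouch for; items with no exception may be paid automatically,
    everything else is held for the account holder's decision."""
    register = {c.number: c for c in issued}
    seen = set()
    exceptions = []
    for item in presented:
        if item.number in seen:
            exceptions.append((item.number, "duplicate presentment"))
            continue
        seen.add(item.number)
        issued_item = register.get(item.number)
        if issued_item is None:
            exceptions.append((item.number, "not in issued register"))
        elif issued_item.amount != item.amount:
            exceptions.append((item.number, "amount mismatch"))
        elif normalize_payee(issued_item.payee) != normalize_payee(item.payee):
            exceptions.append((item.number, "payee line mismatch"))
    return exceptions


DUAL_APPROVAL_THRESHOLD = Decimal("10000")  # assumed policy limit, not a real bank setting


def release_allowed(amount, requester, approvers, out_of_band_confirmed):
    """Dual control for large transactions: at or above the threshold a second
    person (not the requester) must approve, and the request must be confirmed
    over a channel separate from the one it arrived on (e.g. a call-back)."""
    amount = Decimal(str(amount))
    if amount < DUAL_APPROVAL_THRESHOLD:
        return True, "below dual-approval threshold"
    if not any(a != requester for a in approvers):
        return False, "needs an approver other than the requester"
    if not out_of_band_confirmed:
        return False, "needs out-of-band confirmation"
    return True, "dual control satisfied"


# Constructed sample data for a stand-alone run.
ISSUED = [
    CheckRecord("1001", Decimal("250.00"), "Acme Corp."),
    CheckRecord("1002", Decimal("1200.00"), "Northwind Traders"),
]
PRESENTED = [
    CheckRecord("1001", Decimal("250.00"), "ACME CORP"),            # matches register
    CheckRecord("1002", Decimal("1200.00"), "North Wind Traders"),  # payee line altered
    CheckRecord("1003", Decimal("500.00"), "Cash"),                 # never issued
    CheckRecord("1001", Decimal("250.00"), "ACME CORP"),            # presented a second time
]


def sample_exceptions():
    """Run the constructed register through the positive-pay check."""
    return positive_pay_exceptions(ISSUED, PRESENTED)


if __name__ == "__main__":
    for number, reason in sample_exceptions():
        print(f"check {number}: {reason}")
    print(release_allowed("25000", "alice", ["alice"], True))
    print(release_allowed("25000", "alice", ["alice", "bob"], True))
```

The payee comparison is deliberately forgiving about case and punctuation but strict about the words themselves, so a reformatted but genuine payee line clears while an altered one is held; the dual-control check treats self-approval and a missing call-back as equivalent failures rather than letting either one be waived.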
The good news is that more companies are paying attention to these escalating risks. In June, The Wall Street Journal reported that 1,517 companies that traded on the NYSE or Nasdaq “listed some version of the words cyber security, hacking, hackers, cyber attacks or data breach as a business risk in securities filings… That is up from 1,288 in all of 2013 and 879 in 2012.” In turn, the PwC security survey reported information security budgets rising 51 percent in 2013 to an average of $4.3m.
What exactly are businesses today guarding against? What tactics are cyber criminals using to initiate fraud? Once upon a time, business was conducted and deals were closed with handshakes. Today, with the majority of business and financial transactions taking place online and by email, cyber criminals are focusing on business email and communication systems, compromising them when robust processes are not in place to verify the legitimacy of transactions.
Specific industries – including agriculture, municipalities, aviation, and more – are being targeted one at a time by what we call masquerading. This social engineering tactic can involve cyber criminals cloning company email systems and using social media channels to learn about internal relationships and the activities of company executives so they can make fraudulent requests look legitimate to unsuspecting company employees. We are also seeing cyber criminals pretending to be vendors so they can fraudulently obtain funds, or setting up email addresses that closely resemble customers’ to make requests look authentic.
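One defensive check against the lookalike email addresses described above is to compare each inbound sender domain against the domains of known counterparties before a payment request reaches anyone who can act on it. The following is an added example, not code from the article or from Bank of the West; the counterparty domains use the reserved .example top-level domain and the substitution table and distance threshold are assumptions chosen for illustration.

```python
"""Lookalike sender-domain detection (added example, not from the article):
flag inbound payment requests whose sender domain merely resembles a known
counterparty's domain, so they are routed to call-back verification."""


# Character substitutions commonly used to imitate a domain; applied in order.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(domain: str) -> str:
    """Reduce a domain to a visual skeleton so imitations collapse onto the original."""
    d = domain.lower().strip()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values mean one domain is a near-typo of the other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, known_domains, max_distance: int = 2):
    """Return ('trusted', domain), ('lookalike', imitated_domain) or ('unknown', None)."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    if domain in known_domains:
        return "trusted", domain
    sk = skeleton(domain)
    for known in sorted(known_domains):
        if sk == skeleton(known) or levenshtein(domain, known) <= max_distance:
            return "lookalike", known
    return "unknown", None


# Constructed list of counterparties; .example is a reserved TLD, so these are not real.
KNOWN_COUNTERPARTIES = {"acmecorp.example", "northwindtraders.example"}


def triage(addresses, known_domains=KNOWN_COUNTERPARTIES):
    """Map each sender to a handling decision for the accounts-payable queue."""
    decisions = {}
    for addr in addresses:
        verdict, imitated = classify_sender(addr, known_domains)
        if verdict == "trusted":
            action = "normal processing"
        else:
            action = "hold; verify by call-back to a number already on file"
        decisions[addr] = (verdict, imitated, action)
    return decisions


if __name__ == "__main__":
    # Constructed inbound senders: one genuine, three imitations, one stranger.
    samples = [
        "ap@acmecorp.example",
        "ap@acrnecorp.example",
        "billing@acmec0rp.example",
        "ap@acmecorps.example",
        "ceo@totallydifferent.example",
    ]
    for addr, decision in triage(samples).items():
        print(addr, "->", decision)
```

Both an unknown domain and a lookalike are held for call-back; the distinction matters only for reporting, because a request that merely resembles a known vendor is a stronger signal of masquerading than one from a stranger. Verification should use a phone number already on file, never one supplied in the suspicious message.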
We have also seen a significant evolution in malware. Historically, it was used to attack banking websites, but now we are seeing fit-for-purpose malware attacking specific point-of-sale systems and software used in a particular vertical. Criminals scan the internet for software they know is vulnerable and stage attacks on companies of all sizes across an entire industry. Recent targets have included restaurants, taxi services, and construction, to name a few. The sophistication of malware continues to increase. In addition to stealing user names and passwords, the malware is sometimes able to assume control of a company’s computer system in order to execute fraudulent transactions from a company’s own computers.
Ransomware and distributed denial-of-service (DDoS) attacks are additional tools criminals use to encrypt company data or flood sites with traffic and extort a payment. Ransomware attacks skyrocketed 500 percent in 2013, and criminals are increasingly using DDoS attacks to distract companies’ IT staff while stealing funds or intellectual property. This can take a severe toll on a company’s operations, leading to compromised customer service, reputational damage, and lost revenues.
Unfortunately there is no silver bullet for preventing fraud. As the internet continues to evolve and expand, the attack space available to criminals is only getting bigger, and every additional connected device gives them more options for perpetrating fraud. Above all, businesses need to stay aware of cybercrime trends and existing scams, and put in place robust business processes, approvals and controls to verify the legitimacy of all transactions. Financial institutions in particular need to partner with their customers to help educate them on the increasing threat of cyber attacks and the prevention strategies they should implement.
As a relationship-focused bank, Bank of the West takes a holistic approach to fraud prevention, partnering with commercial clients to help educate and safeguard them against fraud. Obtaining information as quickly as possible for clients is paramount in this effort.
By maintaining open lines of communication with law enforcement organisations, we have effective information sharing mechanisms in place so we can stay aware of known risks, alert our customers, and modify our processes as needed.
We use direct communications and social media to keep our clients informed about the latest security-related news and fraud prevention best practices, including updates on the Heartbleed virus and wire fraud prevention strategies in recent months. Speaking with our clients about security also hands us important feedback that we have used to modify and strengthen our products and back office controls.
Our goal is to keep our clients strong and financially viable so we can grow alongside them over the long term. In today’s business landscape, where technology and cybercrime tactics continue to evolve at lightning speed, we view fraud prevention as critical to every company’s competitiveness – and its survival.