Impact of cyber security breaches and how organisations should react
December 2019 | SPOTLIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
December 2019 Issue
Cyber security and the threat of being hacked and losing internal data, intellectual property or customer information should be keeping many individuals in business up at night. These threats are on the increase, as is the sophistication of the attacks and approaches.
Recent findings from Javelin, such as that 16.7 million Americans are victims of identity theft each year and that 30 to 50 percent of identity theft originates in the workplace, starkly illustrate the scale of the issue. While it is popular to imagine that hackers are usually young adults living at home, the reality is that these attacks are carried out by serious, organised criminal enterprises that are well funded, highly focused and usually a couple of steps ahead of countermeasures.
Looking at the threat facing financial institutions in general, the Capital One data breach made it very clear, if it was not already, that the financial industry is not safe from large-scale attacks. This breach stemmed from a cloud vendor, but the myriad threats facing the financial sector are growing. Today, a ransomware attack can destroy, exfiltrate or encrypt data. We saw this with the NotPetya attack in 2017. Other threats include DDoS attacks, social media attacks, spear phishing, point of sale (PoS) malware, ATM malware and credential theft. The increased use of biometrics also poses new security threats, as does quantum computing.
There continue to be threats stemming from employee error and carelessness. When employees use public Wi-Fi or a deficient private network, they also open their business up to hackers, as they do, of course, when they click on a spear phishing email. Business email compromise was the subject of a recent US Securities and Exchange Commission (SEC) warning. Nine public companies that fell victim to these scams lost a total of nearly $100m. The SEC noted that these scams were successful “at least in part, because the responsible personnel did not sufficiently understand the company’s existing controls or did not recognise indications in the emailed instructions that those communications lacked reliability”.
Once a hacker has obtained personal or business information, they often collaborate with one another through private, criminal marketplaces that are not available to the general public, which keeps their activities secret and their locations secure. Criminals follow different processes depending on the fraud typology, but their common purpose is to look for current and valid data that can then be enriched and sold on to different groups. For example, once a list of extracted emails and passwords is made available, criminals can use automated credential-testing (so-called ‘maker-checker’) programmes to quickly test the email and password combinations against thousands of different websites with the aim of finding a valid combination. They can then go on to build profiles to obtain enough information to impersonate an individual and hijack their identity. Thus equipped, they can take out financial products such as loans or mortgages in the victim’s name or, more simply, carry out targeted ‘boiler-room’ type frauds.
Typically, attacks on organisations involve anything from targeting the C-suite for invoice fraud typologies, to the use of ransomware. The cost to an organisation is material in terms of financial losses, remediation activities required to diagnose and rectify the breach, reputational risk and customer confidence, and any fines that may arise from General Data Protection Regulation (GDPR)-type regulatory enforcement. However, there are several practical steps organisations can take to address these risks.
First, cyber security and data privacy need to be on the board’s agenda. The recent cases of high-profile companies such as Equifax, Uber, British Airways, Marriott and Facebook have resulted in exactly this. Guidance issued by the SEC in February 2018 around cyber-related disclosures and governance has also played a role in elevating the visibility of the issue.
Furthermore, when it comes to privacy, Facebook’s settlement with the US Federal Trade Commission also places a strong emphasis on accountability from the top. The settlement mandates the creation of an independent privacy committee, comprising independent directors who meet certain privacy and compliance requirements. These are requirements we have not seen before in these kinds of settlements. Organisations can examine this model and decide if it works for them from a privacy and security perspective.
Organisationally, designating a chief information security officer (CISO) is a wise option. Having the CISO develop the cyber security programme (rather than a chief technology officer (CTO) or chief information officer (CIO)) helps ensure that cyber security is treated as an enterprise-wide risk and not just an information technology (IT) risk. We often hear that there is a communication gap between information security and IT on one hand and legal and compliance on the other. These teams need to work together and bridge that gap with clear lines of communication and no assumptions that each team understands all of the other’s terms.
Aside from governance, important components of a security programme include conducting regular risk assessments and implementing effective programmes that address access rights and controls, data-loss prevention, vendor management, training and incident response.
GDPR and compliance can be a minefield that is exacerbated by a company’s size and complexity. Businesses need to know where their data is and should, if they have not already done so, map where the data resides, who uses it and for what purposes. Other crucial steps include reviewing third-party contracts (to get a handle on their third parties, some companies have had to start from their accounts payable list), assessing whether a data protection officer is needed, and identifying the lawful basis for processing data. It is also important to develop a procedure for answering data subject requests and to make sure that the company properly documents and preserves its justification for the legal basis, under Article 6 of the GDPR, of the data it uses.
Finally, it is worth noting that cyber security is everyone’s responsibility. Constant awareness of current and new threats, built through training and simulated, company-wide exercises, is a good way to build protection and ensure everyone understands the threats and can act accordingly. Businesses should also look to understand their current exposure on criminal forums: which staff emails are out there being traded, and whether key personnel are sufficiently monitored as part of any ongoing business-as-usual monitoring. Early identification of any potential exposure can be highly advantageous when it comes to fighting attacks.
The constant threat of cyber security breaches may mean that companies and senior management will never have complete peace of mind. But by being vigilant, taking the issue seriously and constantly evolving to meet new challenges, they may just sleep a little sounder at night.
Nick Parfitt is head of market planning at Acuris Risk Intelligence. He can be contacted on +44 (0)203 741 1300 or by email: info@acuris.com.
© Financier Worldwide