The rising threat of cyber crime

aat comment

Cybercrime is a thief’s dream – high reward and low risk. Better watch out says Collin Mars…

In the good old days, all you needed to rob a bank was a pair of stockings, a sawn-off shotgun and nerves of steel. But a latter-day Butch Cassidy is more likely to come armed with a computer and a few lines of code.

Despite some high-profile cases, most financial crime goes under the radar. According to Peter Armstrong, executive director of cyber risk-management firm Willis Finex Global, financial services firms make an assumption that 2% of their cash is going to be lost through fraud of all types.

But, due to increasing cybercrime, they will soon face a tough choice between spending more on prevention and detection or increasing that limit.

It is not hard to work out the lure of the financial industry for the budding e-criminal. Rik Ferguson, global vice president of security research at Trend Micro, says: “The aim is to make money – that is the driver for all cybercrime, apart from politically driven and nation-state stuff.” PwC cybersecurity partner Richard Horne also points out a slightly dubious ethical attraction: “Often, people see it as a victimless crime, compared to burglary or mugging.”

Ferguson recommends that companies undertake thorough penetration testing to identify unwanted intruders. “Once inside, the criminals generally explore the network using legitimate user accounts – sometimes they can be there for months harvesting information.”

Understanding that systems are not impenetrable should also lead to a more mature approach to the classification of information, according to Armstrong. He says: “Companies need to make the hard yards on looking at their information – what is the most important and how they protect it. You need to recognise you can’t defend everything and take a layered approach to protect the most important stuff.”

Information-sharing between rival firms, although it might seem uncomfortable, can also help. “Companies need to recognise that financial crime is a community issue and they must participate in cyber information exchange,” says Armstrong. “When the first case arises, the ability to tell others about it can reduce the overall value of the loss to the industry.” To that end, the British Bankers’ Association is launching a real-time alert service for members which will pool information from domestic and international bodies, including government and crime agencies, to provide intelligence to ICT security chiefs in banks.

Matt Allen, director of financial crime at the BBA, says: “The critical point is that it allows law-enforcement agencies to act with a range of banks to identify issues and respond to threats more quickly.” Such schemes are likely to be a big help, but the main risk is, as always, human frailty. Horne says: “Most of the time, cyberbreaches start with someone who clicks on a dodgy link or opens an attachment.” Ferguson agrees, recommending mock attack exercises to raise awareness among staff, which will in turn increase the reporting of potential events to security departments. “Your greatest weapon is training…”

A BRIEF HISTORY OF CYBERCRIME

1988 Robert Tappan Morris releases the first ‘worm’ distributed by the internet, resulting in his conviction under the US Computer Fraud and Abuse Act of 1986.

1994 Russian Vladimir Levin carries out the first known bank robbery conducted over computer networks, transferring $10.7m from clients of Citibank to his accounts.

2003 Phishing attacks begin hitting customers of retail banks in the US, UK, mainland Europe and Australia.

2004 The chip and PIN system is rolled out on UK credit and debit cards. The US still lacks the system, meaning most cloned cards end up there.

2005 More than 40 million accounts are exposed to potential fraud due to a security breach that occurred at a third-party processor of transactions by MasterCard International.

2013 The UK introduces the National Cyber Crime Unit as part of the new National Crime Agency, aimed at fighting serious and organised crime.

2014 The Russian government is implicated in a wave of cyberattacks against several US financial institutions, including JP Morgan.

2015 The EU Network and Information Security Directive imposes mandatory data-breach reporting regulations on the financial sector.

Financial e-crime is a growth industry. This is unsurprising when you consider that almost seven billion online banking transactions were made in the UK. The financial services sector is now recognising that prevention alone is not the answer, according to John Salmon, head of financial services at law firm Pinsent Masons. “It used to be that they would try to put a ring of steel around themselves and focus solely on preventing anyone getting access to the network,” he says. “But they now have accepted that is not going to work, and that they need to focus on detecting people once they are inside.”

 

Colin Marrs is an independent writing and editing professional.
