
Cyber-crime: expected trends for 2015

Paul Stokes, Wynyard Group, Chief Operating Officer, London, 5 February 2015


The Internet is a very dirty place, and about to get dirtier. What should private banks, trustees and fund firms do to protect their operations and data?

Paul Stokes, the chief operating officer of Wynyard Group, along with Andy France, the group's chief intelligence advisor, spoke to Compliance Matters about the cyber-security threats that many compliance departments are having to deal with. This article is the result of that interview. Financial firms would do well to heed their predictions for the year ahead.

* More and more firms will realise that no company is immune to cyber-attacks and that so-called perimeter security is no longer enough.

Today, organisations operate in a perimeter-less cyber-world and the idea that an organisation can throw a fence up at its edge to protect its inner parts is fiction. Many organisations continue to use security software (we cannot say whose for legal reasons) from the 1990s, which is useless. Sophisticated cyber-criminals have rendered traditional 'perimeter defences' such as proxies, firewalls, virtual private networks, and antivirus and malware tools ineffective.

A few years ago, a traditional company would have an IT department and all its software would run on its own machines. Then came the Internet, to which everybody wanted to be connected. This widened the threat horizon to take in everyone who could reach the network over a telephone line, and people overseas were soon connected to it in large numbers. The traditional company could keep locks on its old system, but this made little sense in a world where everybody was connected to everyone else.

Think of cyber-security as though you are planning to fortify your house. You can put locks on the windows and doors, perhaps also buying a burglar alarm and joining the Neighbourhood Watch. If you do all that but leave your back door open as well, you only have yourself to blame. Cyber-security always was like that, but now people are digging through the wall! People are dismantling the roof! A wall, or a moat, does not work any more. Companies now need to detect threats inside the firewall, and to detect them as they develop.

In today’s threat landscape, organisations face extremely sophisticated intruders who continually upgrade their skills. The means by which they can penetrate networks, and conceal their presence within those networks, are legion. When a criminal steals a manager's credentials, he looks like the manager – he is, after all, logged in as him. In cyber-crime, it is a good idea to steal identities. One of the hardest things to find in cyber-security is someone using someone else's password and appearing as them. Around 80% of people use the same personal identification number (PIN) for everything, that is to say that the typical person uses one PIN for his phone, his cash card and everything else. The capabilities of insiders who abuse their access rights to manipulate and steal data should not be forgotten either.

Is cyber-security better in the securities and banking world than in, to take a random example, the insurance and life policy world? One might expect there to be glaring differences between these sectors but in fact there is little difference. No sector of financial services is as advanced as the people who are orchestrating attacks. All one can do is try to build more perimeters, meet the attackers inside the system and have tools to deal with them before they do damage.

Attacks often remain undetected until it is too late. Many uninformed bystanders believe that all cyber-attacks are over in a flash. This is a common misconception. To use a medical analogy, one develops the symptoms of catching a cold before he progresses to full-blown pneumonia. He has time to go to a doctor to ameliorate his condition. The process of lifting data out of someone else's system also takes time. The IT manager can spot the symptoms before the deed is done. This is a new way of thinking. It uses new technology and that technology is used for diagnoses as well as cures – it is impossible for a human to keep up now.
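The two symptoms described above, a stolen credential being used "as the manager" and data being lifted out of a system slowly rather than in a flash, can both be surfaced by comparing each session against a per-user baseline rather than by inspecting the perimeter. The Python below is an added example written for this page; it is not code from Wynyard Group or the interviewees. The log format, the field names (`user`, `src`, `bytes_out`), the thresholds and every log line are constructed for the illustration.

```python
"""Added example (not from the article): a per-user behavioural baseline that
flags (1) a known credential used from a country or at an hour never seen
before, and (2) outbound volume that is either a spike or a slow, sustained
lift that would stay below any single-session spike threshold."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one line per session. The field names are an
# assumption for this example, not any product's format.
SAMPLE_LOG = """\
2015-01-05T08:55:00 user=alice src=GB bytes_out=120000
2015-01-06T09:10:00 user=alice src=GB bytes_out=150000
2015-01-07T08:40:00 user=alice src=GB bytes_out=110000
2015-01-08T09:05:00 user=alice src=GB bytes_out=130000
2015-01-09T08:50:00 user=alice src=GB bytes_out=140000
2015-01-12T09:00:00 user=alice src=GB bytes_out=125000
2015-01-13T08:45:00 user=alice src=GB bytes_out=135000
2015-01-14T09:02:00 user=alice src=GB bytes_out=170000
2015-01-15T08:58:00 user=alice src=GB bytes_out=175000
2015-01-16T09:07:00 user=alice src=GB bytes_out=180000
2015-01-05T10:00:00 user=bob src=GB bytes_out=40000
2015-01-06T10:15:00 user=bob src=GB bytes_out=45000
2015-01-07T09:50:00 user=bob src=GB bytes_out=42000
2015-01-08T10:05:00 user=bob src=GB bytes_out=38000
2015-01-09T10:20:00 user=bob src=GB bytes_out=44000
2015-01-15T03:12:00 user=bob src=RO bytes_out=41000
"""

# Sessions before this date train the baseline; later ones are evaluated.
BASELINE_END = datetime(2015, 1, 14)


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        rec["bytes_out"] = int(rec["bytes_out"])
        records.append(rec)
    return records


def build_baseline(records):
    """Per user: countries and hours seen, and mean/stdev of outbound bytes."""
    base = defaultdict(lambda: {"countries": set(), "hours": set(), "bytes": []})
    for r in records:
        if r["ts"] < BASELINE_END:
            b = base[r["user"]]
            b["countries"].add(r["src"])
            b["hours"].add(r["ts"].hour)
            b["bytes"].append(r["bytes_out"])
    for b in base.values():
        b["mean"] = statistics.mean(b["bytes"])
        b["sd"] = statistics.stdev(b["bytes"]) if len(b["bytes"]) > 1 else 0.0
    return base


def detect(records, drift_days=3):
    """Return (date, user, rule) alerts for sessions after the baseline window."""
    base = build_baseline(records)
    alerts = []
    quietly_elevated = defaultdict(int)  # consecutive above-soft-line sessions
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["ts"] < BASELINE_END or r["user"] not in base:
            continue
        b = base[r["user"]]
        day = r["ts"].date().isoformat()
        # Rule 1: the credential is valid, but the context is not the user's.
        if r["src"] not in b["countries"]:
            alerts.append((day, r["user"], "new-country:" + r["src"]))
        if r["ts"].hour not in b["hours"]:
            alerts.append((day, r["user"], "unusual-hour:%02d" % r["ts"].hour))
        # Rule 2: outbound volume. A spike is obvious; a slow lift sits under the
        # spike line, so count consecutive sessions above a softer line instead.
        if r["bytes_out"] > b["mean"] + 4 * b["sd"]:
            alerts.append((day, r["user"], "exfil-spike"))
        elif r["bytes_out"] > b["mean"] + 2 * b["sd"]:
            quietly_elevated[r["user"]] += 1
            if quietly_elevated[r["user"]] == drift_days:
                alerts.append((day, r["user"], "exfil-drift"))
        else:
            quietly_elevated[r["user"]] = 0
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed data, bob's session from RO at 03:12 trips both context rules even though the password was correct, and alice's three consecutive days of modestly raised outbound traffic never cross the spike line but do trigger the drift rule: that is the "cold before pneumonia" window in which a defender can still act. The multipliers and the three-day window are illustrative and would be tuned to each environment's own history, which is the point the article makes about reviewing what has actually happened to one's own systems.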

* Firms will have to invest more heavily than ever before in cyber-intelligence software that allows them to detect threats and respond to them rapidly.

According to Gartner, by 2020, 60% of enterprises' information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2012. Some governments are no longer relying on the implementation of information security policies or traditional perimeter cyber-security tools. They are now actively “building cyber-intelligence capability” to reduce the “unknown unknowns” that are likely to affect their operations or economies.

One such government is that of the UK, which has its own cyber-security strategy. Other countries are doing the same. Wynyard deals with governments itself but does not want to identify them or the tasks it performs for them. Things used to be rules-based, but governments are now realising that they have to take a step back and take a risk-based approach, spending money on the more risky areas of cyber-security. Cyber-intelligence capability involves human planning, not leaving it up to a machine.

Technology has gone so far that there is a dearth of talent at large firms, so the limited number of people with the right skills have to work on the most important risks. The most skilful people often come from the government. [Editor's note: they also come from outfits such as CSG Government Solutions, which look after HM Government's systems. The pay at CSG is reputedly less than at some of the bigger consulting firms.] The government also encourages universities to sponsor cyber-security degrees – another source of skilled workers.

* The rôle of the Chief Information Security Officer (CISO) will become more important.

CISOs at financial firms are being “invited to the top table” more often as time goes on. This is an admission that in many cases a business's survival relies on the security of its technology. Organisations are now tending to elevate their CISOs to a par with their chief information officers or CIOs. This gives these cyber-security experts an equal voice in the formulation of resource-related priorities and decisions about various risks.

Is this a conscious policy, born out of careful research and consequent board decisions to take cyber-security more seriously? To some degree the answer is no; it is happening automatically. One tends to find that when security has been breached and things have gone spectacularly wrong, it is because a junior person has been given responsibility for cyber-security. During the times when the company ought to be preparing for attack, in the lulls between emergencies, top directors tend to ask their IT people leading questions about whether security is good enough at the moment, while also putting pressure on those same people to say 'yes, of course.' This is a recipe for disaster rather than good and timely problem-solving. Indeed, this is one of the most pernicious problems of cyber-security. The only remedy is to have someone senior in charge of security who can argue with/contradict his peers on the board from a position of equal status.

Another misconception that our corporate public has is the assumption that when cyber-attacks happen to them, their companies were targeted. Actually the process is fairly random – criminal software spends its time looking opportunistically for any weakness at any address.

* There is – and will continue to be – a massive shortage of people with the right 'cyber security' skills.

After a year in which many high-profile companies were hacked, financial firms are spending more on cyber-security and increasing the size of their cyber teams. There is no known research on which sectors are spending more than others as a percentage of turnover, or whether large firms are spending a smaller proportion of their turnover on it in the same way that they do with compliance. Having said this, it seems likely that economies of scale apply.

People who have direct, first-hand experience in identifying 'cyber risks' and improving organisations' defences against them are in high demand but the supply of these people is low and this will get worse as security teams increase in size.

* Governments and private enterprises will collaborate more to tackle cyber-threats.

The cyber threat landscape is changing rapidly. Governments are taking such steps as the Australian cyber security review to improve the defence of our businesses and crucial national infrastructure. We shall see this trend gather pace, with governments increasingly acknowledging their need to work with the private sector in the face of this growing problem.

The biggest change for many financial firms in recent years lies in the fact that the greatest asset they own is now intellectual property that resides in the data about customers that they store. This data is so valuable that it is no exaggeration to say that our financial business has moved from physical wealth to digital wealth. Criminals who attack this are increasingly sophisticated – they take a 'supply chain' approach.

For example, there is a huge black market on the Dark Web, formerly known as the Invisible Web. Our research suggests that it costs $103 to buy a credit card number and code that will allow the purchaser to siphon money out of a bank account. There is a large market for other data such as commercial secrets. Some companies, it is true, will reject any offers from criminals to sell them their competitors' plans or customer databases, but many will not. The manufacturing market is full of exact replicas of inventions to which intellectual-property rights apply. This happened to Lockheed Martin, the aircraft company. It also probably happened to a Land Rover model, as a Chinese manufacturer has mysteriously begun building models that are very similar. In last year's Bitcoin Silk Road scam, someone bypassed the site’s escrow service and dealt directly with one seller named “Tony76”. This shortcut led to the disappearance of 20,000 Bitcoins in less than two weeks.

As we have said, the official Australian cyber-crime review is good, as is the UK's co-ordinated cyber-security strategy. The fight against cyber-crime is not just an Anglo-Saxon initiative, however – Europol, located at The Hague in the Netherlands, has taken down some criminal websites, with police from Romania and Slovakia helping. [Editor's note: On the subject of public-private partnerships, Europol's European Cybercrime Centre has just signed a memorandum of understanding with AnubisNetworks, a cyber-security and threat-intelligence IT company, with the aim of fighting cyber-crime. The MoU will facilitate the exchange of expertise, statistics and other strategic information.]

* Cyber risk management will become a priority for the boards of financial firms, if it is not one already.

One thing to note here is that some boards at financial firms – we cannot say which – are thinking of moving responsibility for network security from audit committees to risk committees. These days, cyber-security is coming to be viewed as a business risk rather than a compliance issue.

As we have said, people on the boards of firms have to shoulder responsibility for security policy. Organisations have to understand what their risks are and only senior people can be confident of a fair hearing. Board directors have to ask what attacks their companies have been experiencing over time rather than merely looking at trade press articles. This, too, represents a change – each firm must review everything that has happened to its own systems; there is no other good way to guard against attacks.

* The average firm will spend more time scrutinising other firms that supply it with crucial ancillary services or hold sensitive information on its behalf.

Many organisations do not assess the security practices of supply chains and so-called 'third-party partners' adequately. At the moment, most organisations do not include security provisions in contract negotiations with external vendors and suppliers but they should – we cannot, however, give any examples of firms that do this. Suffice to say that it is imperative for organisations to hold 'third-party partners' to the same cyber-security standards that they set for themselves, if not higher standards.

* Companies will react to 'cyber-events' in a more mature manner as those threats become more commonplace. Companies will also come to believe that security and privacy are everyone's problem.

Companies are increasingly admitting that advanced 'cyber-threats' are an insoluble problem, but they know that the benefits of being connected to the internet outweigh all the risks. Cyber-security is a responsibility shared and managed by all — the public sector, the private sector, and the general public. Some might think that this calls for a revamping of the Internet but, at the moment, nobody owns the Internet and it seems unlikely that people will give up on the present version.

[Editor's note: a Californian company, Javelin Strategy and Research, has looked into the problem of criminal networks harvesting personal data for the purpose of fraud. Their report, published in February 2014, states that “nearly one in three data breach victims in 2013 also became a fraud victim in the same year. This is up from one in four in 2012.”]
