Last week inadvertently ended up being a cyber security focused week. It started off with the post 8 Cybersecurity Payment Threats Highlighted by the EPC and on Thursday i went to the SWIFT Institute Cyber Security 3.0 – Better Together conference in London. I found it to be a fascinating day with cyber security insights from various authorities on the topic. In this post, i thought i would share some of the themes that caught my attention.
1. Cyber Crime is a BIG Deal & the Threat will only continue to Grow
The scale of the current threat is huge, and the threat will grow – check this out:
- All of the current cyber related stats that you see and hear about are only a subset of the actual cyber related crime activity – in short, the problem is much bigger
- Polymorphic malware is a game changer – its malware that modifies itself so each attack looks different and therefore tracing and defending against it is difficult
- All statistics and costs relating to cyber security and cyber crime run into the millions, billions and trillons!
- Mobile banking is growing at a phenomenal rate
- The number of connected devices are increasing at an astronomic rate – Gartner predicting 8.4 billion connected devices in 2017
2. Everybody talks about Collaboration, but then Forgets to!
When it comes to cyber security SWIFT, the banks, providers and even the bad guys talk about collaboration. Why?
- Often hackers attack multiple targets using the same methods. The theory is that if the victims share all details of what happened then there is a fighting chance that the methods used can be reverse engineered and the necessary safeguards can be developed and implemented to protect any other potential targets
- Hackers collaborate to plan, execute and prolong their attacks across borders – while often the target companies, industries and authorities in those jurisdictions do not
The problem is that Collaboration is easier said than done. It is easy and feels good to talk about collaboration at a conference, but when attendees go back to their day-to-day collaboration often gets thrown out of the window.
3. Compliance is Hard – Gottfried Leibbrandt
Gottfried often talks about practising good basic hygiene when it comes to cyber security, and he makes a good point. When experts talk about cyber security, they often describe humans as the weakest link – and yet some of the biggest risks simply require good Cyber Security Hygiene.
Next, cyber security risks are evolving:
- Technology can assist combat fraud through solutions such as AI and machine learning that can be programmed to recognise abnormal conditions
- But equally, newly connected digital devices present new risks – for example in Europe PSD2 will give new players access to bank accounts and enable them to make payments using APIs, and with this the payments landscape changes and new risks emerge
Of course, Gottfried and other speakers referenced the SWIFT Customer Security Programme – which i will not dwell on too much here.
4. The Amazing Geography of Cyber Crime and Cyber Security
When people talk about cyber crime and cyber security there are some countries and regional generalisations:
- Asian banks are often targeted by hackers as the recipient banks of fraudulent payments representing a new cyber crime frontline
- African countries lack sufficient cyber crime laws and in turn victims have little protection from cyber related crime
- Brazil has in recent years become a hot cyber crime capital with events such as the 2014 World Cup and the 2016 Rio Olympics
- North Korea is also believed to be behind many cyber security breaches, including the SWIFT related hack at Bangladesh Bank, or is it?
- Russian cyber crime market is infamous around the world, with according to the New York Times one of the most wanted cyber criminals in the world!
- Iranian based hackers have been charged with cyber attacks against US banks
You must check out the Norse – Superior Attack Intelligence interactive cyber security map – it is simply amazing!
5. Regulation is Fragmented, Inconsistent and as a result Inefficient
Regulation, or lack and inconsistency thereof, is a recurring and critical cyber security theme. Often the problem is that regulation relating to cyber crime is simply unable to keep up with the fast paced world of cyber crime. Asia is often cited as a particularly vulnerable region because:
- Anti-money laundering laws may be weaker in one country versus another
- Many potential target institutions have huge customer bases
- Regulation protecting individuals against cyber crime may be incomplete, weak or missing altogether!
- Differences in cyber crime and data protection laws in one country versus another country are often different and cyber criminals exploit these gaps and loopholes
Illustrations of some recent initiatives include:
- Europe – there is the GDPR – General Data Protection Regulation – more on this soon….!
- US – the top US banks have come together to form the Financial Systemic Analysis & Resilience Center (FSARC) – more on this soon, too…!
6. Cyber Security is no longer the sole Responsibility of the “IT Guy”
One of the speakers shared how a few years ago cyber-security days were typically attended by the IT guy and overall attendance was “okay”, but there would be some spare seats available. Today there are cyber security conferences attended by people from all levels of an organisation and with representation from different groups (IT, business, compliance) of an organisation.
When it comes to cyber-security organisations can not afford to operate in silos, they need to understand, monitor and react across the organisation.
Professor Richard Benham has compiled a couple of interesting reports for the Institute of Directors. If you do nothing else, read these:
- Cyber security: Ensuring business is ready for the 21st century
- Cyber Security: Practical Steps for your Business
And if you have time, take a peek at this Harvard Business Review article: The Biggest Cybersecurity Threats Are Inside Your Company. Lastly, look out for Symantec Internet Security Threat Report for a breakdown of the various types of threats.