WASHINGTON, D.C. — An educational session on Tuesday at the 2014 AFP Annual Conference examined trends in cybercrime, and what steps treasurers can take to protect their organizations.
Cybercrime has been hitting the headlines over the past year for all the wrong reasons. Jason Witty, senior vice president and chief information security officer at U.S. Bancorp, described how a growing list of retailers have fallen victim to cyber attack, while some 500 million financial records have been stolen in 2014 to date. With the vast majority of the world economy now digital, information security is vital.
There are a variety of different cyber threats operating today. One is the insider threat, which can be either accidental or malicious. The impact of the insider threat can be minimized by good management and human resources, according to Witty. While this type of incident does not happen very often, when it does it can be very impactful.
Another threat is organized crime. Witty commented that organized crime is a US$300bn a year industry. Around 80% of malware detections are trojans. Witty advised delegates to keep on top of the various software updates that vendors release, as more often than not these updates patch security weaknesses to protect software against a newly detected risk.
Hacktivists represent a third type of cyber threat. They are ideologically motivated, and Witty said that this group is actually responsible for more data breaches than cybercriminals today.
The final threat comes from nation states. Witty said that countries engaging in cyber sabotage are persistent and stealthy, and act to weaponize software. He used the example of the Stuxnet attack, which targeted centrifuges in the Iranian nuclear program and caused them to fail, an example of a cyberattack manifesting in the physical world. With such a variety of threats operating, software security has never been more critical.
Following Witty, Bryan Sartin, director of risk at Verizon Enterprise Solutions, presented the findings of his company’s decade-long investigation into data breaches. The research found that, while there may seem to be an endless list of cyber threats that organizations face, a huge 92% of the 100,000 incidents analyzed could be described by just nine basic patterns. These are:
- Point of sale intrusions
- Payment card skimmers
- Web app attacks
- Insider misuse
- Theft or loss
- Denial of service
- Cyber espionage
- Miscellaneous error
Echoing a point made by Witty, Sartin said that the motivation of the threat actors has evolved in recent years. While motivation used to be mostly financial, hacktivism has been a growing trend over the past two years. Even more recently, in the past 12 months, espionage has grown to be a serious motivation. Sartin said that this now represents 20% of all cyber threats, having rapidly grown from a low base. There is clear volatility in the threat landscape.
The pace of change has taken on a political aspect in the US. President Obama made it clear that he thought Congress was not legislating in a way that kept up with the pace of change by issuing Executive Order 13636 in 2013. Entitled ‘Improving Critical Infrastructure Cybersecurity’, the Executive Order directed the government to develop a technology-neutral voluntary cybersecurity framework. This was duly published by the National Institute of Standards and Technology (NIST) in February this year, with the framework providing a common language for organizations to assess, communicate and measure improvements in cybersecurity.
Michael Steenberg, senior vice president and senior business line risk manager with U.S. Bank, made the point that there is no magic bullet that corporates can use to protect themselves. Rather, organizations require deep layers of counter-fraud measures, including encryption, strong authentication, malware prevention, and transaction-level dual control and dual authentication. Treasurers play a key role in organizational security, as a treasury management station (TMS) will require treasurers to set security limits, to know who the administrators of the system are, and to put dual controls in place to ensure that any transactional activity has the approval of at least a second signatory.
Steenberg concluded with some key takeaways for the treasurers attending the session. He said that organizations should consider adopting the NIST framework, and that corporates should assume it is ‘when’ and not ‘if’ a cyberattack will affect their business. Bearing that in mind, Steenberg said that there should be a strong focus on anomaly detection. Finally, he suggested that treasurers should participate in information sharing, likening the fight against cybercrime to playing a team sport.