The business of cybercrime against business

The trend to digital financial services is undeniable, but there's a dark side: dependency on systems exposed to risks and vulnerabilities. The hyper-connected nature of digital makes it easy for cybercriminals to fraudulently access information and systems.


As with technology itself, there is an increase in the frequency and sophistication of cybercrime attacks against businesses, according to ANZ's Head of Global Transaction Banking.

"There are cybercrime organisations so sophisticated they are practically businesses themselves."
Carole Berndt, Head of Global Transaction Banking at ANZ

She spoke to BlueNotes about how corporate treasurers can work with their companies to build digital resilience against cybercrime.

Adele Tan: We typically hear about cybercrime targeted at consumers. But what about organisations, given complex corporate infrastructure?

Carole Berndt: Cyber criminals are increasingly sophisticated in their execution and opportunistic with targets. No person or business is immune from being attacked.

In fact, businesses are lucrative targets as they manage millions of dollars and valuable information across international networks. Cybercrime methods have developed much faster than corporate security systems, so cybercriminals are ahead of the game.

There are cybercrime organisations so sophisticated they are practically businesses themselves, with services that mirror those of multi-national organisations including customer support and technical helplines.

According to IBM, the average organisation experiences nearly 17,000 security attacks each year. It is estimated by 2020, failure to defend against cyber-attacks could have an aggregate impact of $US3 trillion on the global economy.

Corporate treasurers play an important role in managing business risks and they need to understand this changing landscape to protect their business.

AT: What are the weak links treasurers should look out for?

CB: People are usually the weakest link when it comes to cybercrime. An IBM study found 95 per cent of all security incidents involve some degree of human involvement.

Cybercriminals typically rely on social engineering methods to hack into corporate systems. They may send urgent payment instructions at 5pm on a Friday as staff are leaving the office in the hope shortcuts will be taken to get the job done.

Phishing attacks leverage information gained from social media or publicly available information, such as annual reports or company registers, to create legitimate looking emails to be sent to specific individuals.

Highly targeted phishing, known as spear phishing, is another tool. Spear phishing targets specific organisations or individuals, appears to come from a trusted source, can trick even the savviest of users and often has dire consequences.

There is also a new technique called a 'watering hole' attack. Cyber criminals look for websites often visited by employees in a specific locale. This can be anything from the local gym to the local newspaper. They infect websites with malicious software in order to gain access to users in a particular geographical area.

AT: What can businesses do to ensure their systems are safe?

CB: Every system has vulnerabilities exposed to cyber-attacks. Cyber criminals often rely on known but unpatched exploits to gain access to IT systems. Unchanged default root passwords are easy pathways into corporate IT systems.

Criminals know large organisations are slow to react to patch upgrades. A patch release often describes the vulnerability being resolved in detail.

If a cyber-criminal failed in a past attack but managed to gather information about a company's infrastructure, they would have detailed information on the vulnerabilities of that infrastructure. That enables them to succeed in any future attempt until the patch is applied.

AT: If both people and systems are weak links, what hope do we have?

CB: Corporate treasurers must establish a robust, well-documented and actively managed control environment to tackle cybercrime. The first and most important step to achieve this is to have a strong understanding of organisational processes and to review the maturity of transactional processes.

Businesses must identify gaps or weaknesses in process or controls, such as user access management and payment authorisation, which present a risk. They should enlist the help of risk professionals, as well as people who execute the processes and technology, in defining the risks associated with those processes.

Once the risks have been identified, clear plans and controls must be implemented to mitigate them.

AT: How can companies ensure their controls are effective against cyberattacks?

CB: Cyber criminals are innovative and constantly change their tactics and tools to break through corporate security controls. This is probably the biggest challenge for businesses dealing with cybercrime.

Controls reduce in effectiveness over time and this can happen very quickly given how fast the digital world moves. The agility to change is a vital factor in determining the resilience of a company's cyber security controls.

Companies must monitor security news, identify best practices and source intelligence on the tools and tricks used by cyber criminals. Speed and flexibility in navigating and responding to cyber threats is the differentiator in the robustness of a company's security controls.

Companies should tap on cybercrime intelligence groups, such as the National Cybercrime Unit in the UK and the Australian Cyber Security Centre, for updates and resources.

A fundamental principle companies should follow is to have defence in depth, which means their security framework should not depend on a single control. It must be an end-to-end approach that pre-empts the entry of threats at any point.

Adele Tan is a contributing editor at BlueNotes

The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.
