The business of cybercrime against business

The trend to Digital financial services is undeniable but there's the dark side of dependency on systems exposed to risks and vulnerabilities. The hyper-connected nature of digital makes it easy As with technology itself, there is an increase in the frequency and sophistication of cybercrime attacks against businesses according to ANZ's Head of Global Transaction Banking.

"There are cybercrime organisations so sophisticated they are practically businesses themselves."
Carole Berndt, Head of Global Transaction Banking at ANZ

She spoke to BlueNotes about how corporate treasurers can work with their companies to build digital resilience against cybercrime.

Adele Tan: We typically hear about cybercrime targeted at consumers. Given complex corporate infrastructure but what about organisations?

Carole Berndt: Cyber criminals are increasingly sophisticated in their execution and opportunistic with targets. No person or business is immune from being attacked.

In fact, businesses are lucrative targets as they manage millions of dollars and valuable information across international networks. Cybercrime methods have developed much faster than corporate security systems, so cybercriminals are ahead of the game.

There are cybercrime organisations so sophisticated they are practically businesses themselves, with services that mirror those of multi-national organisations including customer support and technical helplines.

According to IBM, the average organisation experiences nearly 17,000 security attacks each year. It is estimated by 2020, failure to defend against cyber-attacks could have an aggregate impact of $US3 trillion on the global economy.

Corporate treasurers play an important role in managing business risks and they need to understand this changing landscape to protect their business.

AT: What are the weak links treasurers should look out for?

CB: People are usually the weakest link when it comes to cybercrime. An IBM study found 95 per cent of all security incidents involve some degree of human involvement.

Cybercriminals typically rely on social engineering methods to hack into corporate systems. They may send urgent payment instructions at 5pm on a Friday as staff are leaving the office in the hope shortcuts will be taken to get the job done.

Phishing attacks leverage information gained from social media or publicly available information, such as annual reports or company registers, to create legitimate looking emails to be sent to specific individuals.

Highly targeted phishing, known as spear phishing, is another tool. Spear phishing targets specific organisations or individuals and appears to come from a trusted source and can trick even the savviest of users and often has dire consequences.

There is also a new technique called a 'watering hole' attack. Cyber criminals look for websites often visited by employees in a specific locale. This can be anything from the local gym to the local newspaper. They infect websites with malicious software in order to gain access to users in a particular geographical area.

AT: What can businesses do to ensure their systems are safe?

CB: Every system has vulnerabilities exposed to cyber-attacks. Cyber criminals often rely on known but unpatched exploits to gain access to IT systems. Unchanged default root passwords are easy pathways into corporate IT systems.

Criminals know large organisations are slow to react to patch upgrades. A patch release often describes the vulnerability being resolved in detail.

If a cyber-criminal failed in a past attack but managed to gather information about a company's infrastructure, they would have detailed information on the vulnerabilities of that infrastructure. That enables them to succeed in any future attempt until the patch is applied.

AT: If both people and systems are weak links, what hope do we have?

CB: Corporate treasurers must establish a robust, well-documented and actively managed control environment to tackle cybercrime. The first and most important step to achieve this is to have a strong understanding of organisational processes and to review the maturity of transactional processes.

Businesses must identify gaps or weaknesses in process or controls, such as user access management and payment authorisation, which present a risk.They should enlist the help of risk professionals, as well as people who execute the processes and technology, in defining the risks associated with those processes.

Once the risks have been identified, clear plans and controls must be implemented to mitigate them.

AT: How can companies ensure their controls are effective against cyberattacks?

CB: Cyber criminals are innovative and constantly change their tactics and tools to break through corporate security controls. This is probably the biggest challenge for businesses dealing with cybercrime.

Controls reduce in effectiveness over time and this can happen very quickly given how fast the digital world moves. The agility to change is a vital factor in determining the resilience of a company's cyber security controls.

Companies must monitor security news, identify best practices and source intelligence on the tools and tricks used by cyber criminals. Speed and flexibility in navigating and responding to cyber threats is the differentiator in the robustness of a company's security controls.

Companies should tap on cybercrime intelligence groups, such as the National Cybercrime Unit in the UK and the Australian Cyber Security Centre for updates and resources.

A fundamental principal companies should follow is to have defence in depth, which means their security framework should not depend on a single control. It must be an end-to-end approach that pre-empts the entry of threats at any point.

Adele Tan is a contributing editor at BlueNotes