Cybercrime: An asymmetrical war

What do Robert Mueller, former Director of the FBI, John Chambers, former CEO of Cisco, and Misha Glenny, a British cybersecurity journalist, have in common? They all agree that there are two types of companies today: those who have been hacked, and those who will be again. Though it may sound like an innocent platitude, consider that a company need not even realise that its security has been compromised to fit into one of these categories.

Corporate cybersecurity is more important than ever, with 54% of cybersecurity professionals predicting an increase in cyberattacks over the next 12 months.1 Cybercrime is evolving at an unprecedented pace, and many companies are struggling to develop and maintain effective security standards. The greatest security challenge faced by companies is the detection of advanced, unknown or emerging threats. On average, it currently takes a company 40 days to notice that attackers have infiltrated their networks.

As cybercrime advances, corporates of all sizes must take proactive steps to help prevent, detect, and resolve security breaches. “Cybercrime has become more sophisticated as perpetrators have realised that there is profit to be gained,” says Anton Tkachov Chief Security Architect, Financial Systems Cybersecurity, PwC. “In the 1970s, for example, computer viruses were just a prank; today, ransomware is a very lucrative market. Cybercriminals have realised the potential gain and started to operate as mature businesses with large investment and R&D budgets.”

In light of these developments, companies are showing a renewed interest in cybersecurity, and security professionals understand that corporates must take proactive steps to remain ahead of emerging security threats. “It’s a very asymmetric war,” says Alvaro Garrido, Group CIO and head of Group IT at Nordea. “We need to be right 100% of the time, and they need to be right just one time.”

Cybersecurity Trends Report, 2017

Financial systems at heightened risk

One of the prime targets for cybercriminals is to infiltrate a company’s financial systems. However, advanced cyberattacks have found new methods to gain access to secured financial systems. “While attacks used to be made at the ‘sharp end’ of the payment processes, such as banking systems and payment transmission systems, criminals are now targeting vulnerabilities across the wider supply chain to influence and divert payments,” explains Tkachov.

“Banks and corporations operating internationally need to review and address vulnerabilities across their entire footprint, as with globally-connected systems, a breach in a remote branch could have a major impact on their core banking and payment processing systems,” he continues. “Only if companies understand their risks and vulnerabilities holistically can they act to overcome them.”

These risks can be both external and internal. One of the greatest threats to security comes from a company’s own employees. Phishing attacks have grown in prevalence and sophistication, leading to the moniker “spear-phishing” to refer to attacks that specifically target an individual or organisation. Even the most tech-savvy employees can be fooled, so the best defence against phishing of all varieties is company-wide security-awareness training.

Regulatory environment: local application, global implication

The regulatory environment is also evolving to reflect the increasing impact of cybercrime, both for corporates and consumers. The new EU General Data Protection Regulation (GDPR) will require all companies who do business in Europe to inform national authorities whenever they experience a data breach. In some cases, companies will also be required to directly inform affected individuals. Furthermore, under the GDPR, companies will be required to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” Companies who run afoul of the regulation may be penalised by up to 4% of total revenues and leave themselves open to private lawsuits.

However, cybercrime is a global problem, not limited to specific regions or industries. A company or institution can be compromised by an attacker from any origin. It is important for companies to maintain this international perspective, especially in terms of regulatory compliance. “Regulations differ across jurisdictions,” says Garrido. “This means that corporations need to achieve the ‘highest common denominator’ from a compliance perspective, as well as meeting specific obligations in individual countries.”

Having strong protections in place is paramount, as enforcement for cybercrime is fractured by regulatory differences. “As yet, there are no global rules to combat cybercrime,” says Tkachov. “The regulators work in a siloed manner, so it can be difficult to prosecute international criminals. Enforcement agencies and regulators need to work together to reduce the incentive, improve intelligence sharing and enable prosecution of financial crime.”

Monitor trends to stay prepared

Corporates who are concerned about the integrity of their cybersecurity policies and practices should remember that vigilance is key. Cybercrime is always evolving so it is important to stay informed on the latest trends and innovations. Security professionals should either create or update their digital security strategies to reflect the latest advances in cybersecurity.

Internally, “Nordea is responding decisively to the changing environment with a substantial increase in focus and investment, and a revamped Information and Cybersecurity strategy,” says Alvaro.

We are also working to keep our customers up-to-date on the latest trends and best practices in cybersecurity. For instance, this October is Cybersecurity Awareness Month, and the Insights newsletter will focus on best practices for corporates to develop and maintain their cybersecurity in the face of new technological advances and the upcoming regulatory shifts regarding PSD2 and GDPR. We are also planning seminar and webinar sessions for our corporate customers, so stay tuned for more information after the summer.

Security Action Points

Alvaro Garrido, Nordea:

  • Put security firmly on the corporate agenda:security must be a starting point in decision making.
  • Assess the current security situation realistically.Engage stakeholders across the enterprise todevelop a security-focused mindset.
  • Look beyond your immediate counterparties to the wider commercial ecosystem in which you operate to identify potential weak links.
  • Identify key skills and resources that you are missing, and develop recruitment or staff development plans to fill any gaps.

Anton Tkachov, PwC:

  • Reach out to executives such as the CIO to agree clearly which business functions (e.g. IT or treasury) are responsible for the security of systems, processes, controls and training.
  • Participate in cyber threat modelling exercises to identify cyber security vulnerabilities and devise priority action plans to overcome them.
  • Recognise that the human element of security,such as awareness training and testing exercises,is just as important as sophisticated technology solutions. Good security starts with the correct security culture.

Glossary

Malware: Malicious software that tries to infect computer and mobile devices. Trojans, viruses, adware, etc.

Phishing: The attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

Spear-phishing: Phishing attempts directed at specific individuals or companies.

Whaling attack: A type of phishing scam that directly attacks high-profile targets like C-level executives, politicians and celebrities

Smishing: A phishing attempt conducted via SMS.

Vishing: A phishing attempt conducted over the phone or via voice-operated services.

The information provided within this website is intended for background information only. The views and other information provided herein are the current views of Nordea Bank Abp as of the date of publication and are subject to change without notice. The information provided within this website is not an exhaustive description of the described product or the risks related to it, and it should not be relied on as such, nor is it a substitute for the judgement of the recipient.

The information provided within this website is not intended to constitute and does not constitute investment advice nor is the information intended as an offer or solicitation for the purchase or sale of any financial instrument. The information provided within this website has no regard to the specific investment objectives, the financial situation or particular needs of any particular recipient. Relevant and specific professional advice should always be obtained before making any investment or credit decision. It is important to note that past performance is not indicative of future results.

Nordea Bank Abp is not and does not purport to be an adviser as to legal, taxation, accounting or regulatory matters in any jurisdiction.

The information provided within this website may not be reproduced, distributed or published for any purpose without the prior written consent from Nordea Bank Abp.

Related articles