Data/Cyber

Fighting back after Bangladeshi hack

BY Richard Summerfield

The Bangladeshi banking hack, which saw $81m stolen by cyber criminals in February, has caused the Society for Worldwide Interbank Financial Telecommunication (SWIFT) to issue a statement announcing the creation of a new five-point security plan, which will be released this week.

SWIFT’s secure messaging service is, in many ways, the glue that binds much of the global international banking system together. It allows banks to communicate with one another, sending payment instructions back and forth. However, the service acted as the backdoor for criminals to carry out the Bangladeshi theft. Via a number of coordinated cyber attacks, criminals broke into the messaging service, hijacked the system and redirected payments for their own ends.

Worryingly for both SWIFT and the global financial system, the Bangladeshi hack is not an isolated incident. In Ecuador in 2015, a similar attack saw cyber thieves take more than $12m. An attack on Vietnam’s Tien Phong Bank, which was unsuccessful, has also recently come to light. It appears that these three publicised attacks may just be the tip of the iceberg.

Gottfried Leibbrandt, SWIFT’s chief executive, told an audience at the European Financial Services Conference in Brussels that “The Bangladesh fraud is not an isolated incident: we are aware of at least two, but possibly more, other cases where fraudsters used the same modus operandi, albeit without the spectacular amounts. The banks were compromised, credentials to payment generation systems were obtained to send fraudulent payments and the statements/confirmations from their counterparties were obfuscated.”

In response to the hack, SWIFT will introduce certification requirements for vendors that help some banks connect to the network and use pattern recognition to identify suspicious behaviour.

In light of the reported – and unreported – cases, SWIFT has called on the wider banking sector to do more to counteract cyber theft. It reiterated that while the company has a key role to play, it is not a regulator. "SWIFT is not all-powerful, we are not a regulator and we are not a policeman," said Mr Leibbrandt.

SWIFT’s response to these hacks may help shape the future of global banking.

News: SWIFT to unveil new security plan after hackers' heists

Two-thirds of UK firms victims of cyber crime

BY Richard Summerfield

There can be little doubt that the digital economy is changing our day to day lives. For consumers and companies alike, the advent of the digital age has forever altered the way we do business. According to data from the UK Office for National Statistics, in 2014, e-commerce sales were £573bn across non-micro businesses, up from £335bn in 2008.

Companies are discovering that technology has a pivotal role to play in their future development and prosperity, according to a new report from Ipsos MORI and the Institute of Criminal Justice Studies. The 'Cyber Security Breaches Survey 2016' report notes that over half (53 percent) of all businesses say online services form a core part of the goods and services they provide, at least to some extent.

Yet despite this reliance on cyber activity, the report suggests that firms in the UK are increasingly exposed to cyber criminality as a result of their unwillingness – or even inability – to properly tackle security.

The report, commissioned by the UK government’s National Cyber Security Programme to survey UK businesses on their approach to cyber security and the costs they have incurred from cyber security breaches, found that two of every three big businesses surveyed were breached at some point over the last year. In total, 24 percent of UK businesses were breached. The majority of those firms were medium or large enterprises.

The most common types of cyber security breaches were viruses, spyware or malware, and impersonation of the organisation. Only half of all firms surveyed had implemented basic security controls across five major areas laid out under the government-backed Cyber Essentials Scheme. Given that just three in 10 organisations have written cyber security policies, and only one in 10 have any formal processes for managing such incidents, it is clear that companies must become better organised when it comes to protecting themselves.

According to digital economy minister Ed Vaizey, the breaches are particularly troubling. He said: “The UK is a world-leading digital economy and this government has made cyber security a top priority. Too many firms are losing money, data and consumer confidence with the vast number of cyber attacks. It's absolutely crucial businesses are secure and can protect data.”

Report: Cyber Security Breaches Survey 2016

Mind the gap

BY Richard Summerfield

One need only pick up a newspaper to see the importance of developing a robust and comprehensive cyber security programme. Data breaches have, in recent years, emerged as one of the most pressing corporate issues of our time. In light of this rising threat, many companies are pouring millions of dollars and thousands of manpower hours into shoring up their cyber defences.

However, an ‘accountability gap’ is opening up in the world of cyber security, suggest Tanium and NASDAQ in a new report. According to the study, which surveyed 1530 non-executive directors, C-level executives, chief information officers and chief information security officers across the US, the UK, Germany, Japan, Denmark, Norway, Sweden and Finland, 40 percent of executives feel no responsibility for the impact any cyber attack might have.

Furthermore, the Tanium/NASDAQ survey suggests that among the most vulnerable companies, 98 percent of business leaders are not confident in their organisation’s ability to monitor all devices and users at all times. More than 90 percent of respondents said that they are unable to read a cyber security report and are not prepared to handle a major attack. Further, only 10 percent of those surveyed agreed that they are regularly updated with information about the types of cyber security threats to their business.

Worryingly, only 9 percent of executives claimed that their systems were updated regularly in response to new cyber threats. Given the speed, agility and inventiveness demonstrated by cyber criminals in recent years, this inability or unwillingness to adapt is an alarming revelation in a business landscape pockmarked with risk.

Cyber crime, as the scandal around the ‘Panama Papers’ has recently reiterated, is a looming, ever present threat. Companies must do more to address their yawning accountability gap, before they find themselves in the headlines.

Report: The Accountability Gap: Cybersecurity & Building a Culture of Responsibility

P&U sector rethinks business models to tackle cyber security challenges

BY Fraser Tennant

Understanding the cyber security challenges facing the power and utilities (P&U) sector and improving how businesses respond to them is the overarching theme of a new EY report published this week.

In EY’s ‘Creating trust in the digital world’ global information survey 2015, 1755 respondents from global P&U organisations provide insight into the most important cyber security issues facing the sector today – a sector currently undergoing major transformation due to the introduction of smart meters and data networks across the digital energy value chain.

Moreover, with the onset of this digital energy value chain, what EY describes as the “attack surface” of P&U organisations is expanding considerably, as are the sophistication and persistence of the cyber attacks being launched by cyber criminals.

Highlighting the main concerns of the P&U sector, the EY report reveals that 19 percent of P&U responders admit that they do not have an information security strategy; 46 percent point to a lack of executive awareness or support as a major obstacle to dealing with threats to cyber security; and 55 percent confirm that their organisation does not have a dedicated security operations centre (SOC).

In terms of how P&U organisations should manage a cyber attack, the report recommends that they first identify their key risk management principles and apply them to the cyber risk issue. Fundamentally, this means knowing their critical assets; making cyber risk more tangible; aligning cyber risk with existing risk frameworks; making cyber risk relevant to the business; and embedding risk appetite within investment decisions.   

Furthermore, says EY, organisations should adopt a three-stage improvement process: (i) ‘Activate’ (establishing and improving cyber security foundations); (ii) ‘Adapt’ (adapting cyber security to changing requirements); and (iii) ‘Anticipate’ (predicting what is coming to be better prepared).

“P&U companies are rethinking their business models by being more innovative and offering a richer customer and employee experience through a variety of channels”, states the report. “However, there are significant cyber threats, and organisations need to recognise and understand the current challenges to get ahead of the cyber criminals.”

Although the EY report makes it clear that the P&U organisations are indeed making significant progress as far as tightening up their cyber security, the overriding message is that there remains considerable room for improvement across the sector.

Report: Global information survey 2015: creating trust in the digital world

The Internet of Threats

BY Richard Summerfield

Much has been made of the Internet of Things (IoT) over the last few years. Heralded as the dawning of a new technological era, or perhaps the next industrial revolution, the IoT will see smart devices of all shapes and sizes combine to create a network of connected devices communicating and sharing vast quantities of highly valuable data.

Although the technology is still in something of a nascent state, it is slowly beginning to live up to its reputation. Smart or connected devices are becoming more common, and generating considerable amounts of data. The IoT is changing, and will continue to change, the way firms do business, making new capabilities possible and introducing efficiencies to companies to help them remain competitive in an increasingly crowded marketplace.

For many companies, these predicted data flows are seemingly too good an opportunity to pass up, and firms are rushing headlong into the burgeoning IoT space. According to a report from AT&T, 'Exploring IoT Security', which surveyed 500 companies around the world with more than 1000 employees, 85 percent of organisations are exploring the prospect of implementing connected devices across their enterprises.

However, the scramble to gain a part of the IoT market is not without risks; indeed, for companies hoping to incorporate the IoT into their wider operations, the proliferation of connected devices will expose their businesses to considerable cyber security risks. AT&T’s data suggests that just 10 percent of the firms surveyed are confident in the security of connected devices. With more and more companies marrying their products with connected technology, the importance of effective and efficient cyber security is obvious. According to AT&T, by 2020 there will be around 50 billion smart devices ‘in the wild’. With smart technology finding its way into everything from home heating systems to cars, organisations cannot afford to neglect their cyber security obligations.

Given that the cost of a cyber attack can run into the millions, organisations must be prepared, yet data suggests that many companies are still scrambling to get their houses in order. Alarmingly, the report notes that only 47 percent of respondents say their organisations analyse connected device security logs and alerts more than once a day. Furthermore, only 14 percent of companies have instituted a formal auditing process to help understand whether their devices are secure and how many devices they have; only 17 percent of companies involve their boards in decision-making around IoT security. Obviously, improvement is needed.

Efforts are underway to improve cyber security provisions. The report recommends that companies: (i) assess their risk; (ii) secure both information and devices; (iii) align their organisation and governance for IoT; and (iv) define their legal and regulatory issues.

Clearly, these measures would be a good starting point for any firm; however, more must be done, and quickly, if the IoT is to fulfil its potential as a true technological game changer.

Report: Exploring IoT Security

©2001-2025 Financier Worldwide Ltd. All rights reserved.