Board Directors Need to Ensure They Have a Flexible, Responsive Cyber Defense Strategy
Cyber crime and financial fraud are converging as fraud becomes a preferred method to monetize stolen data. As a result, cyber security as a profession is evolving rapidly, and becoming a necessity in government agencies and private sector organizations. That alignment of interests, coupled with a technology and technique arms race, is manifesting a never-ending struggle. Pitted against organized crime, nation-states, and other attackers are businesses, regulators, law enforcement and security professionals working to exploit or defend vulnerabilities respectively.
Based on our work in cyber defense and fraud prevention, BAE Systems has identified three major developments related to information security that in the coming months will have material impacts on both people and business.
First, a significant reduction of in-person credit card fraud in the U.S. is imminent due to the implementation of “Chip and Signature,” or the EMV (Europay, MasterCard, Visa) technical standard for point-of-sale vendor payment terminals. This drop will proceed as fast as retailers and vendors update their Point-of-Sale (POS) equipment - with previous breach victims leading the charge.
Next, the growth of the Internet of Things (IoT), the universe of Internet-enabled physical objects, such as devices, vehicles, and buildings, will greatly compound cyber risk exposure for both consumers and companies. Vulnerabilities in toys, cars, printers, and other inter-connected devices have already been demonstrated. Just as the wide scale adoption of mobile devices led to “location based services” criminal appetites for personal data will result in the targeting of “digital shadows,” or electronic data outlining the routines and patterns of everyday life.
Lastly, cyber defense will complete its evolution from an information technology (IT) issue to a company-wide matter, touching on supply chains, contractors, and third parties that represent weak links or access points for attacks. Because of the potential for outsized impact of such attacks, cyber protection will be permanently entrenched as a boardroom agenda item, leading to robust security measures to arm businesses and customers against known and unknown threats.
However, before exploring these three major developments in detail, it is worth pointing out that there is strong reason to be optimistic as far as cyber defense is concerned. In fact, for the first time, concerted, meaningful efforts and improved cooperation is promising to make life more difficult for cyber criminals.
The long-awaited arrival of Chip cards/EMV in the U.S. will eliminate ‘easy’ credit card scams but will inspire alternative credit card fraud
Lagging behind much of Europe and Asia, the U.S. has been slow to adopt EMV. Comparative analysis would suggest that gap has made America a hotbed for credit card fraud. In 2013, total credit card fraud in Europe equaled $1,463, compared to $4,563 million in the U.S.
With EMV due to quickly establish itself as the norm in the U.S., in-person fraud (involving duplicate cards with cloned data from legitimate cards) will become easier to detect and prevent as older magnetic stripe only devices phase out.
That said, stolen credit card data will continue to be exploited. In the U.K., counterfeit card fraud fell from 26 percent of total card fraud losses to 10 percent between 2004 and 2014—but remote purchase fraud (also known as Card Not Present—or CNP—fraud) went from 30 percent to 69 percent of total card fraud in the same period.
Businesses taking payments when a card is not present—for example, over the Internet or by telephone, will need to look to bolster their cyber defenses in the form of adopting two- or three-factor authentication from purchasers, and by looking for patterns of known fraud techniques—as well as using data analytics to detect potentially suspicious buyer behavior.
A cyber attack on a widely used IoT network is likely to result in mass “pattern data” theft or the creation of an IoT botnet
The IoT is, generally speaking, a huge benefit to consumers and businesses. However, as IoT devices increase in scale and reach, so too do their value to cyber criminals. IoT vendors, especially those selling to consumers, operate large, powerful networks of smart devices which are often in homes. They manage large amounts of personal data that can show the everyday routines and behaviors as well as identities.
Recently, the IoT has been subject to a number of large-scale data breaches. In the case of a cyberattack on VTech, a device-maker for children, the birthdates of 6.5 million children and 4.9 million adults, as well as their photographs and messages, were stolen.
But expect IoT attacks to steal more than personal identification data. A successful IoT attack could manifest itself in two ways—the takeover of consumer or commercial devices to harness their connectivity and processing power, or theft of large volumes of critical data.
The latter represents a new problem: volumes of customer data—not just traditional customer information, but also device data—demonstrating the patterns of peoples’ lives. This new class of “Pattern Data” could reach a black market for those with the means to exploit it.
This might include burglars who want to identify high-net-worth households or understand the routines of target properties. By looking at the correlation of large volumes of IoT data, they can understand and profile the people and properties they target. But it’s not just high-net-worth individuals that could be affected. One lesson we’ve learned is that once a means of capturing data is created it expands rapidly and the data itself becomes a commodity.
Securing and protecting the large volumes of data created by the IoT, both at the point of collection, and at places where the data is at rest or being processed, is vital. For IoT providers, a strong business defense covers not only the data, but the devices and networks they use to collect, deploy and move that data. Hardened IoT devices and security by design will become a higher priority for brands in 2016—as will the enforcement of strong security practices at contract manufacturers and third party suppliers and providers.
Cyber risk—and attempts to mitigate it affordably—will continue to evolve from an IT problem into a key risk issue for company leaders
Cyber defense will continue to make the transition from IT problem to boardroom matter. Leading companies have already recognized this and we’ve passed the inflection point towards universal acceptance. In the modern world, use of cyber space is a critical business enabler, yet it carries inherent risk. One of the main functions of company boards has always been to balance risk versus reward, the potential for loss against the ability to generate revenue and profit. In that respect, cyber threats are just a new factor to be taken into account.
Yet, for much of the corporate world, cyber risk is new territory in a political balancing act. The rapid pace of development both in the business strategy and evolution of cyber threats is making the cost of risk mitigation prohibitive and unpredictable. Unlike other more traditional business risks, cyber risk has a long tail – being 99% secure does not stop a costly breach – and defense in depth can be costly. Companies that are able to affordably balance risk against profitability in this new environment will move ahead of their competitors.
Board directors need to ensure they have a flexible, responsive cyber defense strategy in place that successfully provides the best possible protection for their business strategy. This includes making use of industry expertise to ensure the company strikes the right balance between managing risk and pursuing profit.
Related: Learn More a the 2016 CISO Forum