Cybercrime - Stealing in the Connected Age

©2016 – Treasury Alliance Group LLC – All Rights Reserved
Cybercrime – Stealing in the
Connected Age
Treasury Alliance Group LLC
www.treasuryalliance.com
January 28, 2016

Cybercrime – A Growing Threat
Source: Ponemon Institute, HP
2015 Cost of Cybercrime Study
Year over year net change in cybercrime

CYBERCRIME

Malware
•  21 million new malware samples in 3rd quarter of
2015
–  “Ransomware” is a growing problem
–  75% are Trojans
•  33% of all PCs around the globe are now infected
–  China 45%
–  Turkey 43%
–  Peru 41%
–  Russia 38%
–  Taiwan 38%
•  US is still the top hosting country of phishing-based
Trojans and keyloggers – largely due to the number
of websites and domains hosted in the US
Source: Anti-Phishing Work Group

Ransomware

Vector of Malware Installation
The Rule of 20
Source: U.S. Secret Service

Phishing
The creation and use of e-
mails and websites designed
to look like e-mails and
websites of well-known
legitimate businesses to
deceive Internet users into
disclosing their bank and
financial account information
or other personal data such as
usernames and passwords

Phishing Illustrated

Key Tells

Phishing Attacks by Industry
Source: Anti-Phishing Work Group

Pharming
Phishing’s evil twin – If you
won’t answer our email,
we’ll get you to come to
us!

Pharming Illustrated
92.100.01.01
98.155.01.01
98.155.01.01
www.nicebank.com

BYOD – A Growing Issue
Source: Tech Pro Research

An Increasingly Mobile Universe
•  Potential rise of infested mobile apps. Don’t rely on mobile vendors’ app
vetting processes. Do your corporate diligence. Installing an app on your
phone may expose access to ALL of your phone data and ongoing activities,
including contact books, email, login information, browsing history, GPS
location history, security codes that you enter for conference calls, etc.
•  Onset of bring-your-own-device cultures. The mobile revolution has partly
benefited corporate mobile costs by inviting privately chosen devices into
corporate networks. However, this poses security risks stemming not only
from the nature of mobile, but also from the scope of devices on the
network. Hardware and software have known and lurking vulnerabilities.
More variety creates more exposure.
•  Mobile vulnerabilities are multi-dimensional. Phones with data access to the
corporate network can expose data, network authentication information,
network application access, remote sessions, browsing data, and even DNS
information. These exploits can be escalated to the land-based network.

Smishing and Vishing
•  The rise of mobile creates new channels for the same
old tricks.
•  Sending you a fake SMS alert (Smishing) or voice mail
(Vishing) to create panic, so that you reveal useful
security information.
•  Objective is to confirm authenticity of your mobile
information (i.e.. the target phone is actually yours) and
to encourage a subversive action by you.
•  Example: “Your account has been compromised.
Immediately call 1-800-IAM-FAKE to help us investigate
this security breach. Alternatively, immediately log in
with your normal bank account user name and password
at www.authenticbank.fakesecurity.com.”

•  Corporate version of ID Theft
•  Mimics internal fraud
•  Funds are often gone before you are aware
there is a problem
•  “Mules”, who often think they are doing
legitimate business, are used to move the
money out of the country
•  Originally aimed at large companies but now
cybercrooks are targeting smaller businesses,
municipalities and non-profits
Corporate Account Takeover

COST OF CYBERCRIME

What are Cybercriminals After?
•  Usernames and passwords, obviously, but there’s
MUCH more
•  Information about the hardware and software you
are running:
•  Trade secrets and trade data – corporate espionage
•  Personally Identifiable Information
–  Social Security Number
–  Drivers License Number
–  Card Numbers
–  Bank Account Numbers
–  Etc. etc.

Data Breaches
953
1241
3220
2345
3014
0
500
1,000
1,500
2,000
2,500
3,000
3,500
2010 2011 2012 2013 2014
0
200
400
600
800
1,000
1,200
Incidents
RecordsExposed
Millions
Incidents
Records

True Cost
•  Remediation
•  Legal costs
•  Regulatory costs and fines
•  Loss of customers
•  Reputation

Total Cost
Source: Ponemon Institute, HP
2015 Cost of Cybercrime Study
Cost expressed in US dollars (000,000), n = 252 separate companies

BEST PRACTICES

Best Practices
•  Educate your staff
•  Use pop-up blockers and anti-virus software and maintain
them!
•  Never respond to emails or pop-ups asking for personal
(corporate) info
•  Be suspicious of unknown or unexpected emails
•  Never open email attachments unless you already know
what’s in them
•  Lock unattended workstations
•  Use limited purpose workstations for financial transactions
•  Cyber risk policy and action plan
•  Insurance
•  Report suspicious activity

Better to do it now …
before you have a problem!
Improve Your Authentication
•  Don’t use the same password for different login
levels.
•  Change your passwords regularly.
•  Use complex passwords, even if not enforced.
•  Consider using encrypted password “vaults” or
managers to store and machine-enter authentication
strings.
•  Be aware of symptoms of key-logging.

Password Vaults
•  Store passwords
•  Create strong passwords
•  Device agnostic / cross-platform capabilities
•  Single password for access

•  Incident Response Plan
–  Specify the response team
–  Notification channels
–  Escalation Procedures
–  Identify regulatory requirements
–  Don’t forget PR
–  Test at least annually
•  Data Privacy Policy
–  Identify access to all PII and related information
–  Specify security policies and procedures
–  Review vendor agreements and processes
–  Board level approval
Cyber Risk Management Plan

CYBER LIABILITY
28

Cyber Insurance
•  First Party
–  Notification
–  Credit Monitoring
–  Business Interruption
–  Extortion
–  Crises Management/PR
•  Third Party
–  Invasion of Privacy Rights
–  Media Intellectual Property
–  Failure to implement, maintain or enforce reasonable security
policies
–  Unfair, Deceptive and unlawful business practices
–  Regulatory Actions
Source: Oswald Insurance

•  First Party Coverages (Losses/expenses incurred by insured)
•  Event Management Expense: Coverage for notification costs,
credit monitoring/restoration services, legal assistance, forensic
investigation costs, and costs to hire PR firm to minimize harm
•  Cyber Extortion: Costs incurred to investigate and terminate an
extortion threat to commit an intentional computer attack against
the insured
•  Information Asset: Covers replacement costs as a result of
damage to or theft of insured’s information assets due to a
covered computer attack (Data Restoration)
•  Business Interruption: Coverage for loss (costs and lost income) in
the wake of a computer attack that interrupts or suspends your
business
First Party Privacy Insurance Coverage

•  Third Party Liability (Economic damages suffered by others)
•  Network Security Liability: Coverage for damages and defense costs
resulting from breaches in network security; i.e. computer virus,
unauthorized access, denial-of service, identity theft
•  Privacy Liability: Coverage for failure to protect or wrongful disclosure of
PI or PHI, whether or not due to failure of network security
•  Privacy Regulatory Proceeding Coverage: Covers costs resulting from
civil, administrative or regulatory proceedings alleging violation of
privacy laws
•  Electronic (Website) Media Liability Coverage: Coverage for content-
based injuries such as libel, slander, defamation, copyright
Third Party Privacy Insurance Coverage

OOPS
32

When It Happens
And it will happen!
•  Notify - Notify your bank immediately and
consider suspending funds transfer capabilities
until you know the scope of the problem.
•  Report - Contact appropriate law enforcement
and file a report.
•  Record - Make a written record of what
happened, what was lost, and the steps you
took to report the incident and attempt to
recover the funds involved.

CONCLUSIONS

Conclusions
•  Cybercrime is a growing problem around the world
•  Convenience of easy access complicates the
problem
•  The total cost can be immense
•  There are things that you should be doing to protect
yourself
–  Policies and procedures
–  Training
–  Action plans
–  Insurance
–  Board involvement
•  Cybercrime is not just an IT issue, it should be part
of your overall enterprise risk planning

Daniel L. Blumen, CTP, Partner
Phone (630) 717-9728
dlblumen@treasuryalliance.com
Mark K. Webster, CCM, CPA, Partner
Phone (216) 932-1678
mark.webster@treasuryalliance.com
Treasury Alliance Group LLC
www.treasuryalliance.com
Contact Information
Page 37

Cybercrime - Stealing in the Connected Age

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a Cybercrime - Stealing in the Connected Age

Similar a Cybercrime - Stealing in the Connected Age (20)

Último

Último (20)

Cybercrime - Stealing in the Connected Age