Cyber Security: Four Evolving Threats

Cyber crime has been hitting the headlines over the past year for all the wrong reasons. Jason Witty, senior vice president (SVP) and chief information security officer at US Bancorp, described how a growing list of retailers have fallen victim to cyber attacks, while some 500m financial records have been stolen in 2014 to date. With the vast majority of the world economy now digital, information security is vital.

There are a variety of different cyber threats operating today. One is the insider threat, which can be either accidental or malicious. The impact of the insider threat can be minimised by good management and human resources, according to Witty. While incidents of this type do not happen very often, when they do they can be very impactful.

Another threat is organised crime. Witty commented that organised crime is a US$300bn a year industry. Around 80% of malware detections are trojans. Witty advised delegates to keep on top of the various software updates that vendors release, as more often than not these update security protocols to protect the software against a newly detected risk.

Hacktivists represent a third type of cyber threat. They are ideologically motivated, and Witty said that this group is actually responsible for more data breaches than cyber criminals today.

The final threat comes from nation states. Witty said that countries engaging in cyber sabotage are persistent and stealthy, and act in a way that weaponises software. He used the example of the Stuxnet attack, which targeted centrifuges in the Iranian nuclear programme and caused them to fail, an example of a cyber attack manifesting in the physical world. With such a variety of threats operating, software security has never been more critical.

Nine Basic Threats

Following Witty, Bryan Sartin, director of risk at Verizon Enterprise Solutions, presented the findings of his company’s decade-long investigation into data breaches. The research found that, while there may seem to be an endless list of cyber threats that organisations face, a huge 92% of the 100,000 incidents analysed could be described by just nine basic patterns. These are:

  • Point of sale (PoS) intrusions
  • Payment card skimmers
  • Web app attack
  • Insider misuse
  • Theft or loss
  • Crimeware
  • Denial of service
  • Cyber espionage
  • Miscellaneous error.

Echoing a point made by Witty, Sartin said that the motivation of the threat actors has evolved in recent years. While motivation used to be mostly financial, hacktivism has been a growing trend over the past two years. Even more recently, in the past 12 months, espionage has grown to be a serious motivation. Sartin said that this now represents 20% of all cyber threats, having rapidly grown from a low base. There is clear volatility in the threat landscape.

The pace of change has taken on a political aspect in the US. By issuing Executive Order 13636 in 2013, President Obama made it clear that he thought Congress was not legislating in a way that kept up with the pace of change. Entitled ‘Improving Critical Infrastructure Cybersecurity’, the Executive Order directed the government to develop a technology-neutral voluntary cyber security framework. This was duly published by the National Institute of Standards and Technology (NIST) in February this year, with the framework providing a common language for organisations to assess, communicate and measure improvements in cyber security.

Michael Steenberg, senior vice president and senior business line risk manager with US Bank, made the point that there is no magic bullet that corporates can use to protect themselves. Rather, organisations require deep layers of counter-fraud measures, including encryption, strong authentication, malware prevention and transaction-level dual control and dual authentication. Treasurers play a key role in organisational security, as a treasury management station (TMS) will require treasurers to set security limits, to know who the administrators of the system are and to put dual controls in place to ensure any transactional activity has at least second-signee approval.

Steenberg concluded with some key takeaways for the treasurers attending the session. He said that organisations should consider adopting the NIST framework, and that corporates should assume it is ‘when’ and not ‘if’ a cyber attack will affect their business. Bearing that in mind, Steenberg said that there should be a strong focus on anomaly detection. Finally, he suggested that treasurers should participate in information sharing, likening the fight against cyber crime to playing a team sport.

