‘Pernicious disease’ of cyber war escalates

While the average bank heist averages $6000, a cyber-thief can make off with millions. Last year 552 million identities were breached, while every call about a compromised credit card costs a bank $4.

Are we fighting a cyber war? The war analogy seems to aptly describe the relentless attacks aimed at breaching financial institutions’ security, but an IBM security expert on yesterday’s cyber war panel sees cyber attacks as being more like a pernicious disease, writes Dick Pirozzolo..

Kris Lovejoy, general manager of IBM’s security services division, explained that when individuals take security precautions, it markedly reduces breaches. This is much like the way hand-washing reduces the number of classes schoolchildren miss. She added: “We have to think of it as a biological system; how do we detect the difference between ebola virus and the common cold? How do we protect ourselves? Most folks we work with have, at some time, been personally compromised,” and, “90 per cent of the time the bad guy got in because he exploited an individual who double-clicked on the wrong thing.”

War or disease, the major threats fall largely into a few categories: criminal activity – particularly organised crime cartels in Eastern Europe looking to steal money – terrorist groups, or nation states bent on disrupting banking or making off with intellectual property such as algorithms, and young activists on a mission to disrupt commercial activity as form of protest. Any of these categories includes insiders working with outsiders.

With banks operating globally, attacks can come from nations seeking a way into international transactions. In all likelihood, North Korea monitors transactions between other nations and South Korea, while Russia pokes into transactions involving Ukraine.

Beyond banks, the risk extends to essential infrastructure such as telecommunication, utility companies and the power grid. Governments play a key role in providing intelligence that is critically needed by banks to defend themselves against cyber attacks.

While Citi’s Charles Blauner, global head of information security and chair of the Financial Services Sector Coordinating Council, sees the vast number of security breaches not as skirmishes but as a war, he does not believe victory is possible. “Winning the war is not possible, the victory is in how you respond and monitor that risk,” he said.

Few of the delegates attending the session believe cyber attacks are avoidable. When moderator Ben Rooney, co-editor in chief of Informal and a former Wall Street Journal financial reporter, asked the group to respond to a survey question: ‘how likely is it that your institution will be a victim of a cyber crime in the next year?’; 44 per cent voted ‘very likely’ and 26 per cent ‘likely’ for a total of 80 per cent of the audience feeling their institution could be attacked in the near future.

The sense of victimisation extends to customers as well and, while one cannot put a return on investment number to investment in cyber crime countermeasures, the harm a security breach does to a company brand is incalculable. Likewise, the impact on customer relations is impossible to measure. Of course, the breach of the customer list of a Swiss bank is in a category unto itself, but other breaches are no less worrisome.

The Home Depot and Target breaches in the US caused a level of stress on the consumer that extended far beyond the cost of having to reissue new credit cards. In The Home Depot case, company officials did not even know of the breach until they were alerted by law enforcement officers. If consumers become wary of purchases with these retailers, it can be a further blow to profits.

With banks moving customers to online banking, how much responsibility does the customer have when it comes to cyber security? At least 57 per cent of the audience polled felt some of the financial burden could be placed on the customer, though the panellists agreed that this is unlikely to occur.

While the consumer is protected, the same cannot be said for business customers, according to Lovejoy, who pointed out that there are some grey areas such as when a retail customer uses a company computer to make a transaction.

Banking is also moving increasingly to mobile devices, which may add an unprecedented level of security in the war against cyber atttacks. Blauner observed that banking using mobile devices eliminated the vulnerabilities associated with passwords. “I’m big on mobile banking,” he said. “Ten years ago when we talked about biometrics, we would have had to send a video camera to every customer. I have a phone; it has a lens for facial recognition, a mic for voice recognition and the iPhone can record a thumbprint. A breach is a lot harder with this device and it is hard for the criminal to scale. Bringing biometrics into the mass market is a huge game changer.”

But Lovejoy pointed out that when apps are developed, vulnerabilities could be built into the code. Security needs to be part of the development process.

She also pointed out that cyber attacks should be part of the disclosure public organisations undergo.

Winning the cyber war may not be nearly as important as how an organisation responds. Lovejoy pointed out that all public organisations must have disclosure committees under Section 409 of the Sarbanes-Oxley Act and security breaches should be evaluated by these committees.

James Kaplin, principal at McKinsey, added: “How you respond extends beyond technical remediation. How you communicate with customers, law enforcement, the media and the call centre, matter.”

While news reporters may be drawn to cover a security breach, Blauner emphasised that handled properly, the cyber attacks are news for one day, “handle it badly and they will be in the press for weeks”.