Cybersecurity Fraud – How to Address the Risk in Today’s Marketplace
Author: Angela Morelock
Across all industries, cybersecurity continues to draw attention and resources. Technological advances have let businesses evolve and operate more efficiently than ever, but they also have created new risks and exposures that businesses must address. Reflecting its status as a matter of national concern, President Obama has proclaimed October as National Cyber Security Awareness Month.
The universe of cyberthreats is vast and evolving. Businesses must be ready to respond to a range of incidents: sophisticated data breaches and theft of proprietary information, data destruction and network disruption, and less technical but very costly email fraud schemes. Cybercriminals' targets are evolving too. Banks, long the primary target, have implemented sophisticated IT controls and trained their employees, making them a harder target and pushing attackers toward other organizations.
Data breaches remain the most expensive type of cybersecurity incident. Target, The Home Depot, eBay, JP Morgan and Experian have all made headlines for massive breaches. Beyond reputational damage, these companies face multiple class action lawsuits, and recovery and reimbursement costs are estimated in the tens of millions of dollars; Target alone has reported $252 million in breach-related expenses. It is not yet clear how the adoption of EMV (chip card) technology will affect recovery costs. EMV makes counterfeiting a physical card far harder, so the black market value of stolen magnetic-stripe data should erode as more retailers adopt it, but EMV does nothing for card-not-present (online and phone) transactions, where stolen card numbers remain usable.
Less technical but equally alarming threats come from business email compromise (BEC) schemes. Unlike most cyberthreats, BEC schemes do not require breaking through technical defenses; they rely on the human element, ingenuity and social engineering. Fraudsters masquerade as executives, vendors or business partners and target personnel in accounting and finance departments, trying to induce an employee to execute a wire transfer. FBI statistics show that from October 2013 to December 2014, businesses lost approximately $214 million to BEC attacks, and reported incidents continued to rise at an alarming rate throughout 2015. As of August 2015, the combined exposed dollar loss (the FBI's figure counts both actual and attempted losses) had reached $798 million.
This type of fraud can succeed even when the victim organization and its employees follow all standard internal controls and protocols, which makes it particularly difficult to prevent. Spam filters and antivirus software are not designed to catch a cleverly engineered impersonation that carries no malware and no malicious link. The human element is therefore vital. The most effective safeguards are employee training, secondary verification of every new or changed wire instruction (by telephone to a number already on file, or face-to-face, never by replying to the email or calling a number it supplies), and careful screening of sender email addresses for look-alike domains and mismatched reply-to addresses.
We have recently seen a number of small to midsize clients suffer BEC losses: someone impersonating the chief financial officer or another executive requests that a wire transfer be sent, or, in one case, someone impersonating a vendor requests that the payment instructions for wire payment of invoices be changed. Once those wires go out, the money is seldom recovered. Accounting departments of nonbank clients have become a new target, so training must now extend to accounting staff and the email threats aimed at them. In addition, every company should carry cybercrime insurance to help absorb these losses and support recovery; check that the policy expressly covers social engineering and funds transfer fraud, since many policies exclude transfers the victim voluntarily authorized unless that coverage is added by endorsement.
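The sender-screening and callback controls described above can be partly automated before a message ever reaches accounts payable. The following is an added example, not BKD's code and not from the original article: it parses a raw email, checks the From and Reply-To headers against a constructed company domain and executive directory (both assumptions, named `COMPANY_DOMAIN` and `EXECUTIVES`), flags look-alike sender domains and wire or payment-instruction language, and reports whether the message must be verified out of band. The sample messages are constructed for illustration.

```python
"""Header and body triage for business email compromise (BEC) lures.

Added example with constructed data. Assumes the organization's own domain
and a directory of executives (below); both are placeholders, not BKD's.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed: the company's real domain and the executives fraudsters imitate.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"dana cfo": "dana.cfo@example.com"}

# Language typical of wire requests and payment-instruction changes.
WIRE_RE = re.compile(
    r"\b(wire|bank details|payment instructions|routing number|account number)\b", re.I)
# Pressure words that accompany most BEC lures.
URGENCY_RE = re.compile(r"\b(urgent|immediately|today|confidential)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance; small values between domains mean a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw):
    """Return a list of human-readable indicators found in a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []

    # 1. An executive's display name on a mailbox that is not the executive's.
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr.lower() != exec_addr:
        findings.append("display-name spoof: executive name on %s" % addr)
    # 2. A sender domain within two edits of ours (examp1e.com, exarnple.com).
    if from_dom != COMPANY_DOMAIN and edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append("look-alike domain: %s" % from_dom)
    # 3. Replies silently routed to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append("reply-to diverts to %s" % reply)
    # 4. Wire or bank-detail language, with urgency as an aggravating sign.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if WIRE_RE.search(text):
        findings.append("payment/wire language in body")
        if URGENCY_RE.search(text):
            findings.append("urgency pressure in body")
    return findings


def needs_callback(findings):
    """Any payment-related request must be verified by phone to a number on file,
    even when the headers look clean (a compromised real vendor mailbox has
    perfect headers)."""
    return any(f.startswith("payment/wire") for f in findings)


# Constructed sample messages.
SAMPLE_CFO = b"""From: Dana CFO <dana.cfo@examp1e.com>
Reply-To: dana.cfo.private@mail.example.net
To: ap@example.com
Subject: Urgent wire
Content-Type: text/plain; charset=utf-8

Please process a wire today to the account below. Keep this confidential.
"""

SAMPLE_VENDOR = b"""From: Accounts <billing@acme-supplies.example>
To: ap@example.com
Subject: Updated bank details
Content-Type: text/plain; charset=utf-8

Our bank details have changed. Please use the new routing number for invoice 4471.
"""

SAMPLE_LEGIT = b"""From: Dana CFO <dana.cfo@example.com>
To: ap@example.com
Subject: Lunch
Content-Type: text/plain; charset=utf-8

Lunch meeting moved to Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("cfo", SAMPLE_CFO), ("vendor", SAMPLE_VENDOR), ("legit", SAMPLE_LEGIT)):
        found = bec_indicators(raw)
        print(label, found, "CALL TO VERIFY" if needs_callback(found) else "")
```

The vendor sample is the important case: its headers carry no spoofing indicator at all, yet it asks to change bank details, so `needs_callback` still insists on a telephone check against the number already on file. Header heuristics catch the crude lures; the callback is what stops the clean-looking ones.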
Regardless of the nature of the threat, the best cybercrime defense strategies include a combination of these elements:
- Training and awareness
- Risk and vulnerability assessment
- Strategic budgeting for cyberdefenses
- Continuous monitoring and detection systems
- Incident response plan
- Reporting and proper insurance coverage for cybersecurity incidents
For a complete listing of best practices for victim response and reporting of cyber incidents, refer to the publication by the U.S. Department of Justice’s Cybersecurity Unit, Best Practices for Victim Response and Reporting of Cyber Incidents.
As new data breaches and security incidents continue to make headlines, businesses must race to shore up their defenses. A digital world offers increased speed, productivity, efficiency and profitability, but it also demands constant diligence, monitoring and security systems. Inaction may prove costly.
Need a starting place? Check out the Federal Trade Commission’s online guidance or contact your BKD advisor.