Banks and card companies prevented £1,458.6 million in unauthorised financial fraud last year, equivalent to £2 in every £3 of attempted unauthorised fraud being stopped, the latest data from UK Finance shows.

In 2017, fraud losses on payment cards fell 8% year-on-year to £566.0 million. At the same time, card spending increased by 7%, meaning card fraud as a proportion of spending equates to 7.0p for every £100 spent – the lowest level since 2012. In 2016 the figure stood at 8.3p.

For the first time, annual data on losses due to authorised push payment scams (also known as APP or authorised bank transfer scams) has also been collated. A total of £236.0 million was lost through such scams in 2017.

The unauthorised fraud data on payment cards, remote banking and cheques for 2017 shows:

The new authorised push payment scams data, collected for the first time in 2017, shows:

Katy Worobec, Managing Director of Economic Crime at UK Finance, said: “Fraud is an issue that affects the whole of society, and one which everyone must come together to tackle. The finance industry is committed to playing its part – investing in advanced security systems to protect customers, introducing new standards on how banks respond to scam victims, and working with the Joint Fraud Taskforce to deter and disrupt criminals and better trace, freeze and return stolen funds.

“We are also supporting the Payment Systems Regulator on its complex work on authorised push payment scams, providing the secretariat for its new steering group. It’s a challenging timetable, but it is important that we get it right to stop financial crime and for the benefit of customers.”

The finance industry is responding to the ongoing threat of all types of fraud and scams by:

To help everyone stay safe from fraud and scams, Take Five to Stop Fraud urges customers to follow the campaign advice:

Tony Blake, Senior Fraud Prevention Officer at the Dedicated Card and Payment Crime Unit, said: “With criminals using social engineering to target people and businesses directly, it’s vital that everyone follows the advice of the Take Five campaign. Always stop and think if you are ever asked for your personal or financial details. Remember, no bank or genuine organisation will ever contact you out of the blue and ask you to transfer money to another account.”

Unauthorised fraud

In an unauthorised fraudulent transaction, the account holder does not authorise the payment; it is carried out by a third party without their consent.

Authorised fraud

In an authorised push payment (APP) scam, the account holder themselves authorises the payment to be made to another account. If a customer authorises the payment themselves, current legislation means that they have no legal protection to cover them for losses – which is different for an unauthorised transaction.

Banks will always endeavour to help customers recover money stolen through an authorised push payment scam but customers typically only approach their bank after the payment has been processed, once they realise they have been duped. By this time the criminal has often withdrawn the stolen funds and the customer’s money has gone. Alongside the extensive work already underway through the Joint Fraud Taskforce, UK Finance is also currently working with the Payment Systems Regulator on its proposals to tackle these scams.

Behind the data

Fraud intelligence points to criminals' use of social engineering as a key driver of both unauthorised and authorised fraud losses. Social engineering is the manipulation of people into divulging personal or financial details, or into transferring money directly to the criminal, for example through impersonation scams and deception.

In an impersonation scam, a fraudster contacts a customer by phone, text message or email pretending to represent a trusted organisation, such as a bank, the police, a utility company or a government department. Under this guise, the criminal convinces the victim to follow their instructions, sometimes making several separate approaches as part of one scam.

Data breaches also continue to be a major contributor to fraud losses. Criminals use stolen data to commit fraud directly, for example card details are used to make unauthorised purchases online or personal details used to apply for credit cards. Stolen personal and financial information is also used by criminals to target individuals in impersonation and deception scams, and can add apparent authenticity to their approach.

(Source: UK Finance)

As a society, we probably cherish our right to privacy more than anything else. Sharing is great, and we all enjoy it, but there is always the other side: the untold story, the personal, the secret. Now extrapolate this to a societal level: how much information is out there, deliberately concealed for the sake of the greater good, or for the sake of our own safety? The amount is probably unfathomable. Today, when everything is online and our lives are intertwined with a world most of us know nothing about, privacy and safety become an issue of epic proportions.

That is why we need to talk about cybercrime and make use of the very best VPNs. Instead of a tract of tedious length, here is an infographic outlining the most important cybercrime facts all of us should be aware of in 2018.

(Source: BestVPNs)

Now a booming trading market, cryptocurrencies do however create an avenue of risk. Below Schalk Nolte, CEO at Entersekt, discusses said risk and the overall safety of trading Bitcoin and the likes.

It’s official: Bitcoin is now the golden child of the investment community. Following news headlines about becoming instant millionaires, starry-eyed cryptocurrency enthusiasts are flocking to online exchanges to get in on the action. Sign up, transfer funds and trade – the faster, the better. To keep the eager traders’ money and data safe, these exchanges all need to have transaction security in place. And most of them do – except that their security appears to be stuck in the early 2000s.

Nine years ago, Bitcoin didn't exist. Today, between three and six million people are estimated to have a bitcoin wallet, with over $3 billion worth of the currency traded every 24 hours. Nine years ago, the one-time password (OTP), delivered by SMS or as a mobile transaction authentication number (mTAN), represented the apex of transaction security. Today, other technologies have left SMS OTPs in the dust in terms of both user experience and security, and for good reason.

OTPs are typically reliant on mobile network operators for delivery, and they require additional effort from the user without rendering transactions fraud-proof as a reward. They are vulnerable to man-in-the-middle (MITM) attacks for the simple reason that an OTP is never truly out of band, whether it’s delivered via SMS or another route. Because it’s entered into a potentially compromised primary channel, it will always be susceptible to MITM attacks, while the involvement of mobile networks also introduces the possibility of attacks such as SIM swapping and number porting.

In fact, in August 2017, Sean Everett, CEO of artificial intelligence startup PROME, lost a significant cryptocurrency investment with the platform Coinbase as a result of a simple number porting attack made possible by SMS OTP. Soups Ranjan, Coinbase’s head of data science, commented: “I firmly believe we have the hardest payment fraud and user security problem in the world right now.” So how is it possible that the OTP is still the security measure of choice at the majority of cryptocurrency exchanges – and, more importantly, what are the alternatives?

In order to protect its trader members and allow them to match the pace at which cryptocurrency fluctuates, a cryptocurrency exchange needs to do three things:

Minimize risk: This is done by implementing a solution that offers solid app security and strong customer authentication for all transactions.

Make things easy: A convenient and user-friendly trading platform will attract and retain customers. To put it another way, play to a real-world trading scenario: if you were a trader, would you want to open an app, copy an OTP, switch apps, and then paste it? Or would you prefer to simply open an app and scan your fingerprint? The choice isn’t difficult – especially considering that the easier option is also the safer one.

Achieve regulatory compliance: It’s cheap and easy for a trading platform to recommend or require that their traders install a third-party app like Google Authenticator, but this will mess with regulatory compliance – such as with PSD2’s Regulatory Technical Standards on Strong Customer Authentication. Third-party apps often only authenticate logins, not transactions, and as such are not compliant with these requirements. OTPs, needless to say, do not comply either.

If they want to offer winning and secure trading options for cryptocurrency aficionados, it makes no sense for these exchanges to insist on using obsolete, not to mention risky, technology. Instead, exchanges should be employing a more robust and convenient out-of-band authentication solution that does not rely on mobile networks. They should look for a solution that offers PKI-based authentication and transaction signing directly from the mobile phone, which will eliminate fraudulent transactions and build trust in cryptocurrency trading practices – all while providing a user-friendly experience.

On the flip side, cryptocurrency traders should be demanding better security from the platforms they use. It is the only way for them to keep their investments safe and avoid becoming the next cybercrime news headline. After all, if cryptocurrency is at the cutting edge of innovation, shouldn’t the same apply to the protection of its trade?
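As an added illustration of the point made above, that an OTP is never bound to the transaction it supposedly approves, the Go program below plays the same attack against both schemes: the user reviews a transfer, malware in the browser (the compromised primary channel) swaps the payee, and the exchange is asked to authorise the result. This is example code written for this page, not Entersekt's or any exchange's; the `Transfer` type, the `from=...&to=...&amount=...` canonical form, the `OTPServer` and `SigningServer` types, and the account names are all assumptions made for the example. Ed25519 stands in for the "PKI-based transaction signing on the phone" the article recommends.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"math/big"
)

// Transfer is the payment the user believes they are approving.
type Transfer struct {
	From   string
	To     string
	Amount int64 // minor units
}

// canonical is the exact byte string that is signed and verified; the phone
// and the exchange must build it identically (format assumed for the example).
func canonical(t Transfer) []byte {
	return []byte(fmt.Sprintf("from=%s&to=%s&amount=%d", t.From, t.To, t.Amount))
}

// OTPServer binds a one-time code to a session, not to a transaction.
type OTPServer struct{ pending map[string]string }

func NewOTPServer() *OTPServer { return &OTPServer{pending: map[string]string{}} }

// Issue generates the six-digit code that would be texted to the user.
func (s *OTPServer) Issue(session string) string {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		panic(err)
	}
	code := fmt.Sprintf("%06d", n.Int64())
	s.pending[session] = code
	return code
}

// Authorise accepts whatever transfer arrives on the session as long as the
// code matches: nothing ties the code to From, To or Amount.
func (s *OTPServer) Authorise(session string, _ Transfer, code string) bool {
	ok := code != "" && s.pending[session] == code
	delete(s.pending, session) // single use
	return ok
}

// SigningServer holds the public key enrolled for each user's device.
type SigningServer struct{ devices map[string]ed25519.PublicKey }

func NewSigningServer() *SigningServer {
	return &SigningServer{devices: map[string]ed25519.PublicKey{}}
}

func (s *SigningServer) Enrol(user string, pub ed25519.PublicKey) { s.devices[user] = pub }

// Authorise succeeds only if the signature covers exactly this transfer.
func (s *SigningServer) Authorise(user string, t Transfer, sig []byte) bool {
	pub, ok := s.devices[user]
	return ok && ed25519.Verify(pub, canonical(t), sig)
}

// PhoneSign models the enrolled device: it shows the transfer to the user and
// signs exactly what was shown, on a channel the browser never touches.
func PhoneSign(priv ed25519.PrivateKey, shown Transfer) []byte {
	return ed25519.Sign(priv, canonical(shown))
}

// Demo runs one attack against both schemes: the user reviews `intended`, but
// browser malware swaps the payee before the request reaches the exchange.
// It reports whether each scheme accepts the tampered transfer, and whether
// the signing scheme still accepts the honest one.
func Demo() (otpAcceptsTampered, sigAcceptsTampered, sigAcceptsHonest bool) {
	intended := Transfer{From: "alice", To: "alice-cold-wallet", Amount: 150_000}
	tampered := intended
	tampered.To = "attacker-wallet"

	otp := NewOTPServer()
	code := otp.Issue("sess-1")                                  // arrives by SMS
	otpAcceptsTampered = otp.Authorise("sess-1", tampered, code) // user typed the genuine code

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srv := NewSigningServer()
	srv.Enrol("alice", pub)
	sig := PhoneSign(priv, intended) // signed over what the user actually saw
	sigAcceptsTampered = srv.Authorise("alice", tampered, sig)
	sigAcceptsHonest = srv.Authorise("alice", intended, sig)
	return
}

func main() {
	a, b, c := Demo()
	fmt.Printf("OTP accepts tampered: %v\nsignature accepts tampered: %v\nsignature accepts honest: %v\n", a, b, c)
}
```

The OTP scheme is single-use and session-bound, yet it still approves the tampered transfer, because the code proves only that the person holding the phone saw a code, not what they agreed to. The signed scheme fails the moment any field differs from what was displayed on the device, which is the property the article is asking exchanges to adopt.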

Below, Thanassis Diogos, Managing Consultant, SpiderLabs at Trustwave, discusses with Finance Monthly the intricate planning and plotting behind the recent Eastern European cyber attacks on banks, which combined physical and cyber methods of theft. Trustwave believes this attack has the potential to spread to the UK and around the world.

Earlier this year Trustwave was called in to investigate several security breaches which had affected banks in post-Soviet countries. These attacks appeared to be a hybrid of physical and cyber techniques, with people used as mules to open new bank accounts and cyber specialists using their skills to hack into the banks' systems. Banks which had been compromised suffered significant monetary losses, somewhere between USD$3 million and USD$10 million. Trustwave's investigation also discovered that the attacks shared common features. These identifiers included large financial losses originating from apparently legitimate customer accounts, and all thefts taking place at ATM locations outside of the originating bank's country, where the money was withdrawn using a legitimate debit card.

In some cases, the banks were not aware they were being breached until the attack was complete. However, there were cases where the malicious activity was picked up by third-party processors, who are responsible for processing credit and debit card transactions. Despite the large sums being stolen, the thefts were hard to detect thanks to the use of debit cards acquired legitimately through the standard in-branch application process.

A closer look

Upon investigation of the third-party processors and the affected banks, we found a unique modus operandi behind the breaches. The criminal gang had used innovative attack tactics, techniques and procedures to successfully complete the attack campaign. The attack itself comprised two physical stages which topped and tailed the attack: the mules opened bank accounts in the initial phase and withdrew the funds in the final ATM cashing-out phase. The cyber attack comprised four stages: obtaining unauthorised access to the bank's network, compromising the third-party processor's network, obtaining privileged access to the card management system and finally activating the overdraft facility on specific accounts.

Method in the madness

The criminals hired a number of mules and provided them with false credentials so that they could open new accounts in branch. On opening the accounts, the mules requested debit cards with the account, and the cards were then passed out of the originating country to a group of international conspirators. It is not unusual to request a debit card with a new account, as the balance of the account is what normally limits how much money is available.

Whilst these numerous bank accounts were being opened in branch, the cyber part of the attack was already under way. Members of the criminal gang hacked into the victim banks' internal systems and manipulated the debit cards' features to allow very high overdraft limits or no overdraft limit at all, and also removed any anti-fraud controls in place on specific accounts. Almost simultaneously the operation continued in the countries where the debit cards had been sent. The cards were used to make large withdrawals from a number of ATMs which had been carefully selected because they had high or no withdrawal limits. Locations were also chosen to be remote and to have either no or obscured security cameras. During the following few hours the operation concluded with a sum between USD$3 million and USD$10 million being withdrawn from each bank.

Recommendations to banks

There are measures which banks can take to help mitigate these kinds of attacks. A proactive program such as managed detection and response (MDR), also known as threat hunting, is recommended. Implementing a threat hunting program will allow banks to detect threats early on and mitigate them before they have the opportunity to do any real damage. Banks should also prepare incident response plans and have them well documented and tested so they are fully prepared to act swiftly if such incidents occur.

Unfortunately, the success of these attacks could be attributed to the lack of coupling between the core banking system and the third-party card management system. Had these two systems been integrated correctly, the changes to the debit cards' overdraft limits would have been red-flagged much earlier on. A second example of non-technical control failure is that several accounts on the card management system were able to both raise a request for a change and approve the change. This is a violation of a commonly used control in banks and banking applications called Maker-Checker. Banks are therefore advised to undertake frequent cyber security risk assessments to detect and mitigate this type of control weakness.

Currently the attacks have been localised to Eastern Europe and Russia; however, we believe that they represent a clear and imminent threat to financial institutions in Europe, North America, Asia and Australia over the forthcoming months. During the course of the investigation it was discovered that bank losses currently stand at around USD$40 million. However, this does not account for undiscovered or un-investigated attacks, or for investigations undertaken by internal groups or third parties; the total losses could already run into hundreds of millions of USD. We would advise all global financial institutions to consider this threat seriously and take necessary precautions.
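As an added example, not Trustwave's code or that of any bank, the Go program below models the two control failures just described: a card management system that enforces Maker-Checker on overdraft-limit changes, so the same user cannot both raise and approve a change, and a reconciliation check that compares the limits the card system is enforcing against those on record in core banking, which is the coupling the text says was missing. Account identifiers, user names and limit values are constructed for the example, and `NoLimit` is an assumed sentinel for "no overdraft limit at all".

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// NoLimit marks an account whose overdraft has no ceiling at all (assumed sentinel).
const NoLimit int64 = -1

// ChangeRequest is a pending overdraft-limit change in the hypothetical
// card management system modelled here.
type ChangeRequest struct {
	ID       int
	Account  string
	NewLimit int64 // minor units, or NoLimit
	Maker    string
	Checker  string
	Approved bool
}

// CardSystem only applies limit changes through a raise-then-approve flow.
type CardSystem struct {
	Limits   map[string]int64
	Requests map[int]*ChangeRequest
	nextID   int
}

var (
	ErrSelfApproval   = errors.New("maker-checker violation: maker cannot approve own request")
	ErrUnknownRequest = errors.New("unknown request")
	ErrAlreadyDone    = errors.New("request already approved")
)

func NewCardSystem(limits map[string]int64) *CardSystem {
	c := &CardSystem{Limits: map[string]int64{}, Requests: map[int]*ChangeRequest{}}
	for acct, lim := range limits {
		c.Limits[acct] = lim
	}
	return c
}

// Raise records the maker's request but changes nothing yet.
func (c *CardSystem) Raise(maker, account string, newLimit int64) int {
	c.nextID++
	c.Requests[c.nextID] = &ChangeRequest{ID: c.nextID, Account: account, NewLimit: newLimit, Maker: maker}
	return c.nextID
}

// Approve applies the change only when the checker is not the maker; the
// attack described above succeeded because this check was missing.
func (c *CardSystem) Approve(checker string, id int) error {
	r, ok := c.Requests[id]
	switch {
	case !ok:
		return ErrUnknownRequest
	case r.Approved:
		return ErrAlreadyDone
	case r.Maker == checker:
		return ErrSelfApproval
	}
	r.Checker, r.Approved = checker, true
	c.Limits[r.Account] = r.NewLimit
	return nil
}

// exceeds reports whether the card system is more permissive than core banking.
func exceeds(card, core int64) bool {
	if core == NoLimit {
		return false
	}
	return card == NoLimit || card > core
}

// Reconcile compares the limits the card system enforces with the limits core
// banking has on record and returns every account where the card system is
// more permissive, or that core banking does not know about at all.
func Reconcile(core, cards map[string]int64) []string {
	var flagged []string
	for acct, cardLimit := range cards {
		coreLimit, known := core[acct]
		if !known || exceeds(cardLimit, coreLimit) {
			flagged = append(flagged, acct)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	// Constructed sample data: core banking has modest limits on record.
	core := map[string]int64{"ACC-1001": 50_000, "ACC-1002": 50_000, "ACC-1003": 0}
	cards := NewCardSystem(core)

	id := cards.Raise("op7", "ACC-1002", NoLimit)
	fmt.Println("self-approval:", cards.Approve("op7", id))
	fmt.Println("two-person approval:", cards.Approve("supervisor", id))

	// A change made directly in the card system, bypassing the workflow and
	// never propagated to core banking, shows up as soon as the two are reconciled.
	cards.Limits["ACC-1001"] = 20_000_000
	fmt.Println("flagged:", Reconcile(core, cards.Limits))
}
```

Run periodically (or on every card-system write), the reconciliation would have surfaced the manipulated overdraft limits hours before the ATM cash-out, and the Maker-Checker rule removes the single-account path the attackers used to approve their own changes.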

The holidays are upon us, and that means consumers are limbering up their mouse-clicking fingers in preparation to go shopping online. Online shopping is now mainstream and consumers are expected to spend more than £600 billion online this year, up 14% from a year ago. More than three-quarters of mid-sized to large retailers now sell goods and services over the web.

In the wake of the many recent and prominent cyberattacks, it’s reasonable to be concerned about how safe your online shopping experience really is. To check, we analysed a dozen of the UK's largest online retail sites to evaluate their policies and procedures regarding privacy, security and information sharing. The good news: all have good security practices when conducting transactions. The not-so-good news: password policies, information sharing and general disclosure practices are all over the map.

Here are some things to look for, based upon our research.

Secure browsing

HTTPS is HTTP carried over TLS: it encrypts the traffic between your device and the server and lets your browser check that it is talking to the genuine site rather than an impostor. Some organisations, including Google and the Electronic Frontier Foundation, have been pushing website owners to adopt HTTPS for all communications. In light of that, it's surprising how many of the sites we visited don't use it for casual browsing. To be clear, all employ HTTPS for checkout, but several don't make the switch until the customer logs into an account or heads for the checkout aisle.

The reasons usually given are the cost of serving every page over TLS and the work of fixing embedded content that breaks when the page is loaded securely; lack of browser support is not one of them, since every current browser supports HTTPS. The benefits of secure browsing are compelling enough that it's worth checking when you visit a site, and it's easy to do: look at the address bar. A padlock icon, or an address beginning "https://", means the connection is encrypted; "http://" means it is not, and anyone able to tap into your connection can see the pages you are viewing and the information you are sending. Pay particular attention if you are accessing a shopping site over a public Wi-Fi network, where that kind of interception is easiest.

Privacy policy

Online retailers are required by law to post privacy policies. However, that doesn't mean all policies are the same. That's likely to change next May, when the General Data Protection Regulation (GDPR) comes into force. GDPR sets the rules for how organisations that handle the personal data of people in the EU must store and protect it, wherever the organisation itself is based. It should create a more level playing field, but in the meantime there are variations in the details about the use of your personal data to look out for.

A good privacy policy should be easy to find, easy to navigate and written in clear language. We found considerable variations between retailers in this area. Some bury sections of their policies in dense, nested menus or use legalese like Asda’s "By letting us have any sensitive personal data, you expressly consent to us using and telling others about any of your sensitive personal data so we can provide you with the goods or services requested by you in the way set out in this Privacy Policy.” Huh?

Others take time and care to craft a policy that is visually attractive and easy to navigate. Particularly notable is John Lewis, whose security policy amounts to a mini tutorial on good password practices. It even has advice on malware and phishing protection. Tesco also has an outstanding privacy center, with advice on how to protect against social media scams and even keep your gadgets safe.

Information sharing

Most e-tailers pledge not to use your contact information for anything unrelated to a transaction or a related service. However, some will contact you for market research studies or to get your feedback on their services or the website. Look, in particular, for language like "carefully selected third parties may use the information we collect to inform you about offers, products and services.” This means your contact information is being shared with companies or list services other than the one you’re doing business with, most likely for marketing purposes. Most retailers will let you opt out of such communications, but the responsibility to do so is yours.

A variation on this practice is to share information within a family of companies. For example, Marks and Spencer plc also runs its own bank and energy businesses and shares customer information between them. Retailers must disclose these practices in their privacy statements. If you’re uncomfortable with having a company that sells you clothes also pitch you on mortgages, opt out of the deal.

Speaking of opt out, practices also differ on email contact. Most retailers opt you into their email marketing programs and leave it up to you to withdraw. In some cases, you can opt out at the point of payment or registration, but others require you to go into your personal profile and change your preferences, or to unsubscribe once the pitches start arriving.

Payment information

Policies also differ on retention of card details. Some companies store your card number by default, while others ask your permission. This should be laid out in the privacy policy or stated on the registration page.

The convenience of saving your credit card on a retailer’s website is undeniable, but there’s also a risk involved, as evidenced by the many breaches of prominent brands. A safer course of action is to use a password manager that also stores payment information so that you can control access to this sensitive information. For one-off transactions with retailers you don’t know very well, we recommend against permitting payment information to be stored at all.

Password policies

Retailers love it when you become a member because it opens new avenues to market their goods and services. While there are many benefits to membership, be wary of how much information you give up upon joining. We recommend you limit yourself to providing only what you would be comfortable having exposed in a breach.

Pay particular attention to password security. Our research found the greatest variation between websites in that area. For example, BooHoo requires only that passwords be at least five characters, despite the fact that the site offers to store payment information. This is unacceptably weak security, in our view. Most sites specify a minimum of six to eight characters, often with a mix of upper- and lower-case letters and symbols, which is a more reasonable baseline. A few offer strength meters, which assess your password as you type. The more guidance the site offers, the better. Whatever the site requires, use a password of at least eight characters (longer is better), make it unique to that site, and avoid dictionary words dressed up with easily guessed substitutions, such as "1" for "l".

Checkout

All the retailers we visited provide secure checkout over TLS (still widely referred to as SSL). Most also display the logos of card-scheme authentication programmes on their payment pages, such as Verified by Visa, Mastercard SecureCode and American Express SafeKey, which indicate that your card issuer may step in to confirm that a payment is really yours. Bear in mind that a logo is just an image that anyone can copy onto a page; the padlock and a valid certificate for the retailer's own domain are what show the connection is secure, not the number of badges.

Some retailers offer to save your payment information at the point of sale. As noted above, we recommend against this practice. Some also use checkout to try to sign you up for their mailing lists or third party offers. If you already receive enough marketing messages, keep an eye out for this practice, since most retailers automatically opt you in and require you to make the effort to remove your name.

Summary

The profusion of recent security breaches should have every retailer on high alert to safeguard customer information. While all the sites we visited do a good job of covering the basics, we found significant variation in attention to detail. That doesn’t mean the more attentive sites are necessarily more secure, but if given the choice, we prefer to spend our money with companies that give protection of our personal data more than just lip service. Enjoy the online shopping season, but be careful to give up no more information than is really needed.

(Source: Keeper Security)

Here Charlie Abrahams, Senior Vice President of MarkMonitor, a brand of Clarivate Analytics, discusses with Finance Monthly the problems behind cybercrime, in particular phishing and fraud.

While internet commerce has enjoyed exponential growth over the past 15 years, it has also created a significant opportunity for bad actors to indulge in cybercrime. It not only affects a brand’s revenue stream, but more importantly its reputation. As a result, organisations are investing in brand protection technology and processes – not just to prevent brand abuse and counterfeiting, but also prevent other forms of cybercrime. Keeping your intellectual property safe requires a multi-layered approach, regardless of the size of the business or the type of information you hold.

While it's true that cyber criminals are targeting all industries, the financial services industry is particularly at risk. Firms within this sector have many high-value assets that make them an attractive target for cyber criminals, including significant intellectual property relating to their business processes and transactions, and financial records and customer data. Financial services companies stand to lose a lot more than money should cyber criminals be successful. Brand reputation would suffer, customer trust would be irrevocably damaged, and there may well be wider consequences such as fines from financial regulation bodies, especially with the deadline for compliance with the new European Union General Data Protection Regulation (GDPR) fast approaching. As a result, the financial services segment is one of the biggest buyers of enterprise security technology.

However, all that investment in enterprise security technology does not offer any protection against one of the most popular methods used by cyber criminals: phishing. The reason is that phishing attacks don't target the enterprise but its consumers directly, and this is where brand protection technology comes in. Phishing has been around in some form for the past few decades and is essentially an email, sent from what appears to be a legitimate source, asking for personal information such as login details, passwords, payment card details, etc.

Over the years, phishers have evolved in the way they carry out their cyberattacks. They are creating phishing websites to collect passwords, conduct identity theft schemes and carry out online advertising scams. Despite being a relatively low-tech method of cyberattack, it remains one of the most effective. Research conducted by a German university found that 78% of respondents admitted to opening unknown emails and clicking the links within, despite also claiming that they were aware of the dangers of phishing. This shows there is still work to be done in raising awareness around how to avoid being caught out by these cyber criminals.

Given the continually threatening nature of phishing, protecting and proactively defending organisations has never been more important within the financial services industry.

The first crucial step for businesses is to be fully prepared and adopt a 'when' rather than an 'if' approach, with the aim of preventing the attacks in advance. For example, organisations can set up early warning systems alerting them to new domain registrations that read misleadingly like their brand name and may be used to host malicious content targeting that brand, before it impacts their customers.

Fraudulent activity can also be detected using the right intelligence, as well as proactively monitoring and analysing key intelligence sources to detect phishing and malware activity across email and other digital channels. Fintech businesses need to shut down or restrict access to phishing sites, and should consider partnering with an anti-fraud (brand protection) vendor to share their phishing alerts with Internet Service Providers (ISPs), browsers, email providers and security vendors, helping them block malicious sites at the Internet gateway.

Lastly, all businesses — not just those within the fintech sector — should draw up an online brand protection strategy, which outlines the actions that should be taken in the instance of any particular cyberattack, including phishing. A brand protection strategy essentially means that you’re covered and ready to counter any of these infringement acts should they ever happen. Without a strategy, businesses are likely to either make snap decisions that might harm the brand, or spend precious time considering the multiple options available, by which time the damage has been done.

In this day and age, companies, regardless of the industry in which they operate, simply cannot afford to leave themselves vulnerable to phishing attacks. The risks are simply too great, and as public awareness of such cyberattacks continues to increase, the reputational damage that comes as a result is only likely to get worse. Therefore, brands must be more proactive in fighting the cyber threat, while each business should be backed up by a comprehensive brand protection strategy.
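As an added example of the early-warning monitoring described above (code written for this page, not MarkMonitor's tooling), the Go program below generates the lookalike variants of a brand's domain label that phishers typically register, then screens a feed of newly registered domains against them and against the brand's own label on TLDs it does not own. The brand `finmonthly`, its legitimate TLDs, the homoglyph table, the keyword list and the feed are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// homoglyphs lists characters commonly swapped for a letter in lookalike
// registrations (a small constructed table; production feeds use far more).
var homoglyphs = map[rune][]string{
	'a': {"4"}, 'e': {"3"}, 'i': {"1", "l"}, 'l': {"1", "i"},
	'o': {"0"}, 's': {"5"}, 'm': {"rn"}, 'w': {"vv"},
}

// keywords are padding terms phishers attach to a brand label.
var keywords = []string{"login", "secure", "online", "support", "verify"}

// Variants returns lookalike second-level labels for a brand, keyed by the
// technique that produced them: omission, repetition, transposition,
// homoglyph substitution and keyword padding.
func Variants(label string) map[string]string {
	out := map[string]string{}
	add := func(v, technique string) {
		if v == "" || v == label {
			return
		}
		if _, seen := out[v]; !seen {
			out[v] = technique
		}
	}
	r := []rune(label)
	for i := range r {
		add(string(r[:i])+string(r[i+1:]), "omission")
		add(string(r[:i])+string(r[i])+string(r[i:]), "repetition")
		if i+1 < len(r) {
			t := append([]rune(nil), r...)
			t[i], t[i+1] = t[i+1], t[i]
			add(string(t), "transposition")
		}
		for _, h := range homoglyphs[r[i]] {
			add(string(r[:i])+h+string(r[i+1:]), "homoglyph")
		}
	}
	for _, kw := range keywords {
		add(label+"-"+kw, "keyword")
		add(kw+"-"+label, "keyword")
		add(label+kw, "keyword")
	}
	return out
}

// Match is a newly registered domain that collided with the brand.
type Match struct {
	Domain    string
	Technique string
}

// Screen checks a feed of newly registered domains against the brand label and
// the TLDs it legitimately owns. Feed entries are assumed to be registrable
// domains (label.tld), so the first label is the one compared.
func Screen(brand string, legitTLDs []string, feed []string) []Match {
	variants := Variants(brand)
	legit := map[string]bool{}
	for _, tld := range legitTLDs {
		legit[brand+"."+tld] = true
	}
	var hits []Match
	for _, d := range feed {
		d = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(d), "."))
		if legit[d] {
			continue
		}
		parts := strings.SplitN(d, ".", 2)
		if len(parts) != 2 {
			continue
		}
		if parts[0] == brand {
			hits = append(hits, Match{d, "tld-swap"})
		} else if technique, ok := variants[parts[0]]; ok {
			hits = append(hits, Match{d, technique})
		}
	}
	sort.Slice(hits, func(i, j int) bool { return hits[i].Domain < hits[j].Domain })
	return hits
}

// SampleFeed is a constructed stand-in for one day's new-registration feed.
var SampleFeed = []string{
	"finmonthly.com",       // the brand's own domain
	"finmonth1y.com",       // l replaced by 1
	"finmontlhy.net",       // h and l transposed
	"finmonthly-login.com", // keyword padding
	"finmonthly.xyz",       // brand label on a TLD it does not own
	"fimonthly.com",        // dropped n
	"finmonthlyy.co",       // doubled y
	"weatherdaily.com",     // unrelated
}

func main() {
	for _, m := range Screen("finmonthly", []string{"com", "co.uk"}, SampleFeed) {
		fmt.Printf("%-22s %s\n", m.Domain, m.Technique)
	}
}
```

In practice the feed would be the daily zone-file or registrar data the article alludes to, and each hit would be queued for review and, where content is already live, for the takedown and blocklist sharing described in the following paragraphs.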

Cyberattacks are now widespread, common and even expected at firms worldwide. Many companies have been affected by hacking, ransomware and threats, with reports emerging almost weekly about new attacks. Treating cybersecurity as a priority is now the norm, and if you aren't, you should be.

Finance Monthly, in this week's Your Thoughts, asks what the long-term impact of cybersecurity attacks and similar cyber damage might be, not just on individual firms, their pockets and their operations, but on the markets they trade in, the economies of the countries in which they reside, and the overall fluidity of global markets.

Our guests this week answer questions such as: What are cyberattacks and their effects doing to markets, the economy and our countries? How is trade affected in certain sectors? Do you have stats to show this? How do you think companies will react to cyber threats?

Dr Benjamin Silverstone, course leader for computing and quantitative business, Arden University:

The recent ransomware attacks have very publicly demonstrated vulnerabilities in business IT security. Firstly, the direct impact is that the business infrastructure is affected. Companies can be left unable to process orders, causing their operations to shut down, which directly affects their finances along with those of stakeholders. This leads to a second impact on business: consumer confidence.

A number of cyber-attacks in recent years have focused on obtaining personal details of customers and, where possible, defrauding them by pretending to be a familiar company. Rather than blaming the faceless cyber-criminals, consumers will increasingly turn to the company that is being impersonated to ask how this sort of thing could happen in the first place. The readiness to share details online, even with legitimate companies, is being affected and this will damage their business in the long term.

Ultimately, businesses need to consider the cost/benefit of investing in better security systems and changes in practice, to reduce the impact on their business-critical processes. Investment in these approaches may be seen as disproportionately high given the likely impact of an attack; but as we’ve seen successful attacks can, and do, negatively impact reputation in significant ways, and it is these intangibles that are hard to regain. Rather than an expense, improving security should be viewed as an investment, and insurance against brand damage to help ensure future longevity.

Oz Alashe, CEO, CybSafe:

When WannaCry struck in May, shares in cybersecurity and anti-virus companies surged. Once bitten, twice shy is the old adage, and being crippled by a cyber-attack makes for an uncomfortable AGM. The logical outcome from a global cyberattack is that companies invest in the latest cyber technology to prevent themselves being the next victim.

However, cyberattacks cover many facets. They can also include embarrassing phishing attacks such as those that pranked the Morgan Stanley CEO, James Gorman, and the Bank of England's Mark Carney recently. Phishing, albeit only one attack vector available to cyber criminals, is particularly noteworthy at present. A recent government survey suggested three-quarters of medium to large businesses in the UK had discovered at least one cybersecurity breach or attack, and the vast majority of these attacks were phishing emails or websites. The report also stated that a "sizeable proportion" of businesses didn't have "basic protections" in place.

The National Crime Agency recently said that “many businesses failed to report attacks for fear of damaging their reputation.”

One of the biggest phishing incidents in recent history affected Google and Facebook, which both were scammed out of over $100 million in a sophisticated attack. This is concerning because it affects the supply chain and trade relationships. Trade is driven by trust, and if you can’t trust who you are trading with, it undermines the relationship.

What is the answer? Build trust; if you can equip staff with the skills to detect and prevent phishing and other cybercrime attempts you can empower everyone to be the first line of defence for cyberattacks.

Inga Beale, CEO, Lloyd’s:

Cyber-crime already costs an estimated $450 billion a year[1], and that figure is going to rise as more and more devices are connected to the internet and the sophistication of attackers grows.

This is having – and will continue to have – a huge impact on businesses. Lloyd’s new report on cyber risk, ‘Closing the Gap’, produced in association with KPMG and legal firm DAC Beachcroft, shows that as well as the immediate costs caused by cyber-attacks, slow-burn costs such as, litigation, loss of competitive edge and reputational damage can substantially increase the final bill. In today’s multi-media world, it can be the reputational fallout from a cyberbreach that kills modern businesses.

At the same time, more stringent regulations are being put in place, such as the EU’s General Data Protection Regulation – or GDPR – that will increase the penalty for companies that fail to protect European data from cyber threats. When this comes into force in 2018, the courts will be able to fine companies up to EUR20m or 4% of global turnover, whichever is higher, if they fail to comply with the new rules.

Despite these growing implications, it’s clear that many businesses are not facing cyber risk head-on. Recent Lloyd’s research shows that while 92% of respondents said their company had suffered a data breach in the past five years, only 42% are worried about suffering another breach in the future.

Nicola Whiting, COO, Titania:

The annual cost of cybercrime to the global economy is estimated to be between $375 billion and $575 billion (McAfee, Net Losses: Estimating the Global Cost of Cybercrime, June 2014). Unsurprisingly the richest countries are hit hardest, with G20 nations suffering the bulk of losses. Low-income countries currently have smaller losses, partly due to their infrastructure and reliance on mobile Internet. However, this may change as richer countries continue to invest more in their cyber security and as criminals find new ways to exploit mobile platforms.

The impact on countries is just as important when it comes to international relations. Just look at the hack of the Democratic party and the publication of confidential emails during the 2016 US presidential election, which elevated cyber security in the context of international affairs to a new level around the world.

Hackers will target any industry they can profit from; this is highlighted by the wide range of nations and industries impacted by the ransomware attack last month. Aside from any financial loss, the biggest impact can be on reputation and share price.

However, analysis shows that some sectors are potentially more at risk than others. For example, according to PricewaterhouseCoopers’ 2014 Global Economic Crime Survey, 39% of financial sector respondents said they had been victims of cyber-crime, compared with only 17% in other industries. Other research from Trend Micro assessed breaches that took place between 2005 and 2015 and showed health care as the most highly targeted industry for data breaches.

Any industry that stores customer information, such as credit card details, is a potential target. In 2015 Hilton Hotels, Starwood Hotels & Resorts, Mandarin Oriental and the Trump Collection all admitted that their payments systems had been compromised. Hilton and Starwood said guests’ personal details had been taken after hackers gained access via payment systems. Hackers may have turned their attention to hotels after retailers began improving their security following a series of high-profile attacks on US chains in late 2013 and 2014, including breaches at Target and Home Depot. So any business that handles or stores sensitive data is at risk, and once one sector builds its defences hackers will target another one they perceive to be weaker.

Most companies are not doing enough to secure the assets they’re creating. Large organisations can have incredibly complex networks and ‘border control’ issues as they can struggle to secure their IT infrastructure & supply chain. Smaller organisations find it easier to understand where their system borders are, but may lack resource and expertise to secure them.

In both there is inevitably more to be done in two key areas; reducing ‘human errors’ through security training and ensuring the ‘security basics’ are followed. The number of costly breaches that occur through basic training and security failures is astonishing – most of which could’ve been averted.

We’ve worked with everyone from the Department of Defence to small SMEs in creating tools to automate these security basics. Security automation is something all businesses should look at: human beings make mistakes, and when that inevitable ‘wrong click’ happens, it’s your next line of defence.

Patrick Martin, Cyber Security Specialist, RepKnight:

According to Forbes, Financial Services are in the Top-5 targeted by cyber-crime. This is borne out by the huge amount of data relating to the financial sector on the dark web. We put some of the UK’s leading financial services companies into BreachAlert, our software tool for searching and monitoring the dark web, and uncovered over 5,000 results. Each find contains thousands of pieces of information about financial services — most are as a result of a data breach one way or another.

Right now, cyber-criminals and bad actors are busy stealing data from within corporate networks and listing it for sale on the dark web. Most organisations neither know about it nor are they equipped to detect or do anything about it. Employee names, addresses, logins, and corporate credit card information is readily available, and companies carry on completely unaware of any illegal activity.

According to the 2017 IBM Ponemon report, this year’s study suggests the global average cost of a data breach is down 10% on previous years to $3.62 million, due in large part to a strong US dollar. In the UK they assess £2.48 million to be the average total cost of a data breach. In addition, victims can suffer a 5% drop in average stock price the day a breach is announced, a 7% loss of customers, and 31% of consumers discontinue the relationship. But things are about to get much worse next year when the EU enforces the General Data Protection Regulation (GDPR), with costs for organisations that suffer a data breach to be £20 million or 4% of their annual turnover, whichever figure is higher.

For most businesses, it can be next to impossible to find out if their information is on the dark web. So what can businesses do to protect themselves? The key for all businesses is to improve their understanding of how the dark web works, how criminals are using it to buy and sell their data, and to put a plan in place to mitigate the damage once their data has been posted on the dark web.

The trick lies in acquiring advanced automated search technology and innovative data management processes. It’s vital for businesses to invest in this type of software that can monitor hundreds of dark web pages and filter and extract information based on things like card numbers and domain names. It’s even more essential to use software which can instantly alert you when your data is being shared or discussed on the dark web. The good news is that this type of software is already on the market and investing in it can save your business from receiving hefty fines from GDPR.
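As an added illustration of the filtering Martin describes (this is not RepKnight’s BreachAlert code; the dump text, the watchlist domains and the card numbers below are constructed for the example, using standard test numbers), the following Python scans a leaked-credential dump for addresses at watched domains and for Luhn-valid card numbers, masking the latter before raising an alert:

```python
"""Watchlist scan over a leaked-credential dump.

Added example of the filtering a dark-web monitoring tool applies (company
domains, card numbers); it is not RepKnight's BreachAlert code. The dump text
and the watchlist below are constructed and contain only test card numbers.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample dump (fake credentials and standard test card numbers).
SAMPLE_DUMP = """\
combo list 2017-06 (sample)
j.smith@examplebank.co.uk:Summer2017!
a.jones@othercorp.example:hunter2
card 4111 1111 1111 1111 exp 09/19 cvv 123 name J SMITH
card 4111-1111-1111-1112 exp 01/20
support@mail.examplebank.co.uk ticket 5555 5555 5555 4444
phone 0207 946 0000
"""

WATCHLIST_DOMAINS = {"examplebank.co.uk", "examplebank.com"}  # assumed client domains

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
# 13-19 digits, optionally separated by single spaces or hyphens, not glued to other digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str    # "email" or "card"
    value: str   # e-mail address, or a masked card number


def luhn_ok(digits: str) -> bool:
    """Luhn check: weeds out phone numbers, ticket ids and typos that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep BIN and last four only, so an alert never re-leaks the full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def on_watchlist(domain: str, watchlist: Set[str]) -> bool:
    """Exact match or a subdomain of a watched domain (not a look-alike suffix)."""
    domain = domain.lower()
    return any(domain == w or domain.endswith("." + w) for w in watchlist)


def find_cards(line: str) -> List[str]:
    found = []
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def scan_dump(text: str, watchlist: Set[str]) -> List[Hit]:
    hits: List[Hit] = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in EMAIL_RE.finditer(line):
            if on_watchlist(m.group(1), watchlist):
                hits.append(Hit(n, "email", m.group(0)))
        for pan in find_cards(line):
            hits.append(Hit(n, "card", mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for h in scan_dump(SAMPLE_DUMP, WATCHLIST_DOMAINS):
        print(f"line {h.line_no}: {h.kind} {h.value}")
```

On the constructed dump this yields four hits: two addresses at the watched domain (one on a subdomain), and two card numbers that pass the Luhn check; the near-miss number ending in 1112 and the phone number are dropped. Masking in the alert matters because a monitoring tool that stores or e-mails full card numbers becomes a breach source of its own.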

Pascal Geenens, EMEA security evangelist, Radware:

Today there are vibrant online marketplaces where just about anyone—even those with very limited technical knowhow—can buy tools to execute an attack. Cryptographic currencies enable untraceable digital payments, while old-fashioned economics is driving the growth of these marketplaces. Demand for services now outpaces supply, and DDoS-as-a-Service providers can bring in more than $100,000 annually.

Purchasing an attack can be surprisingly inexpensive. On the Clearnet, for as little as $19.99 a month, an attacker can run 20-minute bursts for 30 days utilising a number of attack vectors like DNS, SNMP, SYN and slow GET/POST application-layer DoS attacks. All an attacker has to do is create an account, select a plan, pay in Bitcoin and access the attack hub to target the victim by port, time and method. More advanced and larger botnets are also available for sale on the Darknet.

The motivation for people to pay for such attacks has different drivers, but profit is the most prevailing through the use of Ransom DDoS attack campaigns. The responses from nearly 600 enterprises world-wide confirm this through Radware’s annual ERT report: Ransom is the #1 motivation for cyber-attacks suffered by the respondents: 41% global average, 49% in Europe (half of the businesses!).

Recent trends such as cloud migration, digital transformation, automation (IoT, IoE) and serverless computing increase the number of targets for cyber-attacks. As our economies become more dependent on these online technologies, dark marketplaces and economies will thrive on the potential of ransom DoS.


[1] http://www.cnbc.com/2017/02/07/cybercrime-costs-the-global-economy-450-billion-ceo.html

Austen Clark, managing director of Scottish IT specialists Clark Integrated Technologies, tells Finance Monthly that a ransomware demand can be commercial suicide for a business: it has the potential to ruin its reputation and send share prices plummeting, and the business may struggle to recover from the damage done.

Austen’s advice is simple - prevention is better than cure.

“Should companies pay cyber ransoms? The answer is that they should never have been in the position to be ransomed in the first place.

“Ransomware is the most financially successful hacking tool of the past four years. Revenues from ransomware have been increasing exponentially year on year – in 2016 a 6,000% increase in revenues was reported.

“It is also one of the most publicised forms of attack, so companies really have no excuse for failing to have appropriate backups, data recovery and updates in place. This can be avoided – hence why a business should not find itself in this position.”

Even after an organisation has been compromised, it should not consider paying a cyber ransom, explains Austen.

“By paying the attackers, you have confirmed that their method works, and paying a ransom does not guarantee you will get your data back. These are dishonest people, and even when you hand over the ransom there is no guarantee they will honour the arrangement. It has been well documented that they do not always release all of the data, holding out with additional requests.”

Austen outlines practical preventative measures relevant to all businesses to defend against a ransomware attack.

As long as companies continue to pay up, then hackers will strike in this way.

Austen adds: “There are few that will admit to an attack – and even fewer admit to paying up, so this is vastly under-reported. But it has crippled companies before, and it will again. Organisations like Nayana will be in the press for a long time and for all the wrong reasons.

“If you follow these points you will reduce the risk of a ransomware attack, which really is the best defence. In the event of falling victim you can restore your information and not have to pay a ransom. Back up data to a separate source like a data centre, cloud, or external hard drive – basically anywhere but your current source.”

While the threat of cybercrime is at the forefront of SME owners’ minds, ‘cyber recovery’ is not, according to a new study, The Business of Cyber Recovery, by PolicyBee. Five hundred UK SMEs were asked about their preparedness for cybercrime and its aftermath: one in three believe that a cyber-attack on their business is a matter of ‘when’ not ‘if’, and a quarter believe an attack is ‘likely’.

However:

Sarah Adams, cyber insurance expert, who commissioned the study for PolicyBee, said: “Large corporates will all have a ‘what if’ plan in place that has been stress tested via a crisis simulation or role play exercise. They will know exactly what to do in the event of a cyber-attack. However, small businesses seem to be chancing their luck and despite expecting to be hacked, aren’t preparing to be prepared.

“The difference between a large and small company is that at least in the short term, no single individual will lose their income in a big business - but in a small business, their day to day livelihood could be altered dramatically within a scarily short space of time.”

Businesses in denial

Younger respondents seem more aware of potential cyber risks - as business owners get older they think a cyber-attack is less likely: 22% of 18-34 year olds think a cyber-attack is unlikely; 41% of 35-54 year olds and 56% of 55+ year olds.

Businesses in the South West and East of England are most in denial of a cyber-attack; those in London and the North East are the most switched on.

Similarly, sole traders believe they are least at risk from a cyber-attack: 71% say it is unlikely; 32% of businesses with 10-49 employees and one in five of businesses with 50-249 employees.

Adams continued: “More mature sole traders in the South West and East Anglia seem to be in the most potentially vulnerable group. If you are one of these people, it would be well worth looking at your business’s potential to become the next cyber victim, and how you’d continue to operate afterwards.”

IT and management consultant firms more switched on to cyber recovery

Interestingly, SMEs operating in the IT and management consultancy sectors had a much more realistic attitude to cyber-attacks:

SMEs not ostriches

According to PolicyBee, who provides cyber insurance and other business insurance to freelancers and small businesses, the study highlights the fact that SMEs are simply too busy running their day-to-day operations.

Adams concluded: “It’s not the usual case that all SME owner-managers are burying their heads in the sand, as the study shows some awareness of the possibility of an attack amongst some groups. It’s more that these busy owner-managers haven’t prioritised any time to deal with the aftermath of an attack. We’re all familiar with the terms cybercrime; cyber-attack; and hackers; but we need to make ‘cyber recovery’ part of the general discussion now too.”

(Source: PolicyBee)

The threat of cyber extortionists holding data hostage is significant. Symantec’s 2017 Internet Security Threat Report lists ransomware as the ‘most dangerous cybercrime threat facing consumers and businesses’.

Last week, South Korean web-hosting firm Nayana agreed to pay a $1m ransom to unlock computers frozen by hackers. Security experts warned that firms should not pay such ransoms or enter into negotiations with hackers. In addition, today several firms globally were held to cyber ransoms including banks, airports and government systems around the world. Even DLA Piper suffered an attack according to the BBC.

When considering high-risk industries like financial markets, the data and infrastructure at risk is both incredibly sensitive and complex. Once adversaries gain access to an environment, they can access everything from proprietary algorithms and trading strategies through to sensitive customer data.

This week, Finance Monthly received its biggest ever number of responses to the question ‘Should Companies Pay Cyber Ransoms?’ Below are just a few of the responses from top experts around the world.

Jack Bird, Content Specialist, Team Umbrella:

The magic of the internet and today’s cutting edge technology is based on a give and take relationship. To take all the lightning quick information and globalised communication, we have to give our personal details and highly sensitive information in return; like a sacrifice to the all-powerful cyber gods that we’re forced to trust so our crops might be more fruitful next year.

The easier things get for us, the larger the anvil hanging over our head becomes; and this form of cyber terrorism we’re seeing with Nayana is only going to grow. This might soon see a return to more physical forms of media to avoid the proxy-warfare of recent headlines, but for now, and it is a weak answer: it’s a matter of balances.

Maybe the correct move is to stand up to the bully and not give them your lunch money, because next week they might come back for your homework or the intricate details of your eight figure business plans. Giving in to demands, however, might result in you going hungry throughout the day – or, to put an end to that analogy, your work force of mothers and fathers going hungry because you can’t pay them anymore.

Films taught us to puff our chest out, but, even though this news story might resemble the plot line of a 1980’s Paul Verhoeven film – this isn’t a film. There is no simple answer because every question is different. Is the $1 million more valuable than the files they’re holding a gun to the head of? Maybe they’re outdated and you don’t need the information anymore?

There is no definite answer, which makes this a bad one – but, also, the right one.

Rafe Pilling, Senior Security Researcher, Counter Threat Unit, SecureWorks:

To paraphrase a well-worn bit of philosophy, all that is necessary for ransomware attackers to succeed is for well-meaning organizations to pay the ransom. In 2016, it became common for thought leaders to say “Never pay the ransom, but …” and that “but” was meant to allow wiggle room for instances when a $500 ransom was cheaper than the hassle of not paying, or when healthcare entities were dealing with true matters of life and death. But the problem with either of those scenarios is: as soon as one pays the ransom, then one has reinforced that the attackers made the right decision to attack. The only reason this crime thrives is because it’s profitable: organizations (despite what they say publicly) continue to pay the ransom. When that stops, so will the attacks.

Eric Berdeaux, CEO, OXIAL:

If the situation has gone so far that an organisation has actually been breached, then paying can be the best option open to them. Ransomware is truly insidious and can often encrypt most, if not all, of an organisation’s data. This makes it completely unusable and puts a halt to any internal business and IT processes. Such is the professionalism and expertise of modern hackers, it can be very difficult to fend off ransomware once it has taken hold. To try and clean the virus, delete all of the encrypted files and then restore them would not only cost a lot of money but would require a number of highly skilled engineers too. Even then, there is no guarantee of success. That’s why I believe that when it has gone this far, the only way is to pay.

Of course, it would have been far better to spend this money in a different way – securing the data properly and effectively in the first place, and covering any residual risk with good insurance. Organisations do not always do this even when they have suffered an attack, believing lightning won’t strike twice. This is misguided. When it comes to cyberattacks, lightning can and will strike on many occasions – the security threat in 2017 is incredibly complex, varied and on-going. Without continuous protection, organisations will be hugely vulnerable and may find themselves facing expensive ransom demands.

Rob Norris, VP Head of Enterprise & Cyber Security EMEIA, Fujitsu:

The news that South Korean web-hosting firm Nayana has agreed to pay a $1m ransom to unlock computers frozen by hackers is stirring a new narrative around whether we should be giving in to hackers. While industry experts have been preaching against this, companies are ultimately left facing the prospect of irreversibly losing valuable data, or paying a certain, often excruciating, amount of money to save their businesses.

Paying ransomware encourages the lucrative side of malicious cyber activity, which subsequently attracts more actors willing to engage for their personal gain. The truth is that many organisations probably don’t see themselves as ‘high value targets’ for attackers and it’s likely that they have very minimal protection or staff training and awareness. However, for many malicious actors finding vulnerabilities is their bread and butter, and they will look to hold organisations to ransom through a ‘soft attack’ that compromises its data.

Organisations should ensure they have good backups if they are infected. They must take a proactive and intelligence driven approach to security, by monitoring phishing campaigns which evade their mail gateway controls for example. Backups, risk analysis, staff training and further practical advice such as application whitelisting and incident response will ensure the risks associated with ransomware are as low as possible.

With this knowledge there is no excuse not to be prepared. Cyber criminals are entrepreneurial, well-sourced and motivated, and we shouldn’t be repaying their efforts in hefty amounts of ransom.

Sarah Adams, Cyber Risk Expert, PolicyBee:

Faced with not having access to your systems, data or website, it’s tempting to take what seems like the line of least resistance and pay a ransom straightaway. But there are good reasons why that might not be the best thing.

From a cyber insurance point of view, the most obvious alternative is to get in touch with your insurer. This kind of situation is exactly the sort of thing your policy is for. Your insurer has access to cyber security experts who will evaluate and deal with the problem for you.

Of course, if there’s no way around it, your policy will cover the ransom. But ideally your insurer will want to sort the situation by other, technical means if possible – there’s no guarantee paying up means case closed. Who’s to say you’ll get your files back, even if you cough up? Your insurer certainly doesn’t want to trust the word of a cybercriminal.

The point here is that two (or more) heads are better than one. You don’t have to deal with a ransomware problem – or any other cyber-attack – on your own.  Cybercrime is alien territory for most businesses, and it makes sense to get help when you need it most. A specialist insurer not only has the money to sort out these situations, it has the time and the expertise too.

Although undoubtedly unsettling and very much an unknown quantity, cyber-attacks involving ransomware aren’t always the business disaster they might first appear to be. Paying up doesn’t have to be a given and doing so, worst-case scenario, can risk turning you into a future blank cheque.

Preventing an attack in the first place can be equally expensive and time-consuming (and, given the odds, arguably futile), so it pays to have help and support on standby for if and when you’re targeted. You don’t need to be a cyber security expert to recover from an attack – you just need to know someone who is.

Dr Guy Bunker, Senior Vice President of Products, Clearswift:

This case sets an unfortunate precedent, whereby larger organizations are shown to be prepared to pay significant sums of money to cyber-criminals. It will only stoke the fire of ransomware and the attacks on business if the perpetrators think they will get away with it. In the non-cyber world, we saw this with the Somali pirates, where once ransoms started to be paid, there was a huge rise in vessels and crew being taken hostage.

Our advice is always the same for both individuals and organisations: once you’ve been compromised, do not pay the ransom. By paying, you’re opening yourself up to further attacks as the criminals will see that A) the organisation has the willingness to pay ransom and B) the cash reserves to do so. Furthermore, in more than 30% of cases, access to the information is not returned, i.e. you still don’t get your data back in an unencrypted form. All too often, the cyber-criminals take the money and then re-encrypt systems a short while later – as the malware will still be lurking in the background, unless it has been fully removed.

This is not the only issue: negotiations between the criminals and the organisation can take up valuable time and resources – according to reports it took Nayana over a week of back and forth with the hackers to come to an agreement. Ransomware’s biggest impact is downtime of the organization, with several organizations requiring a complete IT shut-down and a return to pen and paper while the issues are resolved.

The best defense against ransomware is firstly, to ensure all systems and applications are kept up to date with security patches being applied; secondly, ensuring that security systems are in place that strip hidden active content (the type likely to be ransomware) out of documents and emails coming into your organization; and thirdly, to regularly backup critical information. Backups are key and can ensure that even if information is encrypted, you won’t be in a position where you have to pay – minimizing the harm to you and the reward to the criminal to zero.
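As an added example of the second of Bunker’s three controls, stripping hidden active content from inbound documents (this is not Clearswift’s code, and the macro-enabled document it processes is constructed in memory with a placeholder in place of a real VBA container), the following Python shows what that means at the file-format level: an Office Open XML file is a zip package, macros live in a vbaProject.bin part, and the package metadata ([Content_Types].xml and a .rels file) declares that part. The example reports macro, ActiveX and OLE parts, and removes the VBA project together with every declaration of it so the result opens as an ordinary macro-free document:

```python
"""Detect and strip a VBA project from an Office Open XML (OOXML) package.

Added example of the "strip active content" control; not Clearswift's code.
The sample .docm below is constructed in memory and its vbaProject.bin
payload is a placeholder, not a real VBA container.
"""
import io
import re
import zipfile
from typing import List

# Package entries that carry executable or externally loaded content.
ACTIVE_PART_RES = {
    "vba": re.compile(r"(^|/)vbaProject\.bin$"),  # VBA macros (docm/xlsm/pptm)
    "activex": re.compile(r"(^|/)activeX/"),      # ActiveX controls
    "ole": re.compile(r"(^|/)embeddings/"),       # embedded OLE objects
}
# Macro-enabled main-part content types and their macro-free equivalents.
MACRO_MAIN_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
}


def active_parts(data: bytes) -> List[str]:
    """Entries holding macros, ActiveX or OLE objects (all reported; only VBA is stripped below)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist()
                if any(r.search(n) for r in ACTIVE_PART_RES.values())]


def strip_vba(data: bytes) -> bytes:
    """Rebuild the package without its VBA project, fixing the metadata that declared it."""
    vba_re = ACTIVE_PART_RES["vba"]
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        dropped = [n for n in src.namelist() if vba_re.search(n)]
        for name in src.namelist():
            if name in dropped:
                continue
            payload = src.read(name)
            if name == "[Content_Types].xml":
                text = payload.decode("utf-8")
                for part in dropped:  # the Override that declared the VBA part
                    text = re.sub(r'<Override[^>]*PartName="/%s"[^>]*/>' % re.escape(part), "", text)
                for macro, plain in MACRO_MAIN_TYPES.items():
                    text = text.replace(macro, plain)  # .docm main part becomes .docx main part
                payload = text.encode("utf-8")
            elif name.endswith(".rels"):  # the relationship pointing at vbaProject.bin
                text = payload.decode("utf-8")
                text = re.sub(r'<Relationship[^>]*Target="[^"]*vbaProject\.bin"[^>]*/>', "", text)
                payload = text.encode("utf-8")
            dst.writestr(name, payload)
    return out.getvalue()


def is_macro_free(data: bytes) -> bool:
    """True when neither a VBA part nor any metadata reference to one remains."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(ACTIVE_PART_RES["vba"].search(n) for n in names):
            return False
        ct = zf.read("[Content_Types].xml").decode("utf-8")
        if "macroEnabled" in ct or "vbaProject" in ct:
            return False
        rels = b"".join(zf.read(n) for n in names if n.endswith(".rels"))
        return b"vbaProject" not in rels


def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled document used as sample input."""
    ct = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
          '<Default Extension="xml" ContentType="application/xml"/>'
          '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
          '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
          '</Types>')
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '</Relationships>')
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           '<w:body><w:p><w:r><w:t>Invoice attached; enable content to view.</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/document.xml", doc)
        # Placeholder bytes (OLE2 magic plus padding) standing in for a real VBA container.
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_docm()
    print("active parts:", active_parts(original))  # ['word/vbaProject.bin']
    print("macro-free after strip:", is_macro_free(strip_vba(original)))  # True
```

Only the VBA project is removed here: ActiveX controls and embedded OLE objects are reported but left in place, because the document body also references them and a sanitiser must rewrite those references too, which is outside this example. Note that an attachment that arrives as a renamed .docx still carries its vbaProject.bin, so the check inspects the package contents rather than trusting the file extension.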

Robert Rutherford, CEO, QuoStar:

Ransomware is an increasing threat, and one which is here to stay. Although businesses may not like the thought of paying a cyber ransom, in today’s digital era, if an entire business’s IT environment is frozen then it is unable to function, and this loss of productivity can come at a far higher cost than the ransom itself.

When it comes to deciding whether to pay a ransom, a business essentially needs to understand how much an outage or a loss of key data assets is going to cost them. This information will allow a business to measure risk against cost and make an informed decision. If a cyber ransom is £500 for example, whereas loss of productivity could cost thousands, the decision can be made easily by those responsible for IT security within a business.

Furthermore, this information should also be used by a firm’s senior leadership team to determine which protections and solutions should be put in place to prevent the business from being infiltrated by ransomware again, or by another type of cybersecurity threat in the future. IT security must be a priority, however, and firms must not wait until ransomware strikes to conduct these risks versus cost reviews and act ahead of time.

Giovanni Vigna, CTO and co-founder, Lastline:

Companies should not pay ransom. However, there might be situations in which not paying ransom would cause irreparable damage to a company, putting the company out of business. In these cases, paying might be the only option, but these situations can be avoided by being prepared. Ransomware, in a way, is not very different from a catastrophic event. What if a room full of servers is flooded and the machines damaged beyond repair? Would the company be ready to restore the service (and the associated data) after such an event? If the answer is “yes” the company could probably withstand a ransomware attack as well…

Andrew Stuart, Managing Director, EMEA, Datto:

Firms should never cave in to ransom demands from hackers. First of all, paying up does not guarantee the safe return of data. Datto conducted some research into this topic during the twelve months up until September 2016. We found that almost half – 47% – of the European firms which opted to pay ransoms, didn’t get all of their data back.

Secondly, firms that choose to cough up can quickly gain a reputation amongst cybercriminals for being a soft target. This leaves them particularly susceptible to future attacks.

On a wider scale, each and every time a ransom is paid more money is ploughed into the criminal underworld. Today’s hackers work like businesses, with a portion of their income being invested in R&D. This extra cash could be used to develop new strains of malware or to exploit new vulnerabilities. While paying a ransom seems like a quick fix, it has negative, long-term consequences for all organisations.

Instead of paying ransoms – especially ones with $1 million price tags – organisations need to invest in better defences. Patching vulnerable IT systems is vital, as are perimeter defences such as anti-virus software and firewalls. But these alone are not enough. Firms also need to back up their data. If they can roll back their systems to a point in time before their data was illegally encrypted by hackers, firms can carry on as normal, with no dramas and no ransoms.

Andrew Bushby, UK director at Fidelis Cybersecurity:

An analogy often used to describe ransomware and whether to pay up or not is ‘protection racket’. In old-fashioned mob movies, two guys walk into a grocery store saying ‘Hey, nice store. Would be a shame if something were to happen.’ The reason the mob ‘insurance’ scams worked is because the value of the protection was higher than the cost of the insurance – and the mob delivered on their promises. In the case of ransomware, the value of the data is higher than the ransom and operators go through great effort to ensure users get their data back. Occasionally there are errors, but in general, people do get their data back.

In an ideal world, consumers and organisations would be better prepared. With sound backups in place, ransomware infections would merely be annoying exercises involving file restoration.  Ensuring backups of critical or valuable information has been a best practice for decades, but because reality rarely matches the ideal, this often doesn’t happen.  Consequently, a few tips can help those dealing with a ransomware attack:

Stu Sjouwerman, CEO, KnowBe4:

Ransomware has been called the most profitable criminal business model in history. Bad guys infect a workstation or whole network and hold the data hostage until a fee is paid to get it back. Last month, the WannaCry ransomware strain went global, impacting computers in more than 150 countries and wreaking havoc on Britain’s National Health Service, Spain’s Telefonica and France’s Renault automobile factory.

Ransomware has become a “when, not if” scenario for businesses of all sizes. Typically ransomware comes into a company through an employee, usually by opening the attachment of a phishing email, which then gives cyber criminals the ability to download the malware onto the user’s computer or network without their knowledge.

Most antivirus programs do not detect it, as it is rapidly changing with new variations every day. Being successfully hit by a ransomware attack can set a business back 50 years, using “pen and paper” management, and the ransom amount can get very high. WannaCry charged $300/machine, which adds up very quickly, particularly for small and mid-sized businesses (SMBs).

Now to pay or not to pay – this is ultimately a business decision, and one which most organizations do not make lightly. There are different types of ransomware infections:

It is crucial to start with a so-called defense-in-depth strategy to protect your network, including weapons-grade backups that are regularly tested, ensuring all software is up to date, running antivirus software but not relying on it, identifying users who handle sensitive information and checking firewall configurations to make sure no criminal network traffic is allowed out and educating your users as your last line of defense so they can stop ransomware before it comes in.

Alex Manea, Chief Security Officer at BlackBerry:

Companies that experience ransomware attacks should never consider paying any ransom demand. Not only does it cause reputational damage and a loss in customer confidence, but once an organisation succumbs to paying a cybercriminal there is still no guarantee that full recovery will occur. Relying on cybercriminals to provide a decryption key can take days or weeks, or the key may never arrive at all.

Businesses should also keep in mind that cybercriminals are anonymous and they have no reputation to protect, which means they have no incentive to hand over the decryption key, as this could make them easier to trace.

In addition to this, there is now evidence that hackers are actually repeating other hackers’ successful ransomware activities. This not only suggests that businesses that are paying ransoms aren’t getting their data back, but are likely inspiring future attacks.

If a company does choose to pay the ransom, as Nayana did in this case, and gains access to the decryption key or a tool which can help it to access its files again, there is still no certainty that the organisation is secure again. Indeed, in many ways the company is now more vulnerable to ransomware attacks, as it will have a reputation for paying, and this could actively encourage additional ransomware attacks and even bigger financial demands.


With cybercrime and ransom hacks being a common occurrence in today’s newsrooms, Karen Wheeler, VP UK Country Manager at Affinion talks to Finance Monthly about the opportunities that can arise from these kinds of threats, for the banking sector in particular.

We’re living in a world where high profile data hacking scandals and cybercrime attacks dominate our headlines on an almost daily basis. New research by Barclays has revealed that last year alone saw a total of 5.6m cases of cyber fraud reported across the UK; a figure accounting for nearly half of all UK crimes, affecting both companies and consumers alike.

The newest member of the ever-growing club of victims is the NHS, which last week saw a colossal attack in which criminals encrypted hospital computers with ransomware and demanded payment to release them. But despite the mass media coverage, it’s not just high-profile organisations that are targeted. Cyber criminals are also after sensitive customer information and payment details that can be traded on the dark web.

Clearly, no one is exempt from the threat of digital fraud, and Barclays’ research highlights the need for education on protection methods amongst UK consumers. In fact, almost 40% of people believe they can’t prevent cybercrime, according to a survey by Get Safe Online.

While there’s no doubt that cyber-crime exists, the number of reported cases suggests there could be a lack of clarity around who can be targeted, what constitutes risky cyber behaviour, who is responsible for protecting against digital crime, and how customers can protect themselves.

Step 1: Recognise the opportunity

Following its research, Barclays has also announced plans to lead a £10 million campaign against digital fraud with a primary aim of educating customers. Its campaign, and the current climate in which cybercrime is rife, illustrate a clear opportunity for banks to step up and adopt a role of responsibility in this field, positioning themselves as experts in educating customers on risk and on how to protect their identities from digital fraud.

While some financial services institutions may question whether this is their job, given the amount of money they lose as a result of fraud, perhaps the question they should be asking is whether they can afford not to address this issue.

The truth is that banks are already among the brands consumers trust most when it comes to data security. The Symantec State of Privacy Report in 2015 found that banks ranked third most trusted to handle customers’ data, with 66% of respondents trusting them; only hospitals and medical services ranked above. Evidently, a great deal of trust and brand value already exists for financial services institutions when it comes to handling data, meaning customers are likely to value their banks’ advice. This is something that, currently, many are failing to utilise.

There’s a lot to learn from Barclays and by recognising this as an opportunity, not a challenge, banks can enable customers to make better fraud prevention choices, enhance loyalty and build deeper, more valuable customer relations in a fiercely competitive market.

Step 2: Educate and empower

By enabling people to make better security and fraud prevention choices, backed up by relevant and knowledgeable support when things go wrong, banks can enhance their reputation amongst existing and potential customers. For example, Barclays’ upcoming digital-led safety campaign provides free support to SMEs as well as an online quiz for customers to assess their overall digital safety level, equipped with advice and tips for improvement.

Whilst this might sound like simple advice, it is guidance that could empower customers to be a little more careful about who they disclose their personal information to. Other examples might include a helpline to provide customers with peace of mind. Such a service could increase a customer’s bond and loyalty to their bank.

Step 3: Offer additional services

In addition to educating and advising customers about risks and ways to protect their identity, banks can also take further steps to build loyalty by offering additional and exclusive services. Barclays is now giving customers the opportunity to set daily ATM withdrawal limits in its mobile banking app; a cap of that kind does not prevent a card or credentials from being compromised, but it bounds the loss if they are. This is just one example of an additional account protection service that a bank could offer its customers on top of advice.

By taking responsibility and offering customers not just advice but an actual service that helps them protect themselves, a bank can extend its influence into customers’ lives, improving their value and retention. In fact, our recent study of customer engagement found that banks that offer ‘protecting the customer’ products have 13 per cent higher customer engagement scores than the average, meaning customers stay longer and are more likely to recommend the bank to others.

Cyber attacks have presented, and will continue to present, a significant threat because of the connectivity of modern life, unless action is taken. There is an ever-rising volume of customer data online, which both businesses and customers need to take responsibility for keeping safe. But amidst the threat and concern, there is an opportunity for financial services institutions to look beyond this and instead see the challenge as a chance to build more loyal and lasting customer relations.

According to the latest IBM Security report, the finance industry is facing 65% more cyberattacks than the average organisation. In 2016, the finance industry was the sector most targeted by cybercrime, an increase of 937% from the previous year.

What’s more, up to 50% of security breaches remain unreported to the public by the affected organisations, for fear of damaging their reputation and people's confidence in investing with them. The result is that most people never realise their data and money are at risk. The recent cyberattack which affected organisations such as Telefonica, Renault and the British NHS caused turmoil and panic in businesses across all sectors throughout the world. While cybersecurity is the biggest concern for most organisations today, the finance sector is the one most affected by cybercrime on a daily basis.

The recent attack is a wakeup call for many who may now question if their money is safe and ask how best to protect it.

What makes a secure hedge fund?

Steven Jupp, CEO of Avem Capital, says: “Coming from the technology and security sector, when selecting Avem Capital as a worthy hedge fund to lead, it was my priority to ensure we had the best security and protection of all our data. Naturally, when choosing a hedge fund, cybersecurity is not the biggest concern for most of our Clients. Many don’t even consider such matters at all. It is also a very well known fact that both platforms and the regulators are making keen headway during selection and onboarding processes, as well as during the lifecycle.

“However, concerned or not, in terms of cybersecurity I’m confident that we are one of the most secure and safe hedge funds in the market in respect to data and technological infrastructure.”

With the recent data showing how heavily targeted and poorly protected the finance sector is, it is apparent that cybersecurity is often overlooked when choosing a hedge fund. Avem Capital believes that this should be a priority for both Clients and the Hedge Fund Management, an integral part of its DNA. It is so much more than choosing good antivirus software.

As Jupp highlights, there are numerous things to look out for when thinking of cybersecurity: “We do our best to prevent any possible attacks from any side; we like to be one step ahead of the game. At Avem Capital we introduced some of the most powerful, pro-active security management systems in the world, many of which are proprietary and reduce the potential fingerprint attacks available to commercial world applications.

“Our in-house logical security engineers are constantly monitoring numerous channels, both regular web based and deep web based, in order to protect and defend against zero day exploits,” says Jupp.

Furthermore, Avem Capital also uses Data Loss Prevention systems, both in email and in document management, allowing it to track the propagation of a document and secure it against interference by a third party.

Another approach adopted by Avem is that all infrastructure and mobile connected devices are patched at least weekly. Critical security patches are tested against its software and operating systems and deployed on the day they are announced. To ensure only secure devices enter the corporate network, Traders and Fund Managers cannot buy or sell from any device other than hardened desktop devices. Bring Your Own Device (BYOD) is not permitted to enter the corporate network at any point. To enforce this, Avem operates a separate infrastructure capable of detecting potential threats or rogue devices.

With companies investing billions of dollars and private investors entrusting their life savings to hedge funds, the finance industry needs to step up its game when it comes to cybersecurity. The key is to always assume the worst case scenario and prevent possible threats by utilising all available tools to assure security.

(Source: Avem Capital)

About Finance Monthly

Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.
© 2024 Finance Monthly - All Rights Reserved.