Banks and card companies prevented £1,458.6 million in unauthorised financial fraud last year, equivalent to £2 in every £3 of attempted unauthorised fraud being stopped, the latest data from UK Finance shows.

In 2017, fraud losses on payment cards fell 8% year-on-year to £566.0 million. At the same time, card spending increased by 7%, meaning card fraud as a proportion of spending equates to 7.0p for every £100 spent – the lowest level since 2012. In 2016 the figure stood at 8.3p.

For the first time, annual data on losses due to authorised push payment scams (also known as APP or authorised bank transfer scams) has also been collated. A total of £236.0 million was lost through such scams in 2017.

The unauthorised fraud data on payment cards, remote banking and cheques for 2017 shows:

• Combined total losses fell by 5% to £731.8 million.
• Losses due to unauthorised transactions on payment cards fell 8% year-on-year to £566.0 million. The industry helped prevent £984.9 million in attempted unauthorised card fraud.
• Losses due to unauthorised remote banking fraud totalled £156.1 million, a 14% rise on 2016. Banks prevented £261.4 million of unauthorised remote banking fraud, 27% more than last year.
• Cheque fraud losses fell 28% in 2017 to £9.8 million. This is the lowest annual total on record. £212.3 million of attempted unauthorised cheque fraud was prevented.
• There were 1,910,490 reported cases of unauthorised financial fraud, a rise of 3% compared to the year before.

The new authorised push payment scams data, collected for the first time in 2017, shows:

• There were 43,875 reported cases of authorised push payment scams with a total value of £236.0 million. 88% of this total were retail consumers, losing an average of £2,784, and the remainder were businesses who lost on average £24,355 per case.
• Financial providers were able to return £60.8 million (26%) of the authorised push payment scam losses in 2017.

Katy Worobec, Managing Director of Economic Crime at UK Finance, said: “Fraud is an issue that affects the whole of society, and one which everyone must come together to tackle. The finance industry is committed to playing its part – investing in advanced security systems to protect customers, introducing new standards on how banks respond to scam victims, and working with the Joint Fraud Taskforce to deter and disrupt criminals and better trace, freeze and return stolen funds.

“We are also supporting the Payment Systems Regulator on its complex work on authorised push payment scams, providing the secretariat for its new steering group. It’s a challenging timetable, but it is important that we get it right to stop financial crime and for the benefit of customers.”

The finance industry is responding to the ongoing threat of all types of fraud and scams by:

• Helping to prevent customers being duped by criminals by raising awareness of how to stay safe through the Take Five to Stop Fraud campaign, in conjunction with the Home Office.
• Working with government and law enforcement to deter and disrupt criminals and better trace, freeze and return stolen funds, while calling for new powers on information sharing to allow banks to share data to detect and prevent financial crime better.
• Implementing new standards to ensure those who have fallen victim to fraud or scams get the help they need, including around-the-clock availability of fraud teams, to make it easier and better for the customer, and, where possible, improve the likelihood of their funds being recovered. UK Finance will also be the secretariat for the PSR’s new steering group on authorised push payment scams².
• Working with government on making possible legislative changes to account opening procedures to help the industry act more proactively on suspicion of fraud and prevent criminals from accessing financial systems.
• -Rolling out the Banking Protocol – a ground-breaking rapid response scheme through which branch staff can alert police and Trading Standards to suspected frauds taking place – to every police force area in the UK. In 2017, while it was still being introduced across the country, the Protocol prevented £13.3 million of fraud and led to 129 arrests.
• Sponsoring the Dedicated Card and Payment Crime Unit⁵, a specialist police unit which tackles the organised criminal groups responsible for financial fraud and scams. This has led to a combined value in savings and disruptions in criminal activity of close to £30 million in 2017.
• Exploring new ways to track stolen funds moved between multiple bank accounts.

To help everyone stay safe from fraud and scams, Take Five to Stop Fraud urges customers to follow the campaign advice:

• A genuine bank or organisation will never contact you out of the blue to ask for your PIN, full password or to move money to another account. Only give out your personal or financial details to use a service that you have given your consent to, that you trust and that you are expecting to be contacted by.
• Don’t be tricked into giving a fraudster access to your personal or financial details. Never automatically click on a link in an unexpected email or text.
• Always question uninvited approaches in case it’s a scam. Instead, contact the company directly using a known email or phone number.

Tony Blake, Senior Fraud Prevention Officer at the Dedicated Card and Payment Crime Unit, said: “With criminals using social engineering to target people and businesses directly, it’s vital that everyone follows the advice of the Take Five campaign. Always stop and think if you are ever asked for your personal or financial details. Remember, no bank or genuine organisation will ever contact you out of the blue and ask you to transfer money to another account.”

Unauthorised fraud

In an unauthorised fraudulent transaction, the account holder does not provide authorisation for the payment to proceed and the transaction is carried out by a third-party.

Authorised fraud

In an authorised push payment (APP) scam, the account holder themselves authorises the payment to be made to another account. If a customer authorises the payment themselves, current legislation means that they have no legal protection to cover them for losses – which is different for an unauthorised transaction.

Banks will always endeavour to help customers recover money stolen through an authorised push payment scam but customers typically only approach their bank after the payment has been processed, once they realise they have been duped. By this time the criminal has often withdrawn the stolen funds and the customer’s money has gone. Alongside the extensive work already underway through the Joint Fraud Taskforce, UK Finance is also currently working with the Payment Systems Regulator on its proposals to tackle these scams.

Behind the data

Fraud intelligence points towards criminals’ use of social engineering tactics as a key driver of both unauthorised and authorised fraud losses. Social engineering is a method through which criminals manipulate people into divulging personal or financial details, or into transferring money directly to them, for example thorough impersonation scams and deception.

In an impersonation scam, a fraudster contacts a customer by phone, text message or email pretending to represent a trusted organisation, such as a bank, the police, a utility company or a government department. Under this guise, the criminal then convinces their victim into following their demands, sometimes making several separate approaches as part of one scam.

Data breaches also continue to be a major contributor to fraud losses. Criminals use stolen data to commit fraud directly, for example card details are used to make unauthorised purchases online or personal details used to apply for credit cards. Stolen personal and financial information is also used by criminals to target individuals in impersonation and deception scams, and can add apparent authenticity to their approach.

(Source: UK Finance)

Now a booming trading market, cryptocurrencies do however create an avenue of risk. Below Schalk Nolte, CEO at Entersekt, discusses said risk and the overall safety of trading Bitcoin and the likes.

It’s official: Bitcoin is now the golden child of the investment community. Following news headlines about becoming instant millionaires, starry-eyed cryptocurrency enthusiasts are flocking to online exchanges to get in on the action. Sign up, transfer funds and trade – the faster, the better. To keep the eager traders’ money and data safe, these exchanges all need to have transaction security in place. And most of them do – except that their security appears to be stuck in the early 2000s.

Nine years ago, Bitcoin didn’t exist. Today, between three and six million people are estimated to have a bitcoin wallet, with over $3 billion worth of the currency traded every 24 hours. Nine years ago, the one-time password, SMS OTP or mobile transaction authentication number (mTAN), represented the apex of transaction security. Today, other technologies have left SMS OTPs in the dust in terms of both user experience and security – and for good reason.

OTPs are typically reliant on mobile network operators for delivery, and they require additional effort from the user without rendering transactions fraud-proof as a reward. They are vulnerable to man-in-the-middle (MITM) attacks for the simple reason that an OTP is never truly out of band, whether it’s delivered via SMS or another route. Because it’s entered into a potentially compromised primary channel, it will always be susceptible to MITM attacks, while the involvement of mobile networks also introduces the possibility of attacks such as SIM swapping and number porting.

In fact, in August 2017, Sean Everett, CEO of artificial intelligence startup PROME, lost a significant cryptocurrency investment with the platform Coinbase as a result of a simple number porting attack made possible by SMS OTP. Soups Ranjan, Coinbase’s head of data science, commented: “I firmly believe we have the hardest payment fraud and user security problem in the world right now.” So how is it possible that the OTP is still the security measure of choice at the majority of cryptocurrency exchanges – and, more importantly, what are the alternatives?

In order to protect its trader members and allow them to match the pace at which cryptocurrency fluctuates, a cryptocurrency exchange needs to do three things:

Minimize risk: This is done by implementing a solution that offers solid app security and strong customer authentication for all transactions.

Make things easy: A convenient and user-friendly trading platform will attract and retain customers. To put it another way, play to a real-world trading scenario: if you were a trader, would you want to open an app, copy an OTP, switch apps, and then paste it? Or would you prefer to simply open an app and scan your fingerprint? The choice isn’t difficult – especially considering that the easier option is also the safer one.

Achieve regulatory compliance: It’s cheap and easy for a trading platform to recommend or require that their traders install a third-party app like Google Authenticator, but this will mess with regulatory compliance – such as with PSD2’s Regulatory Technical Standards on Strong Customer Authentication. Third-party apps often only authenticate logins, not transactions, and as such are not compliant with these requirements. OTPs, needless to say, do not comply either.

If they want to offer winning and secure trading options for cryptocurrency aficionados, it makes no sense for these exchanges to insist on using obsolete, not to mention risky, technology. Instead, exchanges should be employing a more robust and convenient out-of-band authentication solution that does not rely on mobile networks. They should look for a solution that offers PKI-based authentication and transaction signing directly from the mobile phone, which will eliminate fraudulent transactions and build trust in cryptocurrency trading practices – all while providing a user-friendly experience.

On the flip side, cryptocurrency traders should be demanding better security from the platforms they use. It is the only way for them to keep their investments safe and avoid becoming the next cybercrime news headline. After all, if cryptocurrency is at the cutting edge of innovation, shouldn’t the same apply to the protection of its trade?

Last weekend, British shoppers were predicted to have spent almost £8bn on Black Friday sales – nearly four percent higher than last year. While this busy shopping period is certainly good for the British economy, it raises concerns about the opportunities for scammers and cyber criminals. Ross Brewer, VP and MD EMEA at LogRhythm, discusses for Finance Monthly below.

Indeed, all eyes have been on who – and there will be some – will fall victim to hackers’ increasingly persistent and clever tactics. Retailers are prime targets because of the confidential data they hold – whether it’s bank details, email addresses or personal information. There’s absolutely no doubt that cyber criminals will have tried to take advantage of the past week’s online sales peaks to access networks unnoticed or execute malware that has been sitting on the network for months. Retailers have a lot to prove when it comes to showing consumers that they are taking modern-day threats seriously.

As we only saw this week with Uber, it isn’t always a breach that makes headlines, it can be how it’s contained and disclosed. In such a competitive industry, retailers rely heavily on loyalty, which means reputation is key. They need to understand the true value of the data they hold and take the necessary steps to protect it.

Monitoring and detection is key

It’s hugely important that retailers are investing in tools that continuously monitors networks for any signs of a compromise. Indeed, online activity and network communications between components in the card processing chain need to be tightly controlled; a process that is specifically mandated by PCI-DSS. With time increasingly of the essence, it is also critical that, rather than simply scanning for threats and raising an alarm if something suspicious is identified, these systems are able to deliver actionable insight with supporting forensic data and contextually rich intelligence. Not only does this ensure that the right information is delivered at the right time, to the right people, but it guarantees that the appropriate context will be attached, significantly decreasing the amount of time it takes to detect and respond to threats.

Most retailers know by now that they cannot afford to take shortcuts when it comes to cyber security. With breaches now a case of when, not if, it’s essential that they are on high alert at all times – particularly during busy shopping periods. Despite growing concerns over the cyber threat, consumers are spending more and more money in store and online each year, but retailers cannot take this for granted. It only takes one data breach to damage a company’s reputation, hinder future sales and/or disrupt pending investments and deals.

The good news is that security intelligence has become so advanced that companies can now automatically detect a compromise as soon as it happens, enabling security teams to stop a cyberattack before any damage is done. With GDPR only a matter of months away, enterprise organisations and retailers are feeling the pressure to identify, mitigate and disclose an attack at the time that it happens. Only with rapid detection and response capabilities will retailers be able to take cyberattackers head on and protect their customers.

With the worldwide number of robots in smart factories now topping a million, Ross Thomson cites a lack of awareness as the reason most operators haven’t tackled the threat.

“Many firms believe hackers only want personal or financial data, but there is a credible risk to industrial robots,” says Mr Thomson, Principal Consultant at Amethyst Risk Management, which advises government and industry on cyber security.

He points out the risk is growing as robots, like other devices, are increasingly connected to wider networks and the internet. That gives hackers more ways in, and the consequences are potentially disastrous.

In one example, attackers locked up a robotic assembly plant in Mexico and demanded a ransom from the operators. Mr Thomson also highlights the safety risk for human factory operatives if a robot were to be hacked.

Lack of awareness and preparedness for a cyber-attack extends to robot makers. Mr Thomson points to an experiment where researchers hacked a robotic arm and forced it to mis-perform, compelling its manufacturer to plug the security hole.

Nightmare scenarios

The threat might come from disgruntled employees, criminals, recreational hackers or nation states.

One kind of attack would inject faults or defects in the production process, or lock it down completely as in the Mexican incident, leading to loss of production and revenue. If defective products make it to market, they can cause reputational damage, a potential advantage that could motivate an attack by unscrupulous competitors.

By manipulating safety protocols, hackers could cause the robot to injure human operators, or to damage itself or the factory environment. Alternatively, attackers might attempt to steal sensitive data from the machines themselves or the wider company network through remote access.

How easy is it to hack a robot? Ease of access to the software varies, making an inside job more likely in some scenarios. Firmware may be freely available online or retrievable from used robot CPUs, and some manufacturers allow programmers to access code in a simulation environment, creating a potential practice ground for would-be robot hackers.

Hackers have other ways to infiltrate, other than via the internet. They may attack from within the factory, for example connecting to the robot directly through a USB port, or physically accessing its computer controller directly or via remote service.

Once they have penetrated the system, they can potentially alter the controller’s parameters, tamper with calibration programmes or production logic and alter the robot’s perceived state, for example to show it is idle when it is not, or its actual state causing loss of control.

How big a risk?

The scale of the threat could be enormous. It’s estimated there will be 1.3 million robots in factories worldwide by next year (2018) and that 12 per cent of jobs will have been taken over by automated systems within a decade anda half. Robots are operating across almost all industrial sectors from car manufacturing to aviation and food processing.

The UK’s National Cyber Security Centre has highlighted hacking of robotic, unmanned and autonomous systems as a subject for attention, both by itself and by the intelligence organisation GCHQ.

A survey of robotic engineers by Italian academics found three quarters had never properly checked cybersecurity in their infrastructure, a third of robots were internet accessible and half of respondents didn’t see a realistic cyber security threat. To make matters worse, industrial robots often have weak authentication protocols and outdated software running on vulnerable operating systems

Operators need to take the necessary precautions

Mr Thomson urges operators of industrial robots to conduct a professional review of cybersecurity risks, have an incident response plan in place in case of a security breach and ensure that software is regularly updated, especially with security patches. The security review should look at what data robots hold and how they are potentially connected to sensitive data elsewhere on the network.

“Considering the risk to production, people and facilities, it must be taken seriously from board level to operational level,” he says. “An internet-connected robot should be treated with the same security precautions as any computer on the network, including setting long, complex passwords rather than relying on manufacturers’ default. There is a temptation to neglect updates because they may cause production downtime, but it needs to be given a higher priority.”

He advises operators to make security a key factor when sourcing new industrial robots, selecting a manufacturer that shows commitment to the issue and provides frequent software updates with security patches.

“Limiting who has access to robots and segmenting machines from networks where possible can also reduce risk,” he advises.

Ultimately, one of the most effective precautions is also one of the most prosaic, and may comfort those who fear their jobs will be stolen by robots, as Mr Thomson explains: “It’s hard to imagine a time when we dare leave robots to get on with it, so until and unless that day comes, we need humans to keep watch on robots at work.”

(Source: Amethyst Risk)

Businesses are pressing ahead with their digital transformation plans, despite fears of being hit by a cyberattack or data protection regulations. This is according to a new independent research report from Advanced, which questioned over 500 senior executives in UK organisations about their attitudes to using the cloud as part of their digital transformation plans.

Most organisations surveyed are concerned about security (82%) and data protection (68%) in the cloud but, perhaps surprisingly, 80% of them are not put off from adopting the cloud following recent high-profile cyberattacks such as WannaCry. A third (33%) of organisations admit to being experienced in the cloud and continue to consider it for all new projects, while 37% have recently launched cloud computing projects for the first time.

Although positive, these findings should not negate the common concerns and challenges. The survey also found that businesses want better support if they are to execute their digital transformation plans effectively. Security is the biggest barrier, with 76% saying that governments should do more to protect businesses and their customers from a cyberattack.

Meanwhile, 82% of organisations want to see cloud providers do more to build confidence among those looking to adopt a digital transformation strategy, of which the cloud is fundamental. When asked what they look for in a provider, most say financial stability (69%), data held in a UK location (65%) and local support (58%) – above typical benefits touted by providers including scalability (46%) and the breadth of application offerings (38%).

Jon Wrennall, CTO at Advanced, says: “It’s encouraging to see businesses are undeterred from using the cloud, which is fast becoming the right choice for many to drive efficiencies, innovate and grow. Sadly we are seeing the same concerns around security and data protection reported over and over again. It’s right to be concerned about security; it’s time that all of us as cloud services providers take a reality check.

“As an industry and profession, we all need to proactively give clear guidance on security responsibilities and support organisations in being better protected, ensuring devices and applications are properly patched and secured – those writing the software are clearly best placed to provide this. With General Data Protection Regulation (GDPR) coming into force next year we also have a duty of care to provide clarity on how data is being stored and secured in the cloud.

“There’s still a job to be done in creating trust in the cloud and helping customers use the cloud in the right way for the digital transformation that’s right for them. Our survey shows most organisations want financially stable providers and prefer those that store data locally and offer local support; this will become even more pertinent as Britain leaves the European Union. They will trust the providers that offer certainty in an uncertain market and those with a vested interest in the UK and the cloud.”

The independent research was carried out following the results of the general election, during week commencing 12^th June. Over 500 participants took part in the survey, which was carried out by Techmarketview.

(Source: Advanced)

Austen Clark, managing director of Scottish IT specialists Clark Integrated Technologies tells Finance Monthly that a ransomware demand can be commercial suicide for a business, as it has the potential to ruin its reputation, send share prices plummeting and it may struggle to recover from the damage done.

Austen’s advice is simple - prevention is better than cure.

“Should companies pay cyber ransoms? The answer is that they should never have been in the position to be ransomed in the first place.

“Ransomware is the most financially successful hacking tool over the past four years. Revenues from ransomware have been increasing exponentially year on year – in 2016 it was reported a 6,000% increase in revenues.

“It is also one of the most publicised forms of attack so companies really have no excuse for failing to have appropriates backups, data recovery and updates in place. This can be avoided – hence why a business should not find itself in this position.”

Even after an organisation has been compromised, it should not consider paying a cyber ransom, explains Austen.

“By paying the attackers, you have confirmed that their method works, and paying a ransom does not guarantee you will get your data back. These are dishonest people, and even when you hand over the ransom there is no guarantee they will honour the arrangement. It has been well documented that they do not always release all of the data, holding out with additional requests.”

Austen outlines practical preventative measures relevant to all businesses to defend against a ransomware attack.

• Install and update a current version of Antivirus/Malware software.
• Update and patch the computer Operating System when advised by your vendor.
• Update and patch Applications when advised.
• Be vigilant and be suspicious: training to recognise a possible attack is recommended
• Make regular back-ups of all of your data

As long as companies continue to pay up, then hackers will strike in this way.

Austen adds: “There are few that will admit to an attack – and even less admit to paying up, so this is vastly under reported but this has crippled companies before, and it will again. Organisations like Nayana will be in the press for a long time and for all the wrong reasons.

“If you follow these points you will reduce the risk of a ransomware attack which really is the best defence. In the event of falling victim you can restore your information and not have to pay a ransom. Back-up data to a separate source like a Data Centre, Cloud, or external hardrive, basically anywhere but your current source.”

The threat of cyber extortionists holding data hostage is significant. Symantec’s 2017 Internet Security Threat Report lists ransomware as the ‘most dangerous cybercrime threat facing consumers and businesses’.

Last week, South Korean web-hosting firm Nayana agreed to pay a $1m ransom to unlock computers frozen by hackers. Security experts warned that firms should not pay such ransoms or enter into negotiations with hackers. In addition, today several firms globally were held to cyber ransoms including banks, airports and government systems around the world. Even DLA Piper suffered an attack according to the BBC.

When considering high-risk industries like financial markets, the data and infrastructure at risk is both incredibly sensitive and complex. Once adversaries gain access to an environment, they can access everything from proprietary algorithms and trading strategies through to sensitive customer data.

This week, Finance Monthly received its biggest ever number of responses to the question ‘Should Companies Pay Cyber Ransoms?’ Below are just a few of the responses from top experts around the world.

Jack Bird, Content Specialist, Team Umbrella:

The magic of the internet and today’s cutting edge technology is based on a give and take relationship. To take all the lightning quick information and globalised communication, we have to give our personal details and highly sensitive information in return; like a sacrifice to the all-powerful cyber gods that we’re forced to trust so our crops might be more fruitful next year.

The easier things get for us, the larger the anvil hanging over our head becomes; and this form of cyber terrorism we’re seeing with Nayana is only going to grow. This might soon see a return to more physical forms of media to avoid the proxy-warfare of recent headlines, but for now, and it is a weak answer: it’s a matter of balances.

Maybe the correct move is to stand up to the bully and not give them your lunch money, because next week they might come back for your homework or the intricate details of your eight figure business plans. Giving in to demands, however, might result in you going hungry throughout the day – or, to put an end to that analogy, your work force of mothers and fathers going hungry because you can’t pay them anymore.

Films taught us to puff our chest out, but, even though this news story might resemble the plot line of a 1980’s Paul Verhoeven film – this isn’t a film. There is no simple answer because every question is different. Is the $1 million more valuable than the files they’re holding a gun to the head of? Maybe they’re outdated and you don’t need the information anymore?

There is no definite answer, which makes this a bad one – but, also, the right one.

Rafe Pilling, Senior Security Researcher, Counter Threat Unit, SecureWorks:

To paraphrase a well-worn bit of philosophy, all that is necessary for ransomware attackers to succeed is for well meaning

organizations to pay the ransom. In 2016, it became common for thought leaders to say “Never pay the ransom, but …” and that “but” was meant to allow wiggle room for instances when a $500 ransom was cheaper than the hassle of not paying, or when healthcare entities were dealing with true matters of life and death. But the problem with either of those scenarios is: As soon as one pays the ransom, then one has reinforced that the attackers made the right decision to attack. The only reason this crime thrives is because it’s profitable organizations (despite what they say publicly) continue to pay the ransom. When that stops, so will the attacks.

Eric Berdeaux, CEO, OXIAL:

If the situation has gone so far that an organisation has actually been breached, then paying can be the best option open to them. Ransomware is truly insidious and can often encrypt most, or if not all of an organisation’s data. This makes it completely unusable and puts a halt to any internal business and IT processes. Such is the professionalism and expertise of modern hackers, it can be very difficult to fend off Ransomware once it has taken hold. To try and clean the virus, delete all of the encrypted files and then restore them, would not only cost a lot of money but would require a number of highly skilled engineers too. Even then, there is no guarantee of success. That’s why I believe that when it has gone this far, the only way is to pay.

Of course, it would have been far better to spend this money in a different way – securing the data properly and effectively in the first place, and covering any residual risk with good insurance. Organisations do not always do this even when they have suffered an attack, believing lightening won’t strike twice. This is misguided. When it comes to cyberattacks, lightning can and will strike on many occasions - the security threat in 2017 is incredibly complex, varied and on-going. Without continuous protection, organisations will be hugely vulnerable and may find themselves facing expensive ransom demands.

Rob Norris, VP Head of Enterprise & Cyber Security EMEIA, Fujitsu:

The news that South Korean web-hosting firm Nayana has agreed to pay a $1m ransom to unlock computers frozen by hackers is stirring a new narrative around whether we should be giving in to hackers. While industry experts have been preaching against this, companies are ultimately left facing the prospect of irreversibly losing valuable data, or paying a certain, often excruciating, amount of money to save their businesses.

Paying ransomware encourages the lucrative side of malicious cyber activity, which subsequently attracts more actors willing to engage for their personal gain. The truth is that many organisations probably don’t see themselves as ‘high value targets’ for attackers and it’s likely that they have very minimal protection or staff training and awareness. However, for many malicious actors finding vulnerabilities is their bread and butter, and they will look to hold organisations to ransom through a ‘soft attack’ that compromises its data.

Organisations should ensure they have good backups if they are infected. They must take a proactive and intelligence driven approach to security, by monitoring phishing campaigns which evade their mail gateway controls for example. Backups, risk analysis, staff training and further practical advice such as application whitelisting and incident response will ensure the risks associated with ransomware are as low as possible.

With this knowledge there is no excuse not to be prepared. Cyber criminals are entrepreneurial, well-sourced and motivated, and we shouldn’t be repaying their efforts in hefty amounts of ransom.

Sarah Adams, Cyber Risk Expert, PolicyBee:

Faced with not having access to your systems, data or website, it’s tempting to take what seems like the line of least resistance and pay a ransom straightaway. But there are good reasons why that might not be the best thing.

From a cyber insurance point of view, the most obvious alternative is to get in touch with your insurer. This kind of situation is exactly the sort of thing your policy is for. Your insurer has access to cyber security experts who will evaluate and deal with the problem for you.

Of course, if there’s no way around it, your policy will cover the ransom. But ideally your insurer will want to sort the situation by other, technical means if possible – there’s no guarantee paying up means case closed. Who’s to say you’ll get your files back, even if you cough up? Your insurer certainly doesn’t want to trust the word of a cybercriminal.

The point here is that two (or more) heads are better than one. You don’t have to deal with a ransomware problem – or any other cyber-attack – on your own.  Cybercrime is alien territory for most businesses, and it makes sense to get help when you need it most. A specialist insurer not only has the money to sort out these situations, it has the time and the expertise too.

Although undoubtedly unsettling and very much an unknown quantity, cyber-attacks involving ransomware aren’t always the business disaster they might first appear to be. Paying up doesn’t have to be a given and doing so, worst-case scenario, can risk turning you into a future blank cheque.

Preventing an attack in the first place can be equally expensive and time-consuming (and, given the odds, arguably futile), so it pays to have help and support on standby for if and when you’re targeted. You don’t need to be a cyber security expert to recover from an attack – you just need to know someone who is.

Dr Guy Bunker, Senior Vice President of Products, Clearswift:

This case sets an unfortunate precedent. Whereby larger organizations are shown to be prepared to pay significant sums of money to cyber-criminals. It will only stoke the fire of ransomware and the attacks on business if the perpetrators think they will get away with it. In the non-cyber world, we saw this with the Somali pirates, where once ransoms started to be paid, there was a huge rise in vessels and crew being taken hostage.

Our advice is always the same for both individuals and organisations: once you’ve been compromised, do not pay the ransom. By paying, you’re opening yourself up to further attacks as the criminals will see that A) the organisation has the willingness to pay ransom and B) the cash reserves to do so. Furthermore, in more than 30% of cases, access to the information is not returned, i.e. you still don’t get your data back in an unencrypted form. All too often, the cyber-criminals take the money and then re-encrypt systems a short while later – as the malware will still be lurking in the background, unless it has been fully removed.

This is not the only issue, negotiations between the criminals and organisation can take up valuable time and resources – according to reports it took Nayana over a week of back and forth with the hackers to come to an agreement. Ransomwares’ biggest impact is downtime of the organization, with several organizations requiring complete IT shut-down and the return to pen and paper while the issues are resolved.

The best defense against ransomware is firstly, to ensure all systems and applications are kept up to date with security patches being applied; secondly, ensuring that security systems are in place that strip hidden active content (the type likely to be ransomware) out of documents and emails coming into your organization; and thirdly, to regularly backup critical information. Backups are key and can ensure that even if information is encrypted, you won’t be in a position where you have to pay – minimizing the harm to you and the reward to the criminal to zero.

Robert Rutherford, CEO, QuoStar:

Ransomware is an increasing threat, and one which is here to stay. Although businesses may not like the thought of paying a cyber ransom, in today’s digital era if an entire business’s IT environment is frozen then they are unable to function, this loss of productivity can come at a far higher cost than the ransom itself.

When it comes to deciding whether to pay a ransom, a business essentially needs to understand how much an outage or a loss of key data assets is going to cost them. This information will allow a business to measure risk against cost and make an informed decision. If a cyber ransom is £500 for example, whereas loss of productivity could cost thousands, the decision can be made easily by those responsible for IT security within a business.

Furthermore, this information should also be used by a firm’s senior leadership team to determine which protections and solutions should be put in place to prevent the business from being infiltrated by ransomware again, or by another type of cybersecurity threat in the future. IT security must be a priority, however, and firms must not wait until ransomware strikes to conduct these risks versus cost reviews and act ahead of time.

Giovanni Vigna, CTO and co-founder, Lastline:

Companies should not pay ransom. However, there might be situations in which not paying ransom would cause irreparable damage to a company, putting the company out of business. In these cases, paying might be the only option, but these situations can be avoided by being prepared. Ransomware, in a way, is not very different from a catastrophic event. What if a room full of server is flooded and the machines damaged beyond repair? Would the company be ready to restore the service (and the associated data) after such an event? If the answer is “yes” the company could probably withstand a ransomware attack as well…

Andrew Stuart, Managing Director, EMEA, Datto:

Firms should never cave in to ransom demands from hackers. First of all, paying up does not guarantee the safe return of data. Datto conducted some research into this topic during the twelve months up until September 2016. We found that almost half – 47% – of the European firms which opted to pay ransoms, didn’t get all of their data back.

Secondly, firms that choose to cough up can quickly gain a reputation amongst cybercriminals for being a soft target. This leaves particularly susceptible to future attacks.

On a wider scale, each and every time a ransom is paid more money is ploughed into the criminal underworld. Today’s hackers work like businesses, with a portion of their income being invested in R&D. This extra cash could be used to develop new strains of malware or to exploit new vulnerabilities. While paying a ransom seems like a quick fix, it has negative, long-term consequences for all organisations.

Instead of paying ransoms – especially ones with $1 million price tags – organisations need to invest in better defences. Patching vulnerable IT systems is vital, as are perimeter defences such as anti-virus software and firewalls. But these alone are not enough. Firms also need to back up their data. If they call roll back their systems to a point in time before their data was illegally encrypted by hackers, firms can carry on as normal, with no dramas and no ransoms.

Andrew Bushby, UK director at Fidelis Cybersecurity:

An analogy often used to describe ransomware and whether to pay up or not is ‘protection racket’. In old-fashioned mob movies, two guys walk into a grocery store saying ‘Hey, nice store. Would be a shame if something were to happen.’ The reason the mob ‘insurance’ scams worked is because the value of the protection was higher than the cost of the insurance – and the mob delivered on their promises. In the case of ransomware, the value of the data is higher than the ransom and operators go through great effort to ensure users get their data back. Occasionally there are errors, but in general, people do get their data back.

In an ideal world, consumers and organisations would be better prepared. With sound backups in place, ransomware infections would merely be annoying exercises involving file restoration.  Ensuring backups of critical or valuable information has been a best practice for decades, but because reality rarely matches the ideal, this often doesn’t happen.  Consequently, a few tips can help those dealing with a ransomware attack:

• 1. Avoid announcing decisions to pay the ransom, as it may induce other cybercriminals to launch similar attacks. Such was the case when ProtonMail came under attack and announced publicly that they paid the ransom. This led to follow on attacks, likely by other individuals;
• 2. Report the ransom payment details to law enforcement agencies or national information security bodies.  The payment details allow investigators to track the payments to identify the individual behind the ransomware campaigns;
• 3. If you don’t want to report a ransomware attack to law enforcement, consider sending details of ransom payments to a security company research team – such as ours – so that data can be used to try to identify the criminals behind these campaigns and bring them to justice.

Stu Sjouwerman, CEO, KnowBe4:

Ransomware has been called the most profitable criminal business model in history. Bad guys infect a workstation or whole network and hold the data hostage until a fee is paid to get it back. Last month, the WannaCry ransomware strain went global, impacting computers in more than 150 countries and wreaking havoc on Britain’s National Health Service, Spain’s Telefonica and France’s Renault automobile factory.

Ransomware has become a “when, not if” scenario for businesses of all sizes. Typically ransomware comes into a company through an employee– usually by opening the attachment of a phishing email which then gives cyber criminals the ability to download the malware onto the users’ computer or network without their knowledge.

Most antivirus programs do not detect it as it is rapidly changing with new variations every day. Being successfully hit by a ransomware attack can set a business back 50 years, using “pen and paper” management and the ransom amount can get very high. WannaCry charged $300/machine, which adds up very quickly, particularly for small and mid-sized businesses (SMBs)

Now to pay or not to pay – this is ultimately a business decision, and one which most organizations do not make lightly. There are different types of ransomware infections:

• Low-grade spray-and-pray phishing attacks that only infect one workstation are relatively easy to fix by IT. Wiping the workstation and rebuilding it from scratch takes about 20 minutes.
• Infected workstation with a connection to a file server – files on that server get encrypted during infection and a whole group of employees are left to sit idle without access to their files.
• Network compromise – when the cyber criminals have been on the network for some time and were able to infect all of the organizations’ machines and lock them at the same time. This type of infection can be detrimental to a business with critical components no longer running and a ransom of $50,000 or more.

It is crucial to start with a so-called defense-in-depth strategy to protect your network, including weapons-grade backups that are regularly tested, ensuring all software is up to date, running antivirus software but not relying on it, identifying users who handle sensitive information and checking firewall configurations to make sure no criminal network traffic is allowed out and educating your users as your last line of defense so they can stop ransomware before it comes in.

Alex Manea, Chief Security Officer at BlackBerry:

Companies that experience ransomware attacks should never consider paying any ransom demand. Not only does it cause reputational damage and a loss in customer confidence, but once an organisation succumbs to paying a cybercriminal there is still no guarantee that full recovery will occur. Trusting cybercriminals to provide a decryption key can often take days, weeks or not happen at all.

Businesses should also keep in mind that cybercriminals are anonymous and they have no reputation to protect, which means they have no incentive to hand over the decryption key, as this could make them easier to trace.

In addition to this, there is now evidence that hackers are actually repeating other hackers’ successful ransomware activities. This not only suggests that businesses that are paying ransoms aren’t getting their data back, but are likely inspiring future attacks.

If a company does choose to pay the ransom, as in this case Nayana did, and they gain access to the decryption key or a tool which can help them to access their files again, there is still no certainty that the organisation is secure again. Indeed, in many ways the company is now more vulnerable to ransomware attacks, as it will have a reputation for paying and this could actively encourage additional ransomware attacks and even bigger financial demands.

We would also love to hear more of Your Thoughts on this, so feel free to comment below and tell us what you think!

This week, IBM Security and Ponemon Institute released the annual Cost of a Data Breach report.

This year’s report found that the UK experienced a decrease in the cost of a data breach, from £2.53 million in 2016, to £2.48 million in 2017. The average cost per lost or stolen record in the UK is estimated at £98.

Key points from the study include:

• Incident Response Leads to Significant Cost Savings: For the third year in a row, the study found that having an Incident Response team in place significantly reduced the cost of a data breach, saving $19.30 USD per lost or stolen record.
• Containment Speed Is Critical: The cost of a data breach was nearly $1 million lower on average for organizations that were able to contain a data breach in less than thirty days compared to those that took longer than 30 days.
• Room for Improvement: On average, organizations took more than 6 months to identify a breach, and more than 66 additional days to contain a breach once discovered.
• By Industry, Healthcare Breaches Most Costly: For the 7^th year in a row, healthcare has topped the list as the most expensive industry for data breaches. Healthcare data breaches cost organizations $380 per record, more than 2.5 times the global average across industries ($141 per record.)
• Top Factors Increasing Cost of a Breach: The involvement of third-parties in a data breach was the top contributing factor that led to an increase in the cost of a data breach, increasing the cost $17 per record.
• Top Factors Reducing Cost of a Breach: Incident response, encryption and education were the factors shown to have the most impact on reducing the cost of a data breach. Having an incident response team in place resulted in $19 reduction in cost per lost or stolen record, followed by extensive use of encryption ($16 reduction per record) and employee training ($12.50 reduction per record).

IBM has also created a “Cost of a Data Breach Calculator,” which can use below.

(Source: IBM)

With cybercrime and ransom hacks being a common occurrence in today’s newsrooms, Karen Wheeler, VP UK Country Manager at Affinion talks to Finance Monthly about the opportunities that can arise from these kinds of threats, for the banking sector in particular.

We’re living in a world where high profile data hacking scandals and cybercrime attacks dominate our headlines on an almost daily basis. New research by Barclays has revealed that last year alone saw a total of 5.6m cases of cyber fraud reported across the UK; a figure accounting for nearly half of all UK crimes, affecting both companies and consumers alike.

The newest member of the ever-growing club of victims is the NHS, which last week saw a colossal attack in which criminals took control of computers and held hospitals at ransom. But despite the mass media coverage, it’s not just high-profile organisations that are targeted. Cyber criminals are also after sensitive customer information and payment details that can be traded on the dark web.

Clearly, no one is exempt from the threat of digital fraud, and Barclays’ research highlights the need for education on protection methods amongst UK consumers. In fact, almost 40% of people believe they can’t prevent cybercrime, according to a survey by Get Safe Online.

While there’s no doubt that cyber-crime exists, the number of reported cases suggests there could be a lack of clarity around who can be targeted and what constitutes risky cyber behaviour. Furthermore, who is responsible to protect against digital crimes and how customers can protect themselves.

Step 1: Recognise the opportunity

Following its research, Barclays’ has also announced plans to lead a £10million campaign against digital fraud with a primary aim to educate customers. Its campaign, and the current climate in which cybercrime is rife, illustrates a clear opportunity for banks to step up and adopt a role of responsibility in this field; positioning themselves as experts in educating on risk and how customers can protect their identities from digital fraud.

While some financial services institutions may question whether or not this is their job, given the amount of money they lose as a result of fraud, perhaps the question they should be asking is whether or not they can afford not to address this issue?

However, the truth is that banks are actually among the most trusted brands by consumers when it comes to data security. The Symantec State of Privacy Report in 2015 revealed that 66% of banks were the third most trusted by their customers to handle data; only hospitals and medical services ranked above.  Evidently, there’s already a great deal of trust and brand value that exists for financial services institutions when it comes to handling data, meaning customers are likely to value their banks’ advice. This is something that currently, many are failing to utilise.

There’s a lot to learn from Barclays and by recognising this as an opportunity, not a challenge, banks can enable customers to make better fraud prevention choices, enhance loyalty and build deeper, more valuable customer relations in a fiercely competitive market.

Step 2: Educate and empower

By enabling people to make better security and fraud prevention choices that are backed up by relevant and knowledgeable support when things go wrong, banks can enhance their reputation amongst existing and potential customers. For example, Barclays’ upcoming digital-led safety campaign provides free support to SMEs as well as an online quiz for customers to assess their overall digital safety level - equipped with advice and tips for improvement.

Whilst this might sound like simple advice, it is guidance that could empower customers to be a little more careful about who they disclose their personal information to. Other examples might include a helpline to provide customers with peace of mind. Such a service could increase a customer’s bond and loyalty to their bank.

Step 3: Offer additional services

In addition to educating and advising customers about risks and ways to protect their identity, banks can also take further steps to build loyalty by offering additional and exclusive services. Barclays is now giving customers the opportunity to set up daily ATM withdrawal limits on their mobile banking app, to prevent the risk of security breaches. This is just one example of an additional account protection service that a bank could offer its customers on top of advice.

By taking responsibility and offering customers not just advice, but an actual service that will help protect themselves, a bank can its extend the influence into customers’ lives, improving their value and retention. In fact, our recent study looking at customer engagement found that banks that offer ‘protecting the customer’ products have 13 per cent higher customer engagement scores compared to the average, meaning they stay longer and are more likely to recommend to others.

Cyber-security attacks have, and will continue to, present a significant threat because of the connectivity of modern life, unless action is taken. There is an ever-rising level of customer data online, which both businesses and customers need to take responsibility for keeping safe. But amidst the threat and concern, there is an opportunity for financial services institutions to look beyond this and instead see the challenge as a chance to build more loyal and lasting customer relations.

According to the latest IMB Security report, the finance industry is facing 65% more cyberattacks than the average organisation. In 2016, the finance industry was the most targeted sector of cybercrime, an increase of 937% from the previous year.

What’s more, up to 50% of security breaches remain unreported to the public by the affected organisations in fear of damaging their reputation and people's confidence in investing with them. The result is that most people never realise their data and money are at risk. The recent cyberattack which affected organisations such as Telefonica, Renault and the British NHS, caused turmoil and panic in businesses across all sectors throughout the world. While cybersecurity is the biggest concern for most organisations today, the finance sector is the one mostly affected by cybercrime on daily basis.

The recent attack is a wakeup call for many who may now question if their money is safe and ask how best to protect it.

What makes a secure hedge fund?

Steven Jupp, CEO of Avem Capital says: “Coming from a technology and security sector, when selecting Avem Capital for a worthy hedge fund to lead, it was my priority to ensure we had the best security and protection of all our data. Naturally, when choosing a hedge fund, cybersecurity is not the biggest concern for most of our Clients. Many don’t even consider such matters at all. It is also a very well known fact that both platforms and the regulators are making keen headway during selection and onboarding processes, as well as during the lifecycle.

“However, concerned or not, in terms of cybersecurity I’m confident that we are one of the most secure and safe hedge funds in the market in respect to data and technological infrastructure.”

With the recent data showing how heavily targeted and poorly protected the finance sector is, it is apparent that cybersecurity is often omitted while thinking of a hedge fund. Avem Capital believes that this should be a priority for both Clients and the Hedge Fund Management – an integral part of its DNA. It is so much more than choosing a good antivirus software.

As Jupp highlights, there are numerous things to look out for when thinking of cybersecurity: “We do our best to prevent any possible attacks from any side, we like to be one step ahead of the game. At Avem Capital we introduced some of the most powerful, pro-active security management systems in the world, many of which are proprietary and reduce the potential fingerprint attacks available to commercial world applications.

“Our in-house logical security engineers are constantly monitoring numerous channels both regular web based and deep web based, in order to protect and defend against zero day exploits.” - says Jupp

Furthermore, Avem Capital also uses Data Loss Prevention systems, both in email and in document management, allowing to track the propagation of a document and secure it from intervention from a third party.

Another approach being adopted by Avem is that all infrastructure and mobile connected devices are patched at least weekly. Critical security patches are then tested against software and operating systems before being deployed on the day of notification. To ensure only secure devices enter the corporate network, Traders and Fund Managers are not able to operate any form of buying or selling over any device other than guarded desktop devices. Bring Your Own Device (BYOD) is not permitted to enter the corporate network at any point. To prevent this, Avem utilises a separate infrastructure, capable of detecting any potential threats or rogue devices.

With companies investing billions of dollars and private investors entrusting their life savings to hedge funds, the finance industry needs to step up their game when it comes to cybersecurity. The key is to always assume the worst case scenario and prevent possible threats by utilising all available tools to assure security.

(Source: Avem Capital)

Forget about high-tech espionage. Many of the headline-grabbing hacks from the past few months hinged on low-tech social engineering—the use of deception to manipulate users into giving up their passwords and other data, writes LeClairRyan attorney David Z. Seide in a new post on the national law firm's "Information Counts" blog.

"This kind of hack takes many forms—examples include security alerts from what appear to be trusted websites to update passwords, and phishing emails from what appear to be known, trusted contacts asking to download files or click on provided links," writes Seide, a partner on LeClairRyan's Compliance, Investigations and White Collar team, based in the national law firm's Alexandria, Va., and Washington offices.

In the Feb. 27 post ("Cyber Security and Social Engineering: A Big Low Tech Problem"), Seide notes that the consequences of computer network penetration through social engineering have been dire for victims. He cites a prime example: the hack of Hillary Clinton's 2016 presidential campaign.

"There, the campaign chair received what appeared to be a genuine email from Google's 'Gmail Team' informing him that a Ukrainian computer had just used his password to try to sign in to his Gmail account," Seide explains in the piece. "The email went on to say that Google had stopped the attempt, advised the chair to change his password immediately, and provided a 'Change Password' link. Believing the email to be authentic, the chair clicked on the link and changed his password."

As the world now knows, of course, the new password went straight to hackers, who promptly downloaded 30,000-plus emails in the account and sent them to WikiLeaks for publication. "This hack succeeded only because hackers used social engineering techniques to trick the unwitting user into effectively giving a secure password to what appeared to be a trusted source," writes Seide, an experienced litigator and internal investigator, who led multiple high-profile internal and financial investigations for several federal agencies prior to joining LeClairRyan last month. Those roles included leading the Department of State Office of Inspector General team that reviewed and published multiple reports in 2016 concerning the use of personal email for official business by Hillary Clinton and four other Secretaries of State.

For the foreseeable future, he notes, low-tech social engineering hacking will continue to be a dominant cyber risk. "If anything, it is likely to proliferate across growing and emerging technology platforms—mobile and other Internet-enabled devices (Internet of Things) and social media," he explains.

This is precisely why defending against such hacks requires more and better "cyber hygiene," which Seide describes as "no different than regularly washing hands to prevent infection." Toward that end, he offers a set of best practices for guarding against social engineering. They include ramping up education about social engineering; closely monitoring the level of security-protocol compliance within your organizations; maintaining vigilance and skepticism, and engaging in timely reporting of hacks or potential hacks.

"Cyber security is an ongoing process that changes as fast as technology changes. And technology changes fast," the attorney writes in the conclusion to the piece. "These suggestions are by no means cure-alls. But they will reduce social engineering risk and may demonstrate a prudent effort to address a serious problem we all regularly face."

(Source: LeClairRyan)