An Inside Job: Looking For Cyber Criminals

Everybody in business, and especially in banking, embraces the need for aggressive and comprehensive defenses against hackers, right?

And then comes this report from KPMG with the discouraging headline: “12% of banking CEOs don’t know if their bank has been hacked.”

The audit, tax, and advisory firm surveyed 100 bank executives from banks that have more than $20 billion in assets.

Worse, researchers found that at these banks’ second tier of officers—including executive vice-presidents and managing directors—the level of awareness gets worse. KPMG reported that 47% said they didn’t know if their bank had been victimized by cyber-crooks. The next level—senior vice-presidents and directors—were even worse: 72% were unaware.

“Banks are under an onslaught of attacks from bad actors, so the fact that 12% of banking CEOs reported that they don’t know if they’ve been compromised is troublesome. Cyber is a business bottom-line issue: a true CEO issue,” says Charlie Jacco, financial services cyber leader at KPMG. “While CEOs may be more privy to information regarding the exact number of cyber technology deployments and hack attempts, all employees should know and be in lock-step on their bank’s greatest vulnerabilities and concerns as it pertains to how that bank views cyber security.”

Wait … what?

Before one jumps all over the C-suiters for their apparent lapse of knowledge about hacks close to home, there is this to consider: According to another recent KPMG International report, some of them might actually be the culprits.

This report analyzed profiles of 750 cyber-crooks investigated by forensic specialists across 81 countries, and produced what it calls “the new face of fraud”:

• 69% were between the ages of 36 and 55.

• 65% were employed by the company that was hacked.

• 35% were executives or directors.

• 38% had been with the company for at least six years.

• 38% described themselves as well-respected in their company.

• 62% colluded with others in their crimes.

While personal gain was the predominant overriding motivation for committing fraud (60%), the sense of “Because I can” was third at 27%, according to the report.

The exposure of being unaware

Again, you just have to scratch your head. Insiders, it seems, pose the biggest threat for cybersecurity forces to deal with. This includes not only the bad actors, but also otherwise innocent staff members who are unaware of the threats to their companies, and who don’t know what defenses their companies mount against cyber-threats.

This comes from a joint study by Experian Data Breach Resolution and the Ponemon Institute. They asked more than 600 individuals at companies that currently have a data protection and privacy training program to weigh in on the topic of negligent and malicious employee behaviors.

The study found that 55% of the companies surveyed have already experienced a security incident due to a malicious or negligent employee. Sixty percent of companies surveyed believe their employees are not knowledgeable or have no knowledge of the company’s security risks. Only 35% said senior management believes it is a priority that employees are knowledgeable about how data security risks affect their organization.

“Among the many security issues facing companies today, the study emphasizes that the risk of a data breach caused by a simple employee mistake or act of negligence is driving many breaches,” says Michael Bruemmer, vice-president, Experian Data Breach Resolution. “Unfortunately, companies continue to experience the consequences of employees either falling victim to cyberattacks or exposing information inadvertently.”

And the beat goes on …

To be sure, the usual reports about the growing magnitude of the threat and the certitude of being attacked keep surfacing. Here are just a few recent ones:

• Gartner: By 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk.

“Cybersecurity is a critical part of digital business with its broader external ecosystem and new challenges in an open digital world,” says Paul Proctor, vice-president, Gartner.

• CompTIA: Technology professionals see many steps that could be taken to improve their company’s security, according to a survey of 500 security professionals.

“Just under half (47%) say there’s a belief within their company that existing security is ‘good enough.’ For 43%, other technology needs take a higher priority than security,” according to the report.

• SANS Institute: Malware, unauthorized access, and advanced persistent threats remain the top threats, while a lack of expert staff is harming incident response.

“While automation and new tools are helping response teams,” says Matt Bromiley, SANS analyst, “65% of survey respondents see a skills shortage as an impediment to incident response efforts. Training and experience is the difference between breached and not breached.”

Does old culture not get it?

Interestingly, a recurring theme through some of these reports is the need for cultural change within the organization. That makes sense. If the threats are internal, the defenses also need to be internal.

• Gartner puts it this way: “With the acceleration of digital business and the power that technology gives individuals, it is now critical to address behavior change and engagement—from your employees to your customers. Cybersecurity must accommodate and address the needs of people through process and culture change.”

• Experian puts it this way: “Organizations need to foster a culture of security. The study found that companies are not currently implementing a number of simple incentives that could encourage positive security behaviors. Of the companies surveyed, 67% provide no incentives to employees for being proactive in protecting sensitive information or reporting potential issues.”

• CompTIA puts it this way: “The use of technology has outpaced cybersecurity literacy, so there’s also a growing need for the overall workforce to improve their knowledge and awareness of security issues.”

Banking Exchange:

« Email Scams: Criminals Try To Steal $3bn
Preliminary Agreement On Airline Cybersecurity »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ICS2

ICS2

ICS² is the first cyber security company focusing on protecting the control system of power, oil, gas, and petrochemicals plants.

Torsion Information Security

Torsion Information Security

Torsion is an innovative information security and compliance engine, which runs either in the cloud or your data centre.

Silensec

Silensec

Silensec is a management consulting, technology services and training company specialized in information security.

Capula

Capula

Capula is a leading system integration specialist for control, automation and operational IT systems across all applications and industry sectors.

IberLayer

IberLayer

IberLayer is the company behind the Email Guardian service, a cloud based Email Total Protection system that filters and blocks email threats.

British Blockchain Association (BBA)

British Blockchain Association (BBA)

British Blockchain Association (BBA) is a not-for-profit organisation that promotes evidence-based adoption of Blockchain and Distributed Ledger Technologies (DLT) across the public and private sector

Startup Capital Ventures

Startup Capital Ventures

Startup Capital Ventures is an early stage venture capital firm with a focus on FinTech, Cloud/SaaS, Security, Healthcare IT, and IoT.

NetTech

NetTech

NetTech’s Managed CyberSecurity and Compliance/HIPAA services are designed to help your company prevent security breaches and quickly remediate events if they do happen to occur.

PKI Solutions

PKI Solutions

PKI Solutions offers Public Key Infrastructure (PKI) products, services, and training to help ensure the security of organizations now and in the future.

Verichains

Verichains

Verichains Lab is a pioneer and leading APAC blockchain security firm with extensive expertise in the areas of security, cryptography and core blockchain technology.

Transatlantic Cyber Security Business Network

Transatlantic Cyber Security Business Network

The Transatlantic Cyber Security Business Network is a coalition of UK and US cyber security companies which facilitates collaboration to help address critical cyber security challenges.

OccamSec

OccamSec

OccamSec is a leading provider in the world of cybersecurity. We provide accurate, actionable information to reduce risk and enable better informed decisions.

DART Consulting & Training

DART Consulting & Training

DART is a leading cyber training and consultancy company. We enhance our clients’ cyber capabilities by growing and strengthening their frontline defense – the cyber teams.

Reach Security

Reach Security

Reach is the first generative AI platform purpose-built to empower enterprise security teams. With Reach, organizations measure, manage, and improve their enterprise security posture at scale.

BCX

BCX

BCX, a subsidiary within Telkom Group, is one of Africa’s largest systems integrator and digital transformation partners for enterprises and public sector organisations.

XBOW

XBOW

XBOW brings AI to offensive security, augmenting the work of bug hunters and security researchers.