Panellists in the 'Fighting fraud' session, at BNP Paribas's Cash Management University in Paris last week, said that the problem is probably even bigger than we imagine.
Software engineer and former hacker (now an “ethical hacker”) Jamie Woodruff made the extent of the problem clear: “Hacking is a huge industry. Anyone can be hacked. There's a huge organised business in cybercrime.” He added that, when developing cybercrime prevention strategies, companies should think of a data breach in terms of “not if but when”. The problem for most organisations is that hacking into their servers is all too easy, and the staff themselves are often the weakest part of a corporate's infrastructure. Woodruff famously hacked Kim Kardashian and now gets paid to do the same for big companies, uncovering their weak security spots, often through social engineering. Sometimes he turns up at a company dressed as a UPS or pizza delivery person and can often walk straight through and access sensitive data.
No more blame culture
Philippe-Emmanuel Crolus, a treasury and cash management expert at Novartis, agreed that, unfortunately, people are the weakest point, so organisations should focus on how to educate their workforce. He said: “It's important to be very transparent – if we blame people, the risk is that they won't alert their managers if there is a security breach. So we need to encourage people to speak openly and not to hesitate in coming forwards. Too often, employees are hesitant to question invoices signed by a CFO or senior executives. We must get rid of the stigma of double-checking and questioning people higher up the corporate hierarchy.”
BNP Paribas Fortis's Jan De Blauwe, the bank's chief information security officer, was also on the panel and said that the current situation is alarming, as there has been a clear acceleration in threats across banking, retail and the public sector, such as the WannaCry attack that affected UK hospitals earlier this year. De Blauwe said: “Thankfully there has also been an acceleration at bank level, with increased investment and more resources focused on cybersecurity.” However, De Blauwe also agreed that we are now at a stage in which prevention isn't enough and organisations should really be focusing on contingency plans and strategies for managing what seems to be an almost inevitable security crisis or data breach. He noted: “The idea that investing is enough to protect you is proving false – we need to change our mindsets to reacting to what is an almost inevitable security breach. The security community doesn't need to be convinced about that.”
So how are banks working with their customers to protect their shared environment? De Blauwe said: “We're trying to step into a leadership role and calling for more openness and sharing results from ethical hacks. So, for example, we need proactive approaches with customers and in our payments business, we have a long-running project for fraud detection.”
Crolus reiterated the need for collective and transparent efforts in fighting cybercrime. He said: “We need to work with others, share best practices and work collaboratively with other organisations. We need to lose our fear of others thinking we need help or of disclosing data to other organisations. We all need to get used to working together.”
The threat might be more pressing than ever, but there has been a significant shift in how banks are proactively fighting cyberfraud. De Blauwe explained: “Ten years ago, 80 per cent of incidents were brought to our attention by customers – now the bank identifies 80 per cent of attempts before the customer is aware. So there's a lot more focus on actually recovering the stolen money.”