Each week, each month provides more insights into the level fraud. Senior people are losing their jobs and companies are being sold as ever more fraud comes to light. By far the biggest hack was the loss of over 3bn (yes billion) user details (e-mail, credit card details, etc.) from Yahoo and the company was sold. The most recent large hack was the loss of 145 million customer details from Equifax the credit rating agency, and more details are emerging about competitors attacking/hacking each other.
The only good news is that it is becoming clearer what is going on and what needs to done to prevent cyber-fraud. But ALL vulnerabilities need to be plugged as the recent hack of Deloittes systems showed in which they had the very latest techniques and systems covering most of their operations, but were let down in the US where, The Guardian report, “The breach is believed to have been US-focused and was regarded as so sensitive that only a handful of Deloitte’s most senior partners and lawyers were informed.”
Equifax enquiry insights
Washington’s lawmakers grilled former Equifax Inc. CEO Richard Smith (who lost his job) last week about the hack on the company’s systems and in which they got access to sensitive information on over 140 million Americans and other customers around the world.
There were five ideas suggested at the hearing:
- Replacing social security numbers as the standard verification by, possibly, fedreally issued numbers
- Bigger fines
- Creating a federal breach notification law as well as a law in individual states so that any hack had to be reported, rather than waiting months if not years
- Embedding regulators in the actual credit agencies
- Giving consumers more control by reviewing the role of credit reporting agencies.
I.e. More transparency and more involvement of the regulators.
Beware your competitors
In the Financial Times today, Pilita Clark describes how Phil Nagy, who runs Winning Poker Network, found that his network was attacked when running a big tournament. The attacker made contact on the site’s live chat section where he said, “I have a job, another site pays me to attack you.”
A recent survey by the cybersecurity firm Kaspersky Lab showed that 43% of firms that had been attacked by “distributed denial of service”, or DDoS attack thought that it was by a competitor (versus 38% by a cyber criminal).
A major problem is that launching a DDoS attack is very cheap and very easy to do.
No-one admits to doing, but there is enough evidence to say it is definitely going on. Companies need to be aware and protect themselves accordingly.
“The biggest threat to U.K. businesses isn’t the risk of slowing economic growth or Brexit–it is payments diversion fraud”, according to Andy Fyfe, detective chief inspector at the Economic Crime Department of the City of London Police. But apparently there is, in some ways, an even bigger problem the police have: only some 5% of cases get reported. This is exactly what happened at Yahoo (which took years for the full extent of the fraud to be revealed, and at Equifax and Deloittes who took months to reveal what happened.
This reluctance to report is understandable, but it causes the police huge problems.
CTMfile take: 1) Somehow the regulators and companies need to find a way to improve reporting, and 2) are you being hacked by your competitors or hacking them instead or both?
Cybersecurity is neglected by most companies in annual reports
A survey of annual reports published by 800 companies found that most are not providing enough data on their cybersecurity strategies and few consider it a boardroom issue
Cybersecurity performance can be managed, but only if measured
Creating and Measuring Effective Cybersecurity Capabilities - The Cybersecurity Risk Handbook
Cybersecurity: the only solution that works + “striking right balance” when hacked
Holistic approach across whole company and supply chains + integrated behavioural systems TO REALLY TACKLE FRAUD