Another Day, Another Data Breach

Reports of data breaches are an increasingly common occurrence. In recent weeks, Ticketmaster, HealthEngine, PageUp and the Tasmanian Electoral Commission have all reported breaches.

It is easy to tune out to what is happening, particularly if it’s not your fault it happened in the first place.

But there are simple steps you can take to minimise the risk of the problem progressing from “identity compromise” to “identity crime”.

In 2012 former FBI Director Robert Mueller famously said:

I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.

The types of personal information compromised might include names, addresses, dates of birth, credit card numbers, email addresses, usernames and passwords.

In some cases, very sensitive details relating to health and sexuality can be stolen.

What’s the worst that can happen?

In most cases, offenders are looking to gain money. But it’s important to differentiate between identity compromise and identity misuse.

Identity compromise is when your personal details are stolen, but no further action is taken. Identity misuse is more serious. That’s when your personal details are not only breached but are then used to perpetrate fraud, theft or other crimes.

Offenders might withdraw money from your accounts, open up new lines of credit or purchase new services in your name, or port your telecommunication services to another carrier. In worst case scenarios, victims of identity crime might be accused of a crime perpetrated by someone else.

The Australian government estimates that 5% of Australians (approximately 970,000 people) will lose money each year through identity crime, costing at least $2.2 billion annually. And it’s not always reported, so that’s likely a conservative estimate.

While millions of people are exposed to identity compromise, far fewer will actually experience identity misuse.

But identity crime can be a devastating and traumatic event. Victims spend an average of 18 hours repairing the damage and seeking to restore their identity.

It can be very difficult and cumbersome for a person to prove that any actions taken were not of their own doing.

How will I know I’ve been hacked?

Many victims of identity misuse do not realise until they start to receive bills for credit cards or services they don’t recognise, or are denied credit for a loan.

The organisations who hold your data often don’t realise they have been compromised for days, weeks or even months.

And when hacks do happen, organisations don’t always tell you upfront. The introduction of mandatory data breach notification laws in Australia is a positive step toward making potential victims aware of a data compromise, giving them the power to take action to protect themselves.

What can I do to keep safe?

Most data breaches will not reveal your entire identity but rather expose partial details. However, motivated offenders can use these details to obtain further information.

These offenders view your personal information as a commodity that can be bought, sold and traded in for financial reward, so it makes sense to protect it in the same way you would your money.

Here are some precautionary measures you can take to reduce the risks:

  • Always use strong and unique passwords. Many of us reuse passwords across multiple platforms, which means that when one is breached, offenders can access multiple accounts. Consider using a password manager.
  • Set up two-factor authentication where possible on all of your accounts.
  • Think about the information that you share and how it could be pieced together to form a holistic picture of you. For example, don’t use your mother’s maiden name as your personal security question if your entire family tree is available on a genealogy website.

And here’s what to do if you think you have been caught up in a data breach:

  • Change passwords on any account that’s been hacked, and on any other account using the same password.
  • Tell the relevant organisation what has happened. For example, if your credit card details have been compromised, you should contact your bank to cancel the card.
  • Report any financial losses to the Australian Cybercrime Online Reporting Network.
  • Check all your financial accounts and consider getting a copy of your credit report via Equifax, D&B or Experian. You can also put an alert on your name to prevent any future losses.
  • Be alert to any phishing emails. Offenders use creative methods to trick you into handing over personal information that helps them build a fuller profile of you.
  • If your email or social media accounts have been compromised, let your contacts know. They might also be targeted by an offender pretending to be you.
  • You can access personalised support at iDcare, the national support centre for identity crime in Australia and New Zealand.

The vast number of data breaches happening in the world makes it easy to tune them out. But it is important to acknowledge the reality of identity compromise. That’s not to say you need to swear off social media and never fill out an online form. Being aware of the risks and how to best to reduce them is an important step toward protecting yourself.

For further information about identity crime you can consult ACORN, Scamwatch, or the Office of the Australian Information Commissioner.

If you are experiencing any distress as a result of identity crime, please contact Lifeline.

Author: Cassandra Cross, Senior Lecturer in Criminology, Queensland University of Technology

Financial Sector Cyber Risk Is Rising – IMF

Cyber risk has emerged as a significant threat to the financial system according to the IMFBlog. An IMF staff modeling exercise estimates that average annual losses to financial institutions from cyber-attacks could reach a few hundred billion dollars a year, eroding bank profits and potentially threatening financial stability.

Recent cases show that the threat is real. Successful attacks have already resulted in data breaches in which thieves gained access to confidential information, and fraud, such as the theft of $500 million from the Coincheck cryptocurrency exchange. And there is the threat that a targeted institution could be left unable to operate.

Not surprisingly, surveys consistently show that risk managers and other executives at financial institutions worry most about cyber-attacks, as in the graphic below.

Financial sector’s vulnerability

The financial sector is particularly vulnerable to cyber-attacks. These institutions are attractive targets because of their crucial role in intermediating funds. A successful cyber-attack on one institution could spread rapidly through the highly interconnected financial system. Many institutions still use older systems that might not be resilient to cyber-attacks. And a successful cyber-attack can have direct material consequences through financial losses as well as indirect costs such as diminished reputation.

Recent high-profile cases have increasingly put cyber risk on the agenda of the official sector—including international organizations. However, quantitative analysis of cyber risk is still at an early stage, especially due to the lack of data on the cost of cyber-attacks, and difficulties in modeling cyber risk.

A recent IMF study provides a framework for thinking about potential losses due to cyber-attacks with a focus on the financial sector.

Estimating potential losses

The modeling framework uses techniques from actuarial science and operational risk measurement to estimate aggregate losses from cyber-attacks. This requires an assessment of the frequency of cyber-attacks on financial institutions and an idea of the distribution of losses from such events. Numerical simulations can then be used to estimate the distribution of aggregate cyber-attack losses.
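The frequency-severity approach described above is simple enough to reproduce in a few dozen lines. The following is an added illustration, not the IMF's own model or data: it draws the number of loss events per year from a Poisson distribution, the size of each event from a lognormal distribution, and reads the mean, the 95th percentile and the average of the worst 5% of years off the simulated aggregate losses. All parameters (event frequency, median and dispersion of event size, sector net income, and a contagion multiplier for the severe scenario) are constructed for this example; they are chosen only so that the baseline lands near the headline figures quoted later in the piece, and they carry no calibration from the study.

```python
import math
import random

# Illustrative parameters constructed for this example; they are NOT the IMF's calibration.
# Losses and net income are in the same arbitrary units (read them as billions of dollars).
BASE_FREQUENCY = 24.0          # expected cyber loss events per year across the sector (assumed)
SEVERITY_MU = math.log(2.0)    # lognormal location: median loss per event of 2.0 (assumed)
SEVERITY_SIGMA = 1.2           # lognormal scale: heavy right tail for rare very large losses (assumed)
NET_INCOME = 1100.0            # sector net income used to express losses as a share (assumed)
CONTAGION_FACTOR = 1.5         # severe scenario: each event is 50% larger because it spreads (assumed)


def poisson(rng, lam):
    """Draw an event count from a Poisson(lam) distribution (Knuth's multiplication method)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(frequency, mu, sigma, years, seed=42):
    """Frequency-severity Monte Carlo: for each simulated year draw how many loss events
    occur (Poisson) and how large each one is (lognormal); return the yearly totals."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        n_events = poisson(rng, frequency)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return totals


def summarise(totals, net_income):
    """Mean annual loss, the 95th percentile, and the average of the worst 5% of years,
    with the mean and the tail average also expressed as a share of net income."""
    ordered = sorted(totals)
    cut = int(0.95 * len(ordered))
    mean = sum(ordered) / len(ordered)
    tail = ordered[cut:]
    tail_mean = sum(tail) / len(tail)
    return {
        "mean_loss": mean,
        "mean_share": mean / net_income,
        "p95_loss": ordered[cut],
        "worst5pct_mean_share": tail_mean / net_income,
    }


def run_scenarios(years=10_000):
    """Baseline versus a severe scenario with doubled frequency and larger (contagious) losses."""
    base = summarise(
        simulate_annual_losses(BASE_FREQUENCY, SEVERITY_MU, SEVERITY_SIGMA, years), NET_INCOME)
    severe = summarise(
        simulate_annual_losses(2 * BASE_FREQUENCY, SEVERITY_MU + math.log(CONTAGION_FACTOR),
                               SEVERITY_SIGMA, years, seed=7), NET_INCOME)
    return {"base": base, "severe": severe,
            "severe_to_base": severe["mean_loss"] / base["mean_loss"]}


if __name__ == "__main__":
    result = run_scenarios()
    for name in ("base", "severe"):
        s = result[name]
        print(f"{name:7s} mean loss {s['mean_loss']:.1f} ({s['mean_share']:.1%} of net income), "
              f"95th percentile {s['p95_loss']:.1f}, worst-5% average {s['worst5pct_mean_share']:.1%}")
    print(f"severe / base mean loss ratio: {result['severe_to_base']:.2f}")
```

The point a risk practitioner should take from running it is how much the tail moves relative to the mean: with a heavy-tailed severity, the worst 5% of simulated years sit far above the average year, and doubling the event frequency while enlarging each event multiplies expected losses roughly threefold under these assumed inputs. Real estimates depend entirely on the frequency and severity data, which is why the text stresses the data gaps.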

We illustrate our framework using a data set covering recent losses due to cyber-attacks in 50 countries. This provides an example of how potential losses for financial institutions could be estimated. The exercise is difficult and is made even more challenging by major data gaps on cyber risk. Moreover, thankfully, there has not yet been a successful, large-scale cyber-attack on the financial system.

Our results should thus be considered as illustrative. Taken at face value, they suggest that average annual potential losses from cyber-attacks may be large, close to 9 percent of banks’ net income globally, or around $100 billion. In a severe scenario—in which the frequency of cyber-attacks would be twice as high as in the past with greater contagion— losses could be 2½–3½ times as high as this, or $270 billion to $350 billion.

The framework could be used to examine extreme risk scenarios involving massive attacks. The distribution of the data we have collected suggests that in such scenarios, representing the worst 5 percent of cases, average potential losses could reach as high as half of banks’ net income, putting the financial sector at risk.

Such estimated losses are several orders of magnitude greater than the present size of the cyber insurance market. Despite recent growth, the insurance market for cyber risk remains small with around $3 billion in premiums globally in 2017. Most financial institutions do not even carry cyber insurance. Coverage is limited, and insurers face challenges in evaluating risk because of uncertainty about cyber exposures, lack of data, and possible contagion effects.

The way forward

There is much scope to improve risk assessments. Government collection of more granular, consistent, and complete data on the frequency and impact of cyber-attacks would help assess risk for the financial sector.

Requirements to report breaches—such as considered under the EU’s General Data Protection Regulation—should improve knowledge of cyber-attacks. Scenario analysis could be used to develop a comprehensive assessment of how cyber-attacks could spread and design adequate responses by private institutions and governments.

Further work is needed also to understand how to strengthen the resilience of financial institutions and infrastructures, both to reduce the odds of a successful cyber-attack but also to facilitate smooth and rapid recovery. There is also a need to build capacity in the official sector in many parts of the world to monitor and regulate such risks.

In sum, strengthening the regulatory and supervisory frameworks for cyber risk is needed, and efforts should focus on effective supervisory practices, realistic vulnerability and recovery testing, and contingency planning. The IMF is providing technical assistance to help member countries improve their regulatory and supervisory frameworks.

UK Banks Not Doing Enough To Combat Online Fraud

The UK House of Commons Committee of Public Accounts has published an important report on The growing threat of online fraud (Sixth Report of Session 2017–19). The key observation is that banks do not accept enough responsibility for preventing and reducing online fraud, and there is no data available to assess how well individual banks are performing. Unless all banks start working together, including making better use of technology, there will be little progress on tackling card fraud and returning money to customers.

  • One key issue is that, unlike credit card transactions, which are automatically refunded in case of dispute, payments that customers instruct their bank to make via online banking (“authorised push payments”) to a fraudulent destination are not. It has been estimated that between 40% and 70% of people who are victims of scams do not get any money back. Banks are reported to be holding at least £130 million of funds that cannot accurately be traced back and returned to fraud victims, an amount that UK Finance said was probably a conservative estimate.
  • As the proportion of payments made by digital means continues to rise, stronger safeguards and clearer accountabilities should be placed on the banks. This is not a topic the banks want to discuss. Indeed, in evidence, individual banks know how they compare with others, but told the committee that banks did not publish individual numbers because the fraudsters would then target the ‘weakest’ of the banks. Of course, it might be in the banks’ own interest not to be transparent and publish individual data, as it could deter customers.
  • The committee found that card not present fraud was significant and needed to be reduced.
  • Finally, there was a need for better consumer awareness.

We suspect the situation in Australia is somewhat similar.

In summary, online fraud is now the most prevalent crime in England and Wales, impacting victims not only financially but also causing untold distress to those affected. The cost of the crime is estimated at £10 billion, with around 2 million cyber-related fraud incidents last year; however, the true extent of the problem remains unknown. Only around 20% of fraud is actually reported to police, with the emotional impact of the crime leaving many victims reluctant to come forward. The crime is indiscriminate, is growing rapidly and shows no signs of slowing down. Urgent action from government is needed, yet the Home Office’s response has been too slow and the banks are unwilling to share information about the extent of fraud with customers. The balance needs to be tipped in favour of the customer.

Online fraud is now too vast a problem for the Home Office to solve on its own, and it must work with a long list of other organisations including banks and retailers; however, it remains the only body that can provide strategic national leadership. Setting up the Joint Fraud Taskforce in 2016 was a positive step, but there is much still to do. The Department and its partners on the Joint Fraud Taskforce need to set clear objectives for what they plan to do, and by when, and need to be more transparent about their activities, including putting information on the Home Office’s website.

The response from local police to fraud is inconsistent across England and Wales. The police must prioritise online fraud alongside efforts to tackle other sorts of crime. But it is vital that local forces get all the support they need to do this, including on identifying, developing and sharing good practice.

Banks are not doing enough to tackle online fraud and their response has not been proportionate to the scale of the problem. Banks need to take more responsibility and work together to tackle this problem head on. Banks now need to work on information sharing so that customers are offered more protection from scams. Campaigns to educate people and keep them safe online have so far been ineffective, supported by insufficient funds and resources. The Department must also ensure that banks are committed to developing more effective ways of tackling card not present fraud and that they are held to account for this and for returning money to customers who have been the victims of scams.

Banks can’t fight online credit card fraud alone, and neither can you

From The Conversation.

Online credit card fraud is on the rise in Australia, but pointing the finger at any one group won’t help. It’s an ecosystem problem: from the popularity of online shopping, to the insecure sites that process our transactions, and the banks themselves.

A recent report from the Australian Payments Network found that:

  • the overall amount of fraud on Australian cards increased from A$461 million in 2015 to A$534 million in 2016
  • “card not present” fraud increased to A$417.6 million in 2016, up from A$363 million in 2015
  • 78% of all fraud on Australian cards in 2016 was “card not present” fraud.

“Card not present” fraud happens when valid credit card details are stolen and used to make purchases or other payments without the physical card, mainly online or by phone.

While these numbers may seem alarming, it’s important to put them in context. Australians are increasingly carrying out transactions online; the report notes that we made 8.1 billion card transactions totalling A$715.5 billion in 2016.

The shift towards online credit card fraud also comes at the cost of other types of fraud. Cheque fraud, for example, was down to A$6.4 million in 2016, from A$8.4 million in 2015.

Still, it’s fair to ask: are the banks doing enough to keep our details secure?

The banks and security

The banks currently have a range of measures in place to protect customers from card fraud:

  • Chip and pin: Australia mandates the use of “chip and pin” technology. This replaced the need to swipe the magnetic strip on credit cards and is recognised as being more secure.
  • Two-factor authentication: Many Australian banks use text messages or tokens that generate a unique, time-limited code to help verify the legitimacy of transactions.
  • Monitoring of customer habits: Australian banks typically have a complex set of algorithms that monitor the spending habits and transactions of their customers. They frequently have the ability to identify a suspicious (often fraudulent) transaction and block it.

Overall, Australian financial institutions are investing time and technology into the prevention of fraud. However, recent allegations that the Commonwealth Bank of Australia breached anti-money laundering laws suggest that the big banks are not immune from the problem.

Data breaches and malware

Credit card fraud is going where the action is.

According to the research company Nielsen, “nearly all online Australians have used the internet to do some form of purchasing activity”. This means that Australians are increasingly sharing their credit card details with companies around the world.

Large-scale data breaches are a common occurrence. Many organisations have been compromised in some way, including Australian companies like Kmart and David Jones. A variety of personal information can be exposed, and this often includes customers’ credit card details.

Batches of stolen credit card details can be sold on the dark web to other motivated offenders. In one UK example, such details were being sold for as little as £1 per card.

Offenders are also using different types of malware, or computer viruses, to obtain the personal information of unsuspecting victims. In many cases, this includes bank account and credit card details through successful phishing attempts (or spam emails).

The liability fight

Banks will generally refund customers for any fraudulent losses incurred on their credit cards. However, customers must take “due care with their confidential data”.

There is also an onus on the customer to check their credit card statements and notify their bank of any suspicious activity.

But this may not always be the case. In 2016, the former Metropolitan Police Commissioner in the UK made headlines for suggesting that customers should not be refunded by banks if they failed to protect themselves from fraud.

Instead, he argued that customers were being “rewarded for bad behaviour” rather than being encouraged to adopt cyber-safety practices, such as antivirus software and strong passwords.

These statements were met with anger by many advocacy groups who equated them with victim blaming. It was further exacerbated by a leaked proposal by the City of London Police to shift the responsibility of fraud losses from banks to the individual.

While this recommendation was never adopted, the tension may continue to grow when it comes to fraud liability.

Looking for answers

Pointing the finger of blame at any one party is not a constructive solution. Banks alone cannot combat online credit card fraud. Neither can their customers.

There are simple steps to reduce the likelihood of online fraud: having up-to-date antivirus software and strong passwords is an important step. There are sites such as haveibeenpwned that demonstrate how vulnerable and exposed our passwords can be.

Still, it’s difficult to protect against social engineering techniques used by offenders to manipulate victims into handing over their personal details. Not to mention, the risks posed by third-party data breaches, which are beyond the control of individuals.

The introduction of mandatory data breach reporting legislation in Australia in 2017 may have a positive impact. By requiring organisations to let their customers know when their personal information has been compromised, individuals can be proactive about cancelling cards, changing passwords and taking out credit reports to check for fraudulent activity.

Businesses also need to recognise the importance of protecting their customer information. It is critical to overcome the mentality that cybersecurity is simply a technology problem or an IT issue. It should be firmly on the corporate management agenda.

Fraud is inevitable, regardless of the technology being used. Collaborative efforts between banks, businesses, government and individual consumers must improve.

No one group alone can effectively end online credit card fraud. Nor should they be expected to.

Author: Cassandra Cross, Senior Lecturer in Criminology, Queensland University of Technology

NZ Reserve Bank outlines stance on cyber issues

The New Zealand Reserve Bank had thought about whether to introduce more prescriptive requirements in managing cyber security risks but decided not to at this stage.

A recent paper by the Committee on the Global Financial System (CGFS) and Financial Stability Board highlights that financial risk in fintech platforms may be higher than at banks due to greater exposure to digital processes. Some new fintech platforms rely on investor confidence for new business, so are particularly vulnerable to a significant operational risk event, including cyber-attack that may result in a loss of investor confidence.

Firms in the finance sector, regulators, and other authorities all have a part to play in managing cyber security risks while still benefiting from the opportunities of new financial technology.

“The dynamic cyber environment means organisations have to be nimble in their approach to cyber security – focused on outcomes, rather than prescriptive compliance exercises,” Reserve Bank Head of Prudential Supervision, Toby Fiennes, said in a speech delivered today to the Future of Financial Services conference, in Auckland.

He said that cyber-attack poses a significant threat to the global financial system, as shown by the ‘WannaCry’ ransomware attack that affected more than 200,000 systems around the world and the more recent ‘NotPetya’ attack.

“The nature and incidence of cyber risk is unique, meaning that typical approaches to risk management and disaster recovery planning may not be appropriate. While cyber vulnerabilities can be mitigated, the potential sources of cyber threats and the attack footprint are just too broad, so they can never be eliminated,” Mr Fiennes said.

“We doubt that prescriptive regulations would appreciably improve the outcome, when the technology and threat landscape are both changing so rapidly. We will, however, review this policy stance from time-to-time to ensure that it remains appropriate,” Mr Fiennes said.

“The Reserve Bank is closely watching the emerging wave of ‘digital disruption’ affecting the financial sector as firms react to customer demand for a more online experience. In the short term, digital disruption may result in new risks and increased instability in the financial system but in the long term, digital disruption of the banking sector may improve the efficiency of the financial system. The long-term impact on financial system soundness is less clear.

“We’re working with other agencies, such as the FMA and Ministry of Business, Innovation and Employment, to ensure that New Zealand presents an environment where digital financial innovation can flourish, provided it is done safely. In our view, New Zealand’s financial market regulatory settings support innovation and industry-based solutions and we see no need to actively steer potential solutions from industry by providing a concessionary environment for new entrants.

“As the prudential regulator, we’re looking at whether financial institutions appear to be taking cyber risks sufficiently seriously. We look to self-discipline and market discipline to provide the defences, agility and crisis preparedness that are required,” Mr Fiennes said.


Fraudsters target brokers in Sydney hotspots

From The Adviser.

Incidents of fraud through the broker channel are skyrocketing, according to Equifax, which has now revealed the top suburbs where fraud is most prevalent.

Speaking at the Pepper Money Insights Roadshow in Sydney yesterday, Equifax BDM Steve Arsinoski shared data from the Veda shared fraud database, highlighting a 33 per cent year-on-year (YOY) increase in fraud. Identity theft is the fastest growing type of fraud, with an 80 per cent YOY increase.

“Thirteen per cent of frauds reported were targeting home loans and there has been a 25 per cent year-on-year increase in frauds originating from the broker channel,” Mr Arsinoski said.

“What we have noticed is that fraud through the broker channel is increasing, and that may be because fraudsters are becoming more sophisticated in the way they are applying for certain products. With the technology they have available they can fabricate certain documentation,” he said.

Equifax data found that 27 per cent of all mortgage fraud cases involved falsifying personal details.

While online is the preferred channel for fraudsters (57 per cent), 15 per cent of fraud cases are coming through the broker channel and 13 per cent through branches.

“Branch channel fraud is around 13 per cent, which showed signs of slowing down in 2015 but there has been a resurgence. We are finding branch fraud is continuing to increase,” Mr Arsinoski said.

“Broker fraud is sitting at 15 per cent. It is not drastically higher than branch fraud, but what is alarming is that we are seeing that 25 per cent growth from the previous year,” he said.

Over 72 per cent of all fraud cases are occurring in the Greater Sydney and Melbourne areas. Mr Arsinoski highlighted that Parramatta, in Sydney’s west, was a particular hotspot.

However, the fastest growing areas for fraud in Australia, with a 130 per cent increase in incidents over the second half of 2016, were Newcastle and Lake Macquarie.

Richmond, in Sydney’s north-west, recorded a 127 per cent surge in incidents over the half, while Baulkham Hills and the Hawkesbury region saw a 111 per cent increase.

Illawarra, Brisbane Inner City, the Sunshine Coast and Geelong were also named as fraud hotspots.

The four main types of mortgage fraud are falsifying personal details (71 per cent), identity takeover (19 per cent), fabricated identity (4 per cent) and undisclosed debt/serviceability fraud (4 per cent).

Mr Arsinoski urged brokers to report fraud as early as possible and suggested how it can be identified.

“If you could find or pick up fraud early on and identify any discrepancies, raise them earlier rather than letting the loan application go through. If the lender finds some inconsistencies and reports it to the originator, this is going to be a massive waste of your time and affect your commissions,” he said.

“The biggest impact on a broker is the loss of credibility. I’ve spoken to many brokers and they say reputation and their brand are the most important things in being able to generate leads and referrals.”

How brokers can combat fraud:

  • Ask questions to uncover fraudsters. The face-to-face interview is the best time to get to know your customer and do a thorough needs analysis. It is also the perfect opportunity to find holes in their story. Use your intuition.
  • Validate information via internet searches.
  • Ask the borrower to identify any C-level executives at the organisation they say they work for.
  • Get consent to record the interview.
  • Look out for an unencumbered property offered as security.
  • Ask for original payslips or bank statements, or have the client download them in front of you.
  • Use ZipID for identity verification.

Businesses warned of a malicious NAB email scam

From Smart Company.

A simple email phishing attack impersonating big four bank NAB was reportedly sent to thousands of Australians yesterday, notifying them their account was disabled in an attempt to steal users’ banking details.

Mailguard reports the email was sent around on Thursday afternoon, stemming from a legitimate-looking email address, “discharge.authority@nab.com.au”.

The subject line included just the word “Notification” with the email itself being nothing more than a four line message telling customers their account had been “disabled”.

The malicious email then directed users to a website with a realistic-looking NAB login screen, inviting users to enter their NAB ID and password. The website included links to register for a NAB account and “forgotten password” prompts to boost the appearance of legitimacy.

The purpose of a phishing scam is to steal an unsuspecting user’s login details or personal data by posing as a legitimate company. Examples in the past have included emails appearing to be from Australia Post, Amazon, and Twitter.

In response, Fairfax reports NAB had successfully issued a takedown notice for the fake website, with a spokesperson saying “we remind customers, NAB will never ask you to confirm, update or disclose personal or banking information via email or text”.

On the bank’s website, it advises customers to forward any malicious emails to spoof[at]nab.com.au and then delete the email.

Source: Mailguard

Many recent phishing emails have relied on well-crafted and apparently legitimate websites to fool customers, and founder of IT services company Combo David Markus told SmartCompany this morning that setting one of these fake sites up is a matter of “a few hours work” for a cyber criminal.

“Once it’s created, a cyber criminal can create multiple copies of multiple different web servers and run the phishing attack over and over again,” he says.

“Phishing attacks have become a numbers game, with hackers looking for the cheapest and most efficient way to get dollars out of our bank accounts, and it’s all about the number of people they catch.

“If they make $100, that’s a good day.”

Markus says the scammers have chosen to pose as a big bank like NAB in the hope of increasing the number of users duped by the attack, saying people are more likely to click on something they’re familiar with. However, on the spectrum of cyber attacks, Markus calls this one “relatively unsophisticated”.

“I would say these days it’s a relatively unsophisticated attack, but unfortunately there are enough unsophisticated recipients they’re going to keep catching enough people out to make it worthwhile,” he says.

Markus’ advice is to avoid clicking on any links in emails like these and instead to use traditional channels to check the status of your bank account.

“If someone sends you something that you click on and it wants you to enter your password, don’t,” he says.

“Go via the company’s homepage or however you would usually check your account. Never follow any links in emails that ask for your username or password.”

SmartCompany contacted NAB but was not provided with a statement prior to publication.

Time To Turn Up The Cyber-security Wick

Given the massive shift to the digital world, cyber-security is something which should be front of mind for financial institutions. But awareness needs to penetrate throughout these institutions, as well as out to their customers and up to the executive suite. This is not just something for the IT security “experts”. It is about awareness and cultural change.

As the Government’s recent Cyber Security Strategy highlighted, Australians have quickly embraced economic opportunities in cyberspace.

In 2014 alone, the Internet based economy contributed $79 billion to the Australian economy (or 5.1 per cent of GDP). This amount could grow to $139 billion annually (7.3 per cent of GDP) by 2020 as more devices, services and people are connected online.

Figures vary, but cybercrime is estimated to cost Australians over $1 billion each year. Worldwide, losses from cyber security attacks are estimated to cost economies around one per cent of GDP per year. On this basis, the real impact of cybercrime to Australia could be around $17 billion annually. These costs are expected to rise. Government, telecommunications, resources, energy, defence, banking and finance sectors are likely to remain key targets for cyber criminals and malicious state actors alike.

It is estimated that by 2020 there will be at least 50 billion devices connected to the Internet globally. This explosion of connectivity will accelerate innovation in products and services, providing new business opportunities and new jobs.

However, the more connected ‘things’ are, the more targets there are for malicious actors. Part of the problem is that online security has not been considered in the design of many of the devices connected to the Internet. This has made it easier for malicious actors to disrupt and damage networks.

As an example of how vulnerable Internet connected devices can be, in 2015 the popular technology website Wired.com reported that security researchers had hacked into the electronics of a US car through its online entertainment system, changing its speed and braking capability before shutting the car engine down remotely. This demonstration led to the manufacturer having to provide software updates for 1.4 million US cars and trucks fitted with the same entertainment system.

Increased connectivity is also changing the relationship between consumers and businesses; it is fragmenting supply chains and business models. In turn, this will affect how people live and work, and how industries and economies perform.

Australia is the third most targeted country for banking botnets.

The need to get serious was reinforced recently when the New York State Department of Financial Services announced a proposed regulation, the first of its kind in the United States, to protect New York State from the ever-growing threat of cyber-attacks. It could become a template for other jurisdictions, and it imposes significant mandatory obligations on financial sector firms.

The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services to establish and maintain a cyber-security program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

The proposed regulation is subject to a 45-day notice and public comment period following the September 28, 2016 publication in the New York State register before its final issuance. It requires regulated financial institutions to establish a cyber-security program; adopt a written cyber-security policy; designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing its new program and policy; and have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, along with a variety of other requirements to protect the confidentiality, integrity and availability of information systems.

The proposed regulation by the Department of Financial Services includes certain regulatory minimum standards while maintaining flexibility so that the final rule does not limit industry innovation and instead encourages firms to keep pace with technological advances.

New York State Department of Financial Services Superintendent Maria T. Vullo said, “Consumers must be confident that their sensitive nonpublic information is being protected and handled appropriately by the financial institutions that they are doing business with. DFS designed this groundbreaking proposed regulation on current principles and has built in the flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs. Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.”

The recent Security Innovation Network’s SINET 61 conference in Sydney highlighted the risks to banks and underscored that this was more a cultural issue than a technical one. Banking staff need to be sensitised to potential risks around “phishing” emails. Some are being tested with “cyber security fire drills”, in which staff are sent simulated phishing emails to see who clicks. Many speakers suggested that the issue was just not being taken seriously enough.

This is despite the “2015 Cyber Security Survey: Major Australian Businesses” published by the Australian Cyber Security Centre (ACSC) with CERT Australia (one of its partner agencies). Industry data was collected from major Australian businesses that partner with CERT Australia and that underpin the social and economic welfare of Australia and deliver essential services, including banking and finance, defence industry providers, communications, energy, resources, transport and water. This component of the survey was hosted through an online survey platform. Most of the respondents (67%) were from large organisations (200+ employees), 23% were from medium-sized organisations (21-199 employees) and 10% were from small organisations (fewer than 20 employees).

The results highlight that cyber security incidents are still common and recurrent for Australian businesses. Half of the respondents reported experiencing at least one cyber incident that compromised the confidentiality, integrity or availability of a network’s data or systems in the last year.

They say that IT security awareness and practices of general staff appear to have improved since 2013. However, many cyber threats now feature well-crafted socially-engineered emails that make it difficult for the user to determine legitimacy, regardless of training. The rise of these threats could be behind the shift in investment moving away from awareness training toward more technical controls in an effort to prevent the user from having to make a judgement call.

The findings also demonstrate that industry organisations are yet to be convinced of the benefits of reporting incidents. Many industry organisations chose not to report incidents as there was no perceived benefit to them.

77% of respondents have cyber security incident response plans in place, but only 37% of these regularly review them. Industry organisations were asked what other types of IT security policies, plans or procedures they were using. Basic security policies, plans and procedures are being applied by the majority of organisations. For example, 93% have an information security policy, 89% have business continuity/disaster recovery plans, 87% undertake network monitoring and 78% have a backup or archiving policy. While the majority of organisations are using some security policies, there are areas for improvement. For example, less than half of respondents have a system security plan in place (44%), and only 51% of organisations have a removable media policy.

Ransomware and malware were the most frequent incidents, but more than 15% of incidents involved external unauthorised access, and 10% involved banking malware.

Australia’s AU$240 million cybersecurity strategy will focus on closer collaboration with business.

The Australian government will spend hundreds of millions of dollars defending Australia from foreign cyber attacks, and has stated it employs offensive cyber capabilities to deter possible attacks — which could mean employing hackers to disrupt activities overseas.

Technical solutions are important but cultural change will be most effective in mitigating this form of cyber attack.

As businesses and governments we must better educate and empower our employees to use sound practices online. This Strategy seeks to promote an improved institutional cyber culture and raise awareness of cyber practice across government and business to enable all Australians to be secure online.
Time for the carrot and stick, I think!