Five ways companies can reduce their risk from cyber-criminals

Some of the biggest bank heists and would-be thefts that we know about have taken place in recent months.

PUBLISHED : Friday, 27 May, 2016, 2:45pm
UPDATED : Friday, 27 May, 2016, 2:45pm

Forget The Great Train Robbery: some of the biggest bank heists and would-be thefts that we know about have taken place in recent months. The cyber-attack on Bangladesh Bank resulted in the theft of US$81 million, one of the top 10 bank heists in history, by way of fraudulent payment instructions sent to the Federal Reserve Bank of New York. In short, it was a global operation.

Weeks later it emerged that a Vietnamese bank had also been targeted by thieves through fraudulent bank transactions.

Cyber-criminal activity is not limited to financial services companies like banks and insurers. Any business that relies on networked technology, for example to transfer money to a customer or vendor, is vulnerable to cyber-attacks. Therefore all companies must prioritise mitigating risk. While most companies have invested in monitoring, surveillance and software, it is important not to neglect the risk exposure created by their own people and, in this digital age, by their customers.

Action novels highlight the more spectacular examples of risk. Usually the plot involves a trusted employee going rogue, or a criminal taking a job at a bank, a high-powered company or a third-party vendor for the express purpose of gaining access to passwords and codes, hacking the system and making off with money or intellectual property. But often the most vulnerable access point for theft is each of us. Criminals often attack the customer, who is the weakest link, by going after account information stored on home computers and mobile devices with weak or no protection.


Criminals install malware, often delivered by “phishing” emails, to compromise customers’ data, and they have even been known to set up fake accounts to direct traffic where they want it to go.

Regardless of where or how the breach takes place, companies, particularly financial services companies at the nexus of cross-border payments such as those in Hong Kong, need to protect themselves. Management needs to be aligned, bringing fraud prevention, IT security and compliance together into a more cohesive group, possibly with a chief cyber-risk officer overseeing all digital security measures.

In our work with global financial services institutions, we have identified five key factors that should be addressed:

1. Train: Most institutions have this in place, but it needs to be an ongoing process for staff so they are attuned to the danger signs of the latest cyber activity and ready to respond.

2. Control: There is no substitute for a holistic risk assessment and control management framework, with robust monitoring and testing.

3. Measure: Use robotics and analytics to identify potential risk indicators, such as employees working outside normal hours, employees with poor performance reviews who have access to customer data, or the downloading of unusually large files. These signals correlate with misbehaviour or outright crime and should trigger a review; on their own they are indicators, not proof.

4. Cyber tsar: Consider appointing a “cyber tsar” position to set policy and influence activities, or the creation of an enterprise-wide cyber risk function to identify, measure and respond to threats.

5. Response: Plan for the worst. A comprehensive resiliency plan — which includes elements such as event response, communications, crisis management, detection, threat identification and operational monitoring — can help minimise losses and protect the organisation’s reputation in the event of a breach.
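The analytics in point 3 can be made concrete. What follows is an added example, not code from the article or from Accenture: it scores constructed access-log records against the three indicators named there (activity outside business hours, customer-data access by an employee with a poor performance review, and unusually large downloads) and ranks records that trip several indicators at once ahead of those that trip one. The log format, the `crm/` naming convention for customer-data resources, the business-hours window, the download-size threshold and the HR rating scale are all assumptions made for the example.

```python
"""Insider-risk indicator scoring over access-log records.

Added example, not from the article. Flags the three signals named in
the "Measure" point: activity outside business hours, customer-data
access by an employee with a poor performance review, and unusually
large downloads. Every hit is an indicator to review, not proof of
wrongdoing. All data below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, time
from statistics import median

# Constructed HR lookup: employee id -> latest review rating (1 = poor, 5 = strong). Assumed scale.
REVIEW_RATING = {"e1001": 4, "e1002": 1, "e1003": 3}

# Constructed access log: (ISO timestamp, employee id, resource path, bytes downloaded)
ACCESS_LOG = [
    ("2016-05-16T09:15:00", "e1001", "crm/customer_records", 120_000),
    ("2016-05-16T14:02:00", "e1002", "crm/customer_records", 95_000),
    ("2016-05-16T23:48:00", "e1003", "finance/ledger", 80_000),
    ("2016-05-17T02:10:00", "e1002", "crm/customer_records", 4_800_000),
    ("2016-05-17T10:30:00", "e1001", "hr/policies", 15_000),
]

BUSINESS_HOURS = (time(8, 0), time(19, 0))  # assumed local working window, Monday to Friday
POOR_REVIEW_THRESHOLD = 2                   # rating at or below this counts as "poor"
CUSTOMER_DATA_PREFIX = "crm/"               # assumed naming convention for customer-data resources
LARGE_DOWNLOAD_FACTOR = 10                  # a download this many times the median size is "unusually large"


@dataclass
class Finding:
    employee: str
    timestamp: str
    reasons: list


def is_off_hours(ts: datetime) -> bool:
    """True on weekends or outside the business-hours window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def score_access_log(log, ratings) -> list:
    """Return one Finding per log record that trips at least one indicator,
    ordered so that records tripping the most indicators come first."""
    large_threshold = LARGE_DOWNLOAD_FACTOR * median(rec[3] for rec in log)
    findings = []
    for ts_str, emp, resource, nbytes in log:
        ts = datetime.fromisoformat(ts_str)
        reasons = []
        if is_off_hours(ts):
            reasons.append("activity outside business hours")
        if resource.startswith(CUSTOMER_DATA_PREFIX) and ratings.get(emp, 5) <= POOR_REVIEW_THRESHOLD:
            reasons.append("customer-data access by employee with a poor review")
        if nbytes >= large_threshold:
            reasons.append(f"unusually large download ({nbytes} bytes, threshold {large_threshold:.0f})")
        if reasons:
            findings.append(Finding(emp, ts_str, reasons))
    # Several indicators on one event is a stronger signal than any one alone.
    # The sort is stable, so records with equal counts keep their log order.
    findings.sort(key=lambda f: len(f.reasons), reverse=True)
    return findings


if __name__ == "__main__":
    for f in score_access_log(ACCESS_LOG, REVIEW_RATING):
        print(f.timestamp, f.employee, "; ".join(f.reasons))
```

On the sample data the 02:10 customer-records download by the poorly rated employee trips all three indicators and lands at the top of the review queue; the two single-indicator records follow. The "large download" threshold is relative to the median of the log being scored, so it adapts to each business unit's normal volumes instead of relying on a fixed byte count.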

A bank heist makes for an edge-of-your-seat movie, but it is no fun when it is your money, taken from your company, in real life. Given that we have lived through two attempts in the region in the past few months, Asia-Pacific companies need to be prepared. A comprehensive, organised approach to training, communicating with and monitoring people can help banks, and indeed all companies, limit their exposure to fraud perpetrated from both outside and inside the institution.

Aliette Leleux leads Accenture’s Finance and Risk business in Asia-Pacific.