Cybercrime is on the rise: large-scale fraud attacks, consumer data breaches and politically-motivated Distributed Denial of Service (DDoS) attacks on financial institutions and others are costing businesses billions of dollars every year. Much of this growth stems from the maturation of the criminal digital underground and its "industrial" approach to cybercrime. The industrialization of fraud has led to both an increase in large-scale data breaches and an increase in the number and size of high-volume fraud attacks.
The recent rash of attacks against Target and other top retailers is likely to be the leading edge of a wave of serious cybercrime, as hackers become increasingly skilled at breaching the nation’s antiquated payment systems, experts say. Target has announced that CEO Gregg Steinhafel, who is also president and chairman of the board, will step down immediately, in large part, due to the costly cyber-attack. That makes Steinhafel the highest-profile corporate casualty in a world where data breaches can affect millions of consumers, and cost a company billions in sales and years of customer loyalty. This action clearly advances the responsibility for protecting a company’s data systems up the chain of command.
In the past, banks, retailers and policymakers have been slow to address the growing sophistication of cybercriminals. Only 11 percent of businesses have adopted industry-standard security measures, said a recent report by Verizon Enterprise Solutions, and outside experts say even these "best practices" fall short of what's needed to defeat aggressive hackers lured by the prospect of a multimillion-dollar heist. Experts say that reversing the rise in major data breaches would require expensive upgrades, including the adoption of end-to-end encryption, the walling-off of the most sensitive data on separate networks, and the adoption of newer credit card technology that holds customer information on an embedded chip rather than the familiar black magnetic stripe now on most American cards. Credit card chips can communicate with banks in a way that better protects a user's private information, often requiring a personal identification number to verify a purchase. Such systems are widespread in most of the developed world but are appearing in the United States only gradually.
In response to its costly experience, Target will switch its branded credit and debit cards to MasterCard from Visa early next year. The new cards will use a more secure chip-and-PIN technology instead of relying on the current magnetic stripe system and earlier this year, Target said it was speeding up a $100-million initiative to make its stores compatible with the upgraded cards.
But while most of the media attention for failures to secure a company's data systems tends to be reserved for mega companies, mid-sized and small businesses are likely to become cyber-criminals' next favorite target as the larger firms beef up their security, making it more difficult for hackers to intrude. Developing an effective, dynamic cyber-security strategy is critical for more modest businesses to survive in the digital business environment. Businesses must take some immediate steps to improve their security systems to adjust to an ever-evolving threat landscape:
- Understand that in the digital world, being able to recognize devices and the relationships between the device and the user, irrespective of the identity they claim to represent, is a key competency.
- Recognize that in an age of industrialized fraud, evaluating whether the person submitting a request is risky is as important as determining whether the request is typical for the customer. To combat this threat, banks should implement capabilities that include a risk component when evaluating transactions.
- Implement measures that search for signs of repeated account surveillance or manipulation activities. All forms of mass production introduce repetitive methods and patterns. These patterns offer opportunities to detect the fraud. Instead of looking at transactions in isolation, banks should look for the signs of an automated process.
- Plan for dealing with spikes in fraud alerts. Automated processes allow an attacker to ramp up their volumes exponentially. Those responsible for fraud detection need to consider how their manual processes would fare against an attack that involves tens of thousands of events within a few hours.
- Improve situational awareness to correlate events across lines of business and channels to detect offending devices.
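The five recommendations above describe detection logic rather than a product, so the following is an added example (not code from the article or from any institution it mentions) of how they combine in practice: it recognizes devices independently of the account they claim, flags machine-like cadence and account fan-out as signs of an automated process, correlates a device's activity across channels, and projects whether the resulting alert burst would exceed a manual review team's hourly capacity. The transaction events, device and account identifiers, and all thresholds are constructed for illustration.

```python
"""Detect signs of industrialized (automated, cross-channel) fraud in a transaction stream."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample events (not real data): (timestamp, channel, device_id, account_id, amount).
# Devices dev-1 and dev-2 behave like ordinary customers. Device dev-42 is scripted: it touches
# twelve different accounts across two channels at a fixed 20-second cadence.
SAMPLE_EVENTS = [
    ("2014-05-01T09:00:00", "web", "dev-1", "acct-100", 42.10),
    ("2014-05-01T09:07:00", "mobile", "dev-2", "acct-101", 15.00),
    ("2014-05-01T09:30:00", "web", "dev-1", "acct-100", 9.99),
] + [
    ("2014-05-01T10:%02d:%02d" % divmod(i * 20, 60),
     "web" if i % 2 == 0 else "mobile", "dev-42", "acct-%d" % (200 + i), 1.00)
    for i in range(12)
]


def parse(raw_events):
    """Turn ISO-8601 timestamps into datetime objects; other fields pass through."""
    return [(datetime.fromisoformat(ts), ch, dev, acct, amt) for ts, ch, dev, acct, amt in raw_events]


def device_fanout(events, max_accounts=3):
    """Devices operating more distinct accounts than a legitimate user plausibly would."""
    accounts = defaultdict(set)
    for _, _, dev, acct, _ in events:
        accounts[dev].add(acct)
    return {dev: len(a) for dev, a in accounts.items() if len(a) > max_accounts}


def machine_like_timing(events, min_events=5, max_cv=0.2):
    """Devices whose inter-arrival gaps are too regular for a human (coefficient of variation < max_cv)."""
    times = defaultdict(list)
    for ts, _, dev, _, _ in events:
        times[dev].append(ts)
    flagged = {}
    for dev, ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m < max_cv:
            flagged[dev] = round(m, 1)  # mean gap in seconds
    return flagged


def cross_channel_devices(events, min_channels=2):
    """Devices seen on several channels; correlating across channels is what exposes them."""
    channels = defaultdict(set)
    for _, ch, dev, _, _ in events:
        channels[dev].add(ch)
    return {dev: sorted(c) for dev, c in channels.items() if len(c) >= min_channels}


def alert_burst(alert_times, window=timedelta(hours=1), manual_capacity=5):
    """Peak alerts in any sliding window, and whether that exceeds what analysts can review by hand."""
    alert_times = sorted(alert_times)
    peak = start = 0
    for end, t in enumerate(alert_times):
        while t - alert_times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak, peak > manual_capacity


def risk_report(raw_events):
    """Score each suspect device and project the alert load the detections would generate."""
    events = parse(raw_events)
    fanout = device_fanout(events)
    timing = machine_like_timing(events)
    channels = cross_channel_devices(events)
    report = {}
    for dev in set(fanout) | set(timing):
        score, reasons = 0, []
        if dev in fanout:
            score += 40
            reasons.append("%d distinct accounts" % fanout[dev])
        if dev in timing:
            score += 40
            reasons.append("regular %.1fs cadence" % timing[dev])
        if dev in channels:
            score += 20
            reasons.append("active on " + "/".join(channels[dev]))
        report[dev] = {"score": score, "reasons": reasons}
    alert_times = [ts for ts, _, dev, _, _ in events if dev in report]
    peak, overwhelmed = alert_burst(alert_times)
    return report, peak, overwhelmed


if __name__ == "__main__":
    devices, peak, overwhelmed = risk_report(SAMPLE_EVENTS)
    for dev, info in devices.items():
        print(dev, info["score"], "; ".join(info["reasons"]))
    print("peak alerts per hour:", peak, "| exceeds manual capacity:", overwhelmed)
```

Each detector looks at the device, not the claimed identity, so a single scripted device that rotates through accounts and channels stands out even when every individual transaction looks normal for its account. The `alert_burst` projection is the planning step: if a run of this size already exceeds the review team's hourly capacity, the response to a real campaign has to be automated (throttling or step-up authentication on the offending device) rather than case-by-case.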
Cybercrime cost U.S. companies an average of $11.5 million in 2012, according to a study by the Ponemon Institute, up 26 percent compared with the previous year. The effect on victim businesses and consumers alike can last for years as companies struggle to recover from breaches of proprietary data and increasing numbers of consumers are left vulnerable to bogus charges and potential identity theft. A proactive strategy for cyber-security is imperative for businesses to avoid becoming the cybercriminals' next "Target".