Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Crime

Combating Cybercrime to Protect Organisations

PWC have released their annual Cybercrime report, “Cybercrime: protecting against the growing threat – Global Economic Crime Survey“, and as usual it makes very scary reading.

The report shows that crime is up and those organisations have been slow to react to the threats. Threats that were highlighted in previous reports.

Organisations of all sizes need to improve their abilities to protect their sensitive data and the report focuses on several area that need addressing, for example awareness of the threats in senior management and training for employees in how to spot crime and how to take the appropriate steps to react to the incident (Incident Response Planning…).

There needs to be adequate protection in the form of technology, procedures and policies for the proposed awareness and training to be effective and efficient.

The report is based upon 3,877 respondents from organisations in 78 countries. The scale of the survey has provided a global picture of economic crime.

The key findings of the report are shown in full, with the remainder of the post focusing on the statistics shown in the report.

Key Findings from the PWC “Cybercrime: protecting against the growing threat” report

Our sixth report paints a dramatic picture of UK organisations still struggling in the face of severe austerity cuts.

Economic crime has risen by 8 percentage points since our 2009 survey, with over half of respondents reporting at least one instance of economic crime in the last 12 months. Even more concerning for Senior executives was the fact that 24% of respondents reported more than ten incidents in the last 12 months.

Our findings suggest that the combination of rising economic crime in the UK, and widespread austerity cuts that limit the resources available to focus on economic crime, has made today’s business environment altogether more difficult and risky.

Cybercrime has become the third most common type of economic crime, whilst levels of ‘conventional’ economic crime have fallen (asset misappropriation has fallen by 8 percentage points since 2009, and accounting fraud by 5 percentage points in the same period). So we think organisations need to take a fresh look at how they deal with fraud.

Cybercrime now regularly attracts the attention of politicians and the media, and should be a concern to business leaders as well. Our survey gave respondents their first direct opportunity to highlight cybercrime as one of the main economic crimes they had experienced, and over a quarter of those who had reported economic crime in the last 12 months did so. The largest number of these were from the financial services sector.

Our survey shows that organisations need to be clear about exactly what cybercrime is, and who is responsible for managing it.

Economic crime perpetrated externally has increased and fraud carried out by employees within the organisation is declining.

Statistics extracted from the report

  • 47% of respondents said the cybercrime threats have increased over the last 12 months
  • 84% of respondents who identified an economic crime had carried out at least one fraud risk assessment in the last 12 months
  • 19% of UK respondents didn’t perform a fraud risk assessment in the last 12 months. This is a much lower figure compared with the global 29% of respondents
  • Over half of UK respondents reported economic crime in the last 12 months, compared with 34% globally
  • 51% of respondents experienced fraud in the last 12 months (UK)
  • 26% of those who experienced an economic crime in the last 12 months reported a cybercrime
  • 48% of respondents felt that responsibility for detecting and preventing cybercrime falls to the Chief Information Officer, the Technology Director or the Chief Security Officer
  • 66% of respondents said they had reported a cybercrime incident to law enforcement, compared with 76% of those who experienced economic crime
  • 54% of respondents representing organisations with offices in more than 20 countries saw an increased risk from cybercrime in the last 12 months. 35% of respondents representing organisations based just in the UK perceived a similar rise

Cybercrime awareness

  • The most effective way to raise cyber security awareness is through face-to-face training. In spite of this, only 24% of UK respondents received this type of training
  • 33% see cyber security as the responsibility of the Chief Executive Officer and the Board, the global figure is 21%
  • One in five respondents said the CEO and the Board only review these risks on an ad hoc basis

Response to cyber crime

  • 16% of UK respondents said their organisation has in place all five of the measures specified in the survey, compared with 12% of global respondents – see the link to the full report below.
  • 83% were concerned about reputational damage
  • 57% of respondents representing UK organisations have a media and public relations plan in place. The global response was 44%
  • 28% of respondents said they didn’t have any access to forensic technology investigators

Profile of the internal fraudster

  • male
  • aged between 31 and 40
  • employed with the organisation for between three and five years
  • educated to high school and not degree level

Top 5 departments perceived to present the biggest cybercrime risk

UK  Global
1. Information technology 52 53
2. Operations 42 39
3. Sales and marketing 36 34
4. Finance 37 32
5. Physical/Information security 22 25

Find the full report here.

.

Advertisements

Advice for Small Businesses on how to avoid Identity theft

The Identity Theft Council (ITC) has recently issued a press release promoting Identity Theft awareness and offered advice on how to avoid the problem.

They quote from a Javelin Strategy & Research study found that fraud suffered by

  • Small Business Owners (SMBO) totaled an $8 billion
  • Banks, merchants and other providers absorbed at least $5.43 billion of that loss
  • The cost to victims was $2.61 billion

According to the U.S. Small Business Administration, the small business represents more than 99 percent of all U.S. businesses, and of the estimated 27 million small businesses, more than 21 million are sole proprietors. The ITC concluded that small business were ideal candidates for identity theft.

“The ITC works with individual identity theft victims and small business owners to educate them about identity theft and to provide resolution services,” said Neal O’Farrell, Executive Director of the Identity Theft Council (ITC), and security expert. “Unfortunately, small business owners are being targeted more today than ever before due to the criminals ability to easily access important information and go undetected.”

Identity Theft Council Tips for Preventions and Detection:

  • Write a security plan. Security starts with a plan. A plan can be as simple as the security rules, guidelines, and goals for your business, and the consequences for ignoring them. A plan is also an easy way to help you remember your security priorities.
  • Do an inventory of your data. Data is what the thieves want, whether its customer account or credit card data, employee Social Security numbers, or even databases of target customers. If you don’t know what data you have in your business, or where it is, then you can’t effectively protect it.
  • Train your employees. Enlist every employee, family member, partner, and contractor as a vigilant sentry so that every stakeholder understands how to protect their corner of cyberspace. Most thieves will target the weakest link, and that’s usually a careless or untrained employee.
  • Guard your business accounts well. As a business owner you don’t enjoy the benefits of zero liability, so if your account is emptied by crooks, the bank won’t bail you out.
  • Restrict employee and insider access to data. For everyone’s safety employees should only have access to the data they need to do their job. And that access should also be monitored.
  • Be especially wary of banking Trojans. These highly sophisticated programs can easily creep on to your computers, steal banks logins and passwords, and quickly empty your bank accounts.
  • Monitor your bank accounts and credit cards constantly. These can often provide the earliest warning that thieves have obtained your account information and have started to use it. Most financial institutions provide free instant alerts to warn you about any unusual account activity.
  • Be wary of business identity theft, too. Business identity theft is a growing problem, and it involves criminals using publicly available information about your company to pretend to be the legitimate owners of your business so they can take out substantial loans and leave you to clean up the mess. An easy precaution is to regularly Google your business name for any clones.
  • Use the available technologies. As a small business owner you have many choices when it comes to protecting your employees, your computers, and your data from cyber thieves. And some of the best tools are free. So make sure every computer in your business is locked down with layers of security technology.

“As a co-founder of the Identity Theft Council, Intersections believes in helping victims of ID theft find resolution, and in educating the community about how to protect themselves from the crime,” said Michael Stanfield, Chairman and CEO of Intersections Inc. “Small business owners are a unique group of victims that straddle between the consumer and business world, and are a prime target for criminals.”

Find the ITC website here

.

FBI Releases Bank Crime Statistics for Second Quarter of 2011

The Seal of the United States Federal Bureau o...
Image via Wikipedia

Whilst not being strictly an IT Security or Compliance story the statistics are very interesting and in particular the break down of who has done what and where which are contained in the full report which can be found here.

During the second quarter of 2011, there were 1,023 reported violations of the Federal Bank Robbery and Incidental Crimes Statue, a decrease from the 1,146 reported violations in the same quarter of 2010.1

According to statistics released by the FBI, there were 1,007 robberies, 15 burglaries, one larceny, and two extortions of financial institutions2 reported between April 1, 2011 and June 30, 2011.

Highlights of the report include:

  • Loot was taken in 91 percent of the incidents, totaling more than $7.8 million
  • Of the loot taken, 23 percent of it was recovered. More than $1.8 million was recovered and returned to financial institutions
  • Bank crimes most frequently occurred on Friday. Regardless of the day, the time frame when bank crimes occurred most frequently was between 9:00 a.m. and 11:00 a.m
  • Acts of violence were committed in 4 percent of the incidents, resulting in 31 injuries, one death, and three persons taken hostage3
  • Demand notes 4 were the most common modus operandi used
  • Most violations occurred in the Southern region of the U.S., with 373 reported incidents

These statistics were recorded as of August 2, 2011. Note that not all bank crimes are reported to the FBI, and therefore the report is not a complete statistical compilation of all bank crimes that occurred in the U.S.

1 In the second quarter of 2010, there were 1,135 robberies, 11 burglaries, zero larcenies, and one extortion reported
2
Financial institutions include commercial banks, mutual savings banks, savings and loan associations, and credit unions
3 One or more acts of violence may occur during an incident
4 More than one modus operandi may have been used during an incident

.

eCrime Trends Report Q1 2011 – Phishing Up – Rustock Down

Internet Identity (IID) has released their eCrime Trends Report: First Quarter 2011.

The report is a summary of statistics and news items from this year’s first quarter and serves as a useful reminder of how regularly breaches occur and how easy it is to forget about the last big breach.

Every month seems to have another record for the largest breach, Epsilon was usurped by Sony, who will be next? This is why quarterly reviews are so important.

The highlights of the IID report are below:

IT security firms in the cybercrime crosshairs

  • Breach of HBGary Federal reveals vulnerability of the extended enterprise
  • Internal emails exposed information about partners and clients
  • RSA Security breach

Notorious Rustock botnet goes offline

  • Microsoft and law enforcement cooperate in unprecedented action to shut down and confiscate criminal servers
  • Significant reduction in spam noted worldwide

Phishing attacks

  • National banks saw increase of 11% over Q4 2010
  • Banks outside the U.S. increased most dramatically
  • Recent database breaches could lead to increased spear phishing in the coming quarter
  • Compared to Q4 2010, Phish targeting larger, national banks increased 11%. Much of the growth was seen in non-US based banks, which took three of the top five spots among banks
  • Phishing in Q1 2011 grew 12% over Q1 2010.

Parts of the Internet went dark in Q1 for a variety of reasons

  • Egyptian ISPs ordered to shut down following Internet-led protests
  • Mooo.com seizure by DHS temporarily suspended 80,000 subdomains
  • Rabobank blackholed its own DNS records in an attempt to combat DDoS attack

“As we’ve seen with recent attacks against Sony’s PlayStation Network and Epsilon, cyber criminals now have inside information about tens of millions of customers to use in highly targeted phishing campaigns,” said IID President and CTO Rod Rasmussen.

“The worry is that with all of this specific data, cyber criminals have all they need to convince people to share their highly valuable personal information. Organizations must ensure they are taking every measure to stop these attacks, including blocking access to phishing sites and command and control domains for malware that exfiltrates data. This should be done with e-mail filtering, firewalls and secure domain name system resolvers.” 

Read the full report here.

.

Risk of identity theft in hotel declines – USATODAY.com

Hotels are no longer the No. 1 target of hackers in their quest to steal credit card information but your data still has a higher chance of being stolen inside a hotel, a veteran cybersleuth tells Hotel Check-In.

Last year, hotels became a top priority for online criminals seeking to steal travelers’ credit-card information and other data.

But this year, online thieves are now focusing on restaurants, Nicholas Percoco, senior vice president and head of SpiderLabs at data security firm Trustwave, told me. That means they might target a posh hotel restaurant with a sommelier, a fast-food joint or anything else in between.

Thieves started to ease up on hotel computer systems in mid-2010, about 18 months after attacking Wyndham hotel computers and computers of other chains.

I asked Percoco if hotels moved down a notch because the industry spent more money to protect their computer systems, if travelers got smarter or if thieves just decided to move on.

It’s a mix, he told me. Many of the big chains – like Marriott, Hilton and InterContinental Hotels Group, though he wouldn’t name names – have thrown resources to shore up their computer security, he told me.

Furthermore, all the media reports about hotels being at risk for cybercrimes made the thieves fearful that they could get caught.

As they did with hotels, these cybercriminals look for a weak link in a restaurant or fast-food chain and enter their computer system to steal credit-card information and other data

Risk of identity theft in hotel declines – USATODAY.com.

http://travel.usatoday.com/hotels/post/2011/02/trustwave-spiderlabs-hotels-hackers-identity-security/142372/1

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: