In February, thieves stole $45 million from thousands of ATMs worldwide in a matter of hours. In New York City alone, 2,904 machines were hacked, yielding $2.4 million. According to Brooklyn’s federal prosecutor, information used to carry out the hack was initially located in India, but the withdrawals were made from ATMs using Visa and MasterCard prepaid debit cards issued by Ras Al Khaimah Bank in the United Arab Emirates and by Bank Muscat in Oman.
Such events point to the risks of our increasingly connected world. The vulnerabilities available to criminals, competitors and disgruntled insiders are increasing. According to the Gartner Group, the financial impact of cyber crime will grow 10 percent per year through 2016. In 2007 and 2008, the cost of cyber crime worldwide was estimated at approximately $8 billion. In addition, cyber criminals have stolen intellectual property with an estimated value of up to $1 trillion from businesses worldwide, according to Interpol.
In a survey by the consulting group PricewaterhouseCoopers, 61 percent of respondents indicated that they would stop using a company’s services or products after a security breach.
Certain industries, such as banking and financial services, public utilities and energy, are considered to be high-value targets. But other industries, and even individuals, are under attack as well. Whatever the organization, there may exist a strong motive to target it, including theft of customer data and intellectual property, unauthorized access to financial holdings and reputational damage.
Stories of compromised nuclear, oil, gas or other utility facilities are in the news almost every day. They highlight the front lines of the modern, global, electronic battlefield.
When it comes to information security, there appear to be more questions than answers. Discussions about managing the risks of compromised information technology (IT) systems are nowadays relatively common. But regulatory bodies and company boards across all industries have to pay more attention.
There are no real and accurate numbers that represent the magnitude of the threat in the Middle East. But it is as real here as it is in other regions, and perhaps even more grave, due to the maturity level of executive management.
The awareness and training required to secure a company’s cyber presence are absent among the majority of senior executives and management teams, including those in the banking sector. Those who are knowledgeable are often the ones who have already suffered an attack.
Even when the problem is addressed by hiring “experts”, management teams often are at the mercy of differing opinions and strategies. Perhaps the best place to start is to try to increase our collective understanding with regard to the potential dangers before figuring out what we can do about them.
The increased use of mobile devices coupled with social media such as Facebook or Twitter has led management teams to realize that they cannot live without sophisticated IT systems. Large reservoirs of data, such as analyses of customer behavior, create a new set of cyber-security issues. So, pragmatically, what are we talking about within banking and financial services?
While many IT departments within companies do try their best to create a secure environment with the maximum amount of protection, the fact remains that “attackers” have a totally different mindset and approach to compromising the systems.
The first lesson learned from management teams who have survived a cyber attack is that this is not an issue that one can just delegate. The responsibility of defining how cyber security plays a role in the company rests with senior executives.
The second lesson is that this is not necessarily just a technology-related problem. While technology can be a source for the vulnerability, there is a human element that is just as important.
Lastly, having a false sense of security is very dangerous. A banking institution that separates its banking environment onto a specific network with no connection to the Internet is potentially doing a good thing, but this does not guarantee that the network is invulnerable.
While it may appear that purchasing specialized consulting, expert services and other security-related items is yet another expense, it is an important precaution. A successful attack could be far more expensive and devastating.