A few may have remarked on the cost to UK plc when investors' money is lost to legitimate business, while most may simply have reflected that fraudsters targeting pensioners with worthless shares was sad but of little concern to CEOs.
But the case may have been more instructive than many realise. This was a crime that neatly illustrated the changing nature of fraud – indeed, the very fact that a family with criminal intentions should choose to focus on fraud is notable in itself, highlighting the perceived profits to be made from the crime.
Most significantly of concern to business is the way the crime relied on data. Fraudsters need potential victims to target. In this way, personal information – in this instance a list of people who have invested in stocks and are perhaps people who have been conned by other fraudulent schemes – is a valuable, tradable commodity.
Technology might be fanning the flames of fraud, but data is the fuel fraud needs to survive. While individuals focus on shredding old utility bills and protecting their PINs, the reality is that businesses are a far greater source of data, with many holding thousands, even millions, of customer details. In today's fight against fraud, businesses are becoming a major battleground.
The financial losses and reputational damage inflicted on businesses from a data breach will always outstrip the cost of putting in place security systems that can keep cyber criminals at bay. Years of good governance and healthy profits can be damaged or even destroyed in a moment.
The issues Sony faced earlier this year after their digital security was breached are a well-documented lesson in the reputational cost of losing customer data.
Put simply, if a business's relationship with customers involves it holding detailed client information, then its reputation for safeguarding data is not important, it is imperative.
What is required is not simply a change of process, but a fundamental change of attitude. If the Sony story taught us anything, it is that data risk is a corporate concern. This means more than defending a business against malware and phishing.
Stroll through many offices who consider their systems secure and you will see employees tapping away at computers equipped with USB and DVD drives that have "write" capability as standard.
Likewise, office infrastructures can have little partitioning of data to limit access based on appropriate need and security clearance. Criminal gangs are known to target staff susceptible to bribery; taking away that access takes away the temptation.
The key is to set systems and processes driven by dynamic threat assessment. For instance, a business moving to cloud computing may entrust its data to a third party, an outsourcing that in theory amplifies risk by essentially broadening access. Comprehensive risk assessment would identify whether the contracted business has the requisite watertight systems.
A change in approach of this sort is not unprecedented. Many large businesses have adopted a similar shift in the last 10 years in response to the threat of terrorism, natural disaster and other aspects of commercial loss.
The key difference in terms of data security is the relatively immature business processes involved in assessing the risk. This is understandable to some extent, but only reacting when things go wrong is not the mark of a strong business.
I should stress that businesses are not alone in their fight against this corporate crime. The police service is developing a far more sophisticated approach to tackling fraud and cyber crime.
The establishment of a National Fraud Intelligence Bureau in 2010, to bring together and analyse intelligence that would otherwise have sat in isolation on IT systems across the public and private sector, is helping us identify those criminals looking to steal data and commit fraud.
The system has so far analysed 2m reports of fraud, many of which are drawn from the financial sector. It is now using this data not only to help police catch criminals, but also to help business better protect itself.
Last year, the force worked with one of the world's largest technology companies after a suspected abuse of its systems. The investigation, which is ongoing, looks promising, with a number of arrests already made. But the financial cost to the company is already all too clear: the apparent crime has given it 12m reasons to change its attitude to data security.
0 comments:
Post a Comment