What do the NSA and Target Corporation have in common? They both have enormous databases of sensitive information about individuals that have been penetrated by the likes of Snowden, Wikileaks, and worse criminal conspiracies. According to James D. Ratley, President and CEO of the Association of Certified Fraud Examiners, cybercrime is one of the biggest emerging fraud threats in 2014.
Ratley mentions hacking schemes like the one that shocked Target, as well as other malicious activities like malware and phishing schemes. He rightly says that these schemes can be foisted on individuals, small or large businesses, or any type of organization.
But we think there is a very good reason why cybercrime could be the biggest emerging fraud threat for years to come. It is rooted in the fact that organizations will not forgo the tremendous power of networked computers and huge databases, and these are rapidly evolving. Every innovation in automated business processes creates new opportunities for hackers. The prize at stake is huge.
This means that exactly HOW the frauds are perpetrated is changing. That does not mean there are fads in fraud, like fashion trends that come and go. The point is that organizations are adapting to changing regulations, technical capabilities, or competitive markets, and these changes create exposure to new kinds of risk—that is, new opportunities for fraud are created. Pre-existing risk mitigation tactics may not even address the evolving conditions of a dynamic organization.
The growth in opportunities for cybercrime is a direct outcome of organizations developing new business models as part of their adaptation to change. For example, some companies have turned to outsourcing for manufacturing or using networks of suppliers or partners who contribute to a joint service or product. These linked partnerships inevitably require some integration of networks, but the protection of these networks is not under the direct control of any one partner.
A perfect example of this, once again, is the Target data breach: it was recently reported that the initial intrusion into Target's systems was traced back to network credentials that were stolen from a third-party vendor—a Target HVAC contractor.
Companies like Target want to use the power and efficiency of networks to link distributed data into centralized processes. The centralization is required to gain the benefits of efficiency, but it also exposes ever more private information to a single breach of security. The stakes go up.
Building Controls Against Cybercrime
For starters, companies need to make cyber risk analysis a prominent part of their routine risk management reviews. Virtually every company uses some type of control to manage who can access specific resources, and how they can use them. But new networking options, cloud computing, and wireless connectivity are changing the game of how employees—and external hackers—can get into cyber systems.
Every change in usage of computer or cloud-based networks should be accompanied by a risk review. Network managers need continuous training in security by well-qualified teachers. Every network connection point is a potential opening for someone with fraudulent intentions. Identify and control those doors.
When it comes to combating cybercrime, the speed of change is not likely to slow down anytime soon. It will continue through good economic conditions and bad as corporations seek to identify their vulnerabilities and develop policies to cope.
If you need help formulating your enterprise risk management strategy, let’s talk.