Cyberfraud risks are whens, not ifs

Computer analysts say the term “cybersecurity” is outdated. The more accurate word is “cyberinsecurity” because it is no longer a question of if your database will be breached, but when.

Given the inevitability of hackers breaking into your system, the principal challenge is trying to limit the damage they can do.

That task becomes increasingly difficult with the progression of technology, according to security experts who spoke at the Mortgage Bankers Association’s annual convention late last year.

Downloading trouble and grief

Roger Cressey, a counterterrorism expert who has appeared on NBC News and a partner with Liberty Group Ventures, told the bankers to consider how many of their employees probably conduct company business on their private mobile devices.

A recent survey found that 50% of government employees download work on their personal phones and computers. If that many are doing it in the government, Cressey said, how many are doing it in the private sector?

Another major concern is that your security is only as good as that of your electronic correspondents. “Everyone in your supply chain touches your corporate network,” Cressey said. “What are their policies?”

Anthony Johnson, vice-president and chief information security officer for Fannie Mae, said the company looks at its partners’ security credit ratings, which demonstrate commitment to due diligence.

“If you try to solve cybersecurity as an IT problem, you’re going to miss the relational aspect that is the biggest threat,” Johnson said. Target, for instance, was breached by hackers accessing the system of its HVAC provider. “The danger of interdependencies cannot be overestimated,” added Cressey.

Malware in a fortune cookie

What also can’t be overestimated is how cunning cybercriminals can be.

Cressey, who held senior cybersecurity positions in both the Clinton and Bush administrations, told the bankers about an oil and gas company targeted by hackers who couldn’t crack its system’s “front door.”

After some reconnaissance, the hackers noticed that company employees often ordered their lunches from a nearby Chinese restaurant. Assuming correctly that workers preordered their meals online, the hackers installed malware on the restaurant’s take-out menu that allowed them to infiltrate the utility company’s computers.

“The bad guys are playing chess, while most of us are playing checkers,” Cressey said.

And no one knows how to fight back effectively.

If you launch a cruise missile, it detonates, explodes, and goes away. “When you launch the equivalent in cyberspace, it lands but it doesn’t go away, since nothing goes away in cyberspace,” Cressey said. “So the risk is that if we counterattacked with our own malware, the enemy might take the code, tweak it, and send it back to damage us.”

Minimize your risks

The common language of cyber risk management doesn’t include the word “prevent,” said Cressey, “because everyone accepts the reality of successful attacks.”

To minimize the damage when they are breached, he recommended that bankers understand three things:

1. Cybersecurity isn’t an IT issue. It’s a C-suite issue.

“The Federal Trade Commission has prosecuted more than 50 companies for malfeasance in handling people’s personal data, citing them for failing to take reasonable measures to protect clients’ data,” Cressey said. “If you do a better job managing your cyber risk, you create a narrative, so that when you’re breached, you can show that you took reasonable measures to prevent it.”

2. Not all data are created equal.

Ask yourself what you can least afford to have violated and build your thickest firewalls there.

“If you don’t manage the threat yourself, the government will tell you how to do it,” said Cressey, “and they will tell you to do it in a way that’s wrong for you. That’s how government works.”

3. Make intrusion tough as possible.

Although you cannot eliminate the possibility of being hacked, you can make it harder for the attacker to gain traction in your system.

“Change administrative passwords so that no one password gains access to the whole network,” Cressey suggested. “Maybe put different administrative passwords on every desktop.”

It may lessen your level of convenience, he acknowledged, but it raises your level of security.

Johnson said cybersecurity can be boiled down to this basic principle: “Don’t talk to strangers.”

You may not have business in China, but if your partners are in communication with that part of the world, you’re exposed to their risks. Extricate yourself from that line of communication, and you eliminate a substantial threat, he said.

Maximize your awareness

Johnson also urged bankers to update their concept of the enemy.

“We used to think of hackers as teenagers in basements. Now they have corporate structures,” he said. “There are complete websites where you select software and select whom you want to hack. It’s that easy.”

Also keep in mind that not all cybercriminals want to steal data.

“There’s a new kind of hacker who just wants to see the world burn,” Johnson said. “If one of them successfully destroyed all your servers, do you have your information in backup files?”

Mortgage lenders must be particularly vigilant because hackers are focused on the mortgage industry. Since September, Johnson said four organizations in the housing sector have lost a combined $20 million in wire transfers to hackers in other countries.

James Deitch, CEO of Teraverde Financial, suspects one of the reasons attacks on the mortgage industry are rising is because they’re a profitable crime.

“You can be an entry-level hacker and still figure out how to get $10,000 of closing cost money transferred to your account,” he said.

Linglong He, CIO of Quicken Loans, said the mortgage industry is particularly attractive to cybercriminals because it’s one of the few places where all an individual’s data, financial and personal, is held—and must be kept for many years.

Size doesn’t impact risk so much

Panelists debated whether the size of a company affects its risk of being breached. Deitch said the base-level risks are the same, regardless of a company’s size.

“Your sales force is typically taking mobile devices into the field,” he said. “Those laptops expose your technology, especially when salespeople use Wi-Fi in unsecured areas.”

Johnson argued that it’s easier to protect a small company simply because fewer people can enter the system. He compared the situation to giving out keys to your house. “If only one other person has a key to my home, then I know who has access.”

Yet Johnson conceded that 77% of all e-crime targets are small- to medium-sized businesses because hackers perceive them as soft targets—and the businesses often don’t think they’re at risk.

Washington can’t help you

Cressey said bankers must not expect any help from the government. Johnson noted that industry has taken the lead. He described how the card industry is a great example of how the private sector addressed the problem very successfully, referring to the development of the EMV chip card standard by Europay, MasterCard, and Visa.

“The technology was changed, and credit cards are becoming less of a target,” he said.