The threat of identity theft and cybercrime continue to rise. Increasingly, bankers speak of “when” their institutions will be hit, not “if.” Consider some recent data points:
• Lots of victims. 16.7 million Americans were victimized in 2017, up 8% from the year before, and a record high. Fraud losses were $16.8 billion, up from $16.2 billion the year before (but lower than the record year of 2012, which saw $22.1 billion in losses.)
For the first time ever, Social Security numbers (35%) were compromised more than credit card numbers (30%).
“2017 was a runaway year for fraudsters, and with the amount of valid information they have on consumers, their attacks are just getting more complex,” says Al Pascual, senior vice-president, Javelin Strategy and Research.
• More tries against banks. Attempted fraud against bank deposit accounts reached $19.1 billion in 2016, up from $12.9 billion in 2014. Industry fraud losses rose 16% to $2.2 billion. Debit card fraud accounted for 58%, or $1.3 billion of losses for the industry, about the same as 2014, but check fraud accounted for 35% of fraud losses, the first increase in this category since 2008.
“Fraud moves like water trying to find cracks in the system,” says James Chessen, executive vice-president of the Center for Payments and Cybersecurity at the American Bankers Association. “We have long anticipated that fraudsters would change their tactics and have shifted more to other payment platforms like checks and online transactions.”
• “Oh, is that dangerous?” Understanding of cyber threats continues to be woefully low among consumers. For example, broken down by generational segmentation, only 23.7% of Gen Zs (aged 18-24), 34.2% of millennials (25-34), and 47.6% of baby boomers (55-65+) could accurately define ransomware.
“Despite the widespread threat ransomware presents, consumers still think they are invulnerable to these types of cybersecurity risks,” says Gary Hayslip, chief information security officer, Webroot.
The overall point here is—the cyberthreat environment grows increasingly severe. Cyber crooks grow ever more sophisticated. Cyber defenders continue to struggle to keep up.
Will AI solve this mess? Or make it worse?
Now there seems to be a growing consensus that defensive tools should incorporate ever more powerful artificial intelligent capabilities, as well as quicker, more effective sharing of threat intelligence.
Wait, though, there is more:
67% of chief information security officers surveyed by Ponemon and Opus (which provides compliance and risk management solutions) believe their companies are more likely to fall victim to a cyberattack or data breach in 2018. While these CISOs most fear in-house staff carelessly enabling breaches, they also cite the inability to keep up with the sophistication of attackers.
Which leads to this disturbing thought: 91% of cybersecurity professionals polled in another Webroot survey say they are concerned about hackers using artificial intelligence against companies in cyberattacks. After all, who said AI is only available to the good guys?
To be sure, this survey of 400 cybersecurity professionals at companies with 100 or more employees in the U.S. and Japan shows that the U.S. is an early adopter of AI for cybersecurity. Eighty-seven percent of U.S cybersecurity professionals polled report that their organizations are currently using AI as part of their cybersecurity strategy. Still, 75% believe that within the next three years, their company will not be able to safeguard digital assets without AI.
Rise of “cyber threat intelligence”
“There is no doubt about AI being the future of security as the sheer volume of threats is becoming very difficult to track by humans alone,” says Hal Lonas, chief technology officer at Webroot.
In fact, a new buzz phrase is starting to take hold: cyber threat intelligence.
According to the Center for Internet Security, “Cyber threat intelligence is what cyber threat information becomes once it has been collected, evaluated in the context of its source and reliability, and analyzed through rigorous and structured tradecraft techniques by those with substantive expertise and access to all-source information.”
For example, a February SANS Institute report, cosponsored by DomainTools, found 68% of organizations currently creating or consuming cyber threat intelligence data, and 22% having plans to do so in the future.
CTI, for short, in this survey, is used to detect threats (79%), respond to incidents (71%), block threats (70%), and hunt for threats (62%). The survey involved 300 security and business executives from various industries, including financial services.
“Despite the onslaught of new threats that have been waged this past year, the SANS survey findings reflect threat intelligence platforms and programs are improving overall prevention, detection, and response efforts,” says Tim Helming, director of product management of DomainTools.
Money isn’t the only loss to cybercrime
Notwithstanding the billions of dollars lost due to cyberfraud, what could be even worse is the evident erosion of trust among financial institution customers. It’s worthwhile to return to the Javelin study mentioned above.
Javelin found that 63% of consumers report that they are very or extremely concerned about the threat of breaches, but many are unsure that they have the ability to effectively protect themselves. This leads to a cynicism about breach notifications.
Javelin says 64% of breach victims believe that breach notifications do little to help protect them. In fact, the consumers think the notices come out principally to provide legal cover for the breached company.
And Javelin says this results in a subtle but critical behavioral change: “All of this combined caused consumers to shift the perceived responsibility for preventing fraud from themselves to other entities, such as their financial institution or the companies storing their data.”
Impact keeps ratcheting up
It’s pretty depressing. But it gets worse.
A recent Accenture survey of 42 large financial services companies in the U.S., U.K, Australia, Germany, Japan, France, and Italy tallied the cost of cybercrime. The main finding: The average cost of cybercrime increased by more than 40% over the past three years, from $12.97 million per firm in 2014 to $18.28 million in 2017.
However, says Chris Thompson, senior managing director at Accenture, these same companies are increasing their levels of spending on key security technologies to combat sophisticated attacks.
“This is particularly true with regard to the use of automation, artificial intelligence, and machine-learning technologies, which could be critical to future cybersecurity efforts,” says Thompson.
So what’s new with identity theft and cybercrime in general?
Nothing, in terms of the terrible and increasing threat.
And a lot in how financial institutions are gearing up to deal with it.