Cybersecurity turmoil continues

Cybersecurity risk not only remains a supremely threatening issue for banks and businesses of all kinds, it shows signs of becoming even more insidious and hard to counter.

That may seem old news. But what’s different now is that the risk is being taken more and more seriously by corporate decision makers. On the bright side, there may be a potential for a real and practical partnership between businesses and their customers to mutually deal with cyber threats.

As with many challenges these days, it all comes down to new technology.

On the threat side, cyber risk associated with the Internet of Things is starting to heat up. On the counter threat side, new biometrics and the increasingly ready acceptance of same by customers could bolster defenses.

First, though, the latest from the front lines.

Visibility of threat continues to rank

Protiviti and the North Carolina State University’s ERM Initiative recently issued its annual top ten list of global risks for 2018. Holding steady at No. 3 on the list is the concern that an organization “may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt core operations and/or damage its brand.” 

Significantly, the researchers point out that “cyber risks continue to be a moving target as cloud computing adoption, mobile device usage, creative applications of exponential increases in computing power, and innovative IT transformation initiatives constantly outpace the security protections companies have in place.”

No. 7 on this list—related to the above—is that “privacy/identity management and information security risks may not be addressed with sufficient resources.”

Moving on, ACI Worldwide, in conjunction with Ovum, issued its 2018 Global Payments Insight Survey: Bill Pay Services.

One of its conclusions: “Across all industries, 36% of organizations believe they are at a greater risk of data breach than a year ago.” At the same time, though, 44% agreed with the view that: “My company would not invest in fraud solutions that add friction to the customer experience.” On a positive note, however, this latter sentiment is down from 57% a year ago.

“This year’s survey has revealed that the balance between prioritizing customer experience and protecting against data compromise has tipped toward security,” says Kieran Hines, head of industries, Ovum. “While addressing security risks will remain a top priority, delivering both a low-risk and low-friction customer experience will continue to drive investment in modern payments and security technology.”

Bad guys keeping pace

In separate research, Trustwave issued its 2018 global security report, based on analysis of billions of logged security and compromise events worldwide and hundreds of hands-on data breach investigations.

“Findings depict improvement in areas such as intrusion to detection; however [they] also showed increased sophistication in malware obfuscation, social engineering tactics, and advanced persistent threats,” the report concludes.

Some of its findings include:

• 50% of incidents investigated involved corporate and internal networks (up from 43% in 2016), followed by e-commerce environments at 30%.

• In corporate network environments, phishing and social engineering at 55% was the leading method of compromise, followed by malicious insiders at 13% and remote access at 9%.

• 100% of web applications displayed at least one vulnerability, with 11 as the median number detected per application.

• The median time between intrusion and detection for externally detected compromises was 83 days in 2017, up from 65 days in 2016. However, the median time between intrusion and detection for those discovered internally dropped to zero days in 2017, down from 16 days the year before.

“As long as cybercrime remains profitable, we will continue to see threat actors quickly evolving and adapting methods to penetrate networks and steal data. Security is as much a ʻpeople’ issue as it is a technology issue,” says Steve Kelley, chief marketing officer at Trustwave.

Two points jump out of that statement. One is the fact of quick and evolving methods, and the other is security as a “people” issue.

The IoT factor

In the evolving method arena comes the rapid use of IoT devices, particularly in industrial applications. The threat really comes when big manufacturers—i.e., commercial bank customers—use new technology to streamline and optimize production.

“Interest is growing in improving automation in operational processes through the deployment of intelligent connect devices, such as sensors, robots, and remote connectivity, often through cloud-based services,” says Ruggero Contu, research director at Gartner.  “This innovation, often described as industrial internet of things (IIoT) or Industry 4.0, is already impacting security in industry sectors deploying operational technology, such as energy, oil and gas, transportation, and manufacturing.”

Gartner projects that worldwide spending on IoT security will reach $1.5 billion in 2018, up from $1.2 billion in 2017.

Even so, Gartner notes: “Technical standards for specific IoT security components in the industry are only now just starting to be addressed across established IT security standards bodies, consortium organizations, and vendor alliances.”

A separate Trustwave report issued in February states this more severely. It found that while most organizations surveyed plan to increase adoption of IoT into operations, only 28% consider security strategies specific to IoT as “very important.”

“Any device or sensor with an IP address connected to a corporate network may open the doors to a devastating security incident,” says Lawrence Munro, vice-president of Spiderlabs at Trustwave. “As IoT adoption continues to proliferate, manufacturers of IoT are sidestepping security fundamentals as they rush to bring products to market … Organizations need to properly document and test each internet-connected device on their network or face introducing potentially thousands of new attack vectors easily exploitable by cybercriminals.”

Human factor represents a positive

Now back to the “people” side of the equation. There’s a little brighter side to be seen here.

Javelin Strategy and Research, in a new report, introduces the concept of “the role of applicant behavior in identity proofing”—which actually is the title of the report.

The report, sponsored by BioCatch, explores how inconspicuous, dynamic solutions like behavioral biometrics have a distinct role to play in how institutions manage the growing risk of application fraud caused by the rise of stolen and synthetic identities in the online application process.

As opposed to identity verification where the goal is to assess whether elements of personal data match a known identity, the report says, identity proofing should provide certainty that both the identity is valid and that it also belongs to the applicant.

How to do this? “Behavior has a role to play in identity proofing, regardless of the financial product or customer segment targeted,” the report says. “Inconspicuous fraud mitigation controls are crucial in digital channels where applications are increasingly being submitted and where the fluidity of the experience matters.”

Here is why this may be a bright spot. A Fiserv survey on consumer experiences and expectations shows at least the potential for customer acceptance of some types of biometric authentication.

It comes up with this finding: “Consumers show interest in solutions that both protect and ease the money management process, and 66% of consumers would be interested in a security program to safeguard mobile activity, while 56% indicate interest in voice, fingerprint, palm, or retina scan to verify identity when banking online or using a mobile device instead of passwords or PINs.”

In other words, customers themselves would generally accept biometric forms of authentication/verification, while providers (banks) would be able to tout relatively frictionless methods of “identity proofing.”

It seems like a positive step, at least, in an otherwise gloomy cyber risk environment.