Date posted: 1/12/2016 6 min read

Cybercriminals target business data

Cybercrime is a business risk, not a technology problem — and your business data is a target

In brief

  • Cybercriminals use business models, hire experts and share knowledge and proceeds around the globe
  • CEOs and CFOs should be involved, as cybercrime is a business risk not a technology problem
  • Perpetrators are targeting data that will lead them to other valuable assets

By Bernard Kellerman

If the experts can agree on one thing, it’s that cybercrime is a fact of life.

As Ivan Zasarsky, a Deloitte partner specialising in countering financial crime says, there are two categories of individuals: “Those that have been hacked, and those that don’t know they’ve been hacked.”

What has changed in recent times is that the success of earlier crimes has meant the “black hats” are able to organise themselves along similar models to those followed by legitimate businesses, hiring the best experts with particular knowledge and sharing the criminal proceeds around the globe.

These coordinated criminals have the potential to do massive damage to a business. By way of example, Zasarsky points to the experience of the retailer Target in the US last year. An attack on its point-of-sale devices resulted in the theft of credit card details of up to 40 million customers. What followed was degradation of Target’s brand and market capitalisation that was “certainly in the hundreds of millions of dollars”, Zasarsky says.

A recent report from IT security firm McAfee used that same Target incident to highlight the effectiveness of the “cybercrime-as-a-service community”, noting with a keen sense of irony how well the malware industry serves its customers.

“They even had a ready and efficient black market for selling the stolen credit card information, including an anonymous, virtual-currency-based point-of-sale payment system. Raw materials, manufacturing, marketplace, transaction support — it’s all there for thieves to use,” according to Vincent Weafer, senior vice president of McAfee Labs.

In Australia in 2011, a large number of IGA franchisees’ EFTPOS terminals in country Victoria and New South Wales were compromised via an internet attack by a Romanian criminal gang. The stolen data was used to create fake credit cards, which were onsold and re-used in the original regions to reduce suspicion. The losses from this fraud were estimated at $30 million.

C-suite issue

The message for business leaders is that they need to come to terms with the potential impact on the balance sheet, and the value of the company, from incidents like these, Zasarsky and his peers are keen to stress.

This warning gets wholehearted support from Alastair Gibben, director of the Centre for Internet Safety at the University of Canberra and managing partner at Surete Group, a consultancy that advises on internet fraud reduction.

Gibben says that the CEO and CFO should be involved in the process, as cybercrime is a business risk, not a technology problem. All too often, they are not involved.

“From an IT security point of view we’ve allowed the technology people to own the conversation and I don’t think that’s the right approach,” says Gibben.

“It’s a business problem and needs to be dealt with by the business people, along with the technicians. If you’re potentially losing several percent of your profit margin on fraud in your transactions, it’s a real economic loss.”

Dr Paul Twomey, managing director of Argo P@cific, a consulting firm specialising in the internet and digital economy, also advises that coping with cybercrime needs a risk management approach.

“We’re looking at the whole issue of exercising to prepare for these sorts of penetrations,” Twomey says.

“It’s to test an organisation’s ability to respond as a whole, and is much more part of a risk management approach than for the IT side.”

Breach notification

Twomey points out that in the US the majority of state jurisdictions require companies to report incidents where personal information is stolen and require the firms to contact each person whose personal data has been compromised.

“What this has done is change the whole culture at board level where data breaches are now taken far more seriously,” he says.

In Australia, government agencies will share information at a certain level and so will some sectors such as financial services and telecommunications firms. However, that’s where it stops, which bothers Twomey, who describes himself as “a proponent for public reporting of breaches”. 

He asserts that publication of this information will show just how much industry is “self-insuring” — that is, absorbing its own losses — and will give more information to the risk markets to let them develop new insurance products.

“Such public reporting could be anonymous, providing we get more transparency about Australian data, including by industry,” Twomey says.

So far, legislation to enable this in Australia has been introduced twice into the federal parliament over the past year or so, and rejected both times.

If you have someone in your organisation who is prone to bullying behaviour … you should look further than the behaviour itself, in isolation, because we have found that someone who has a propensity to bully is often someone who also commits fraud.

Old is new again

It’s not all about digital, though. According to PwC’s latest global economic crime report, based on responses from more than 5,000 senior executives, cybercrime has become less of a worry for large and mid-sized businesses in the past two years than a new wave of procurement fraud. The findings are consistent worldwide, although there are local variations.

“What’s interesting for Australia is where that type of fraud is occurring — mining construction and utilities,” says Malcolm Shackell, PwC’s forensic services leader.

“We’re seeing, particularly in those industries, an uptick in fraud at different points on the procurement cycle. Companies are being ripped off by suppliers and contractors, with the help of someone on the inside, who’s being paid a bribe.”

He explains that this type of collusive fraud has come into the spotlight as a result of a deeper focus on costs, due to stalled top-line growth in once-booming sectors.

The fraud is typically around overpaying for existing labour hire or plant and equipment contracts, along with cleaning contracts or office fit outs. Shackell’s also seen a rise in office expense account and staff credit card fraud, sometimes running into hundreds of thousands of dollars.

Shackell says there is a link between bullying and fraud. “If you have someone in your organisation who is prone to bullying behaviour — and it’s often a senior person — you should look further than the behaviour itself, in isolation, because we have found that someone who has a propensity to bully is often someone who also commits fraud.”

Understated and underclaimed

In New Zealand, Eric Lucas CA, PwC NZ forensic services partner, drawing on his firm’s local responses, also highlights the much higher rate of asset misappropriation, procurement fraud, bribery and HR fraud over cybercrime. Nevertheless, he’s not inclined to dismiss cybercrime.

He says his corporate clients are now getting an understanding of the “insidious nature” of the crime, and that perpetrators, rather than going directly for financial assets, are targeting data that will lead them to other valuable assets.

“They’re spending time, for example, fossicking on social media for comments by staff that will give clues to their passwords, and even disclose financial data on their Facebook pages.

“We see plenty of instances of IP theft, which often goes unreported, and it’s very hard to quantify the impact of that,” he says.

“As a matter of course we advise our clients to inform police that they’ve been compromised, but then there’s always the problem of proving the loss.”

“We haven’t come across anybody who’s wanted to claim on an insurance policy.

Bernard Kellerman is an Australian journalist specialising in finance, banking and business.

This article was first published in the August 2014 issue of Acuity magazine.