Research indicates that 2017 was the worst year ever for breaches of stored personal data around the world, and this year is not looking better. You and your clients can take steps to reduce your risk.

Investment Executive, by Danny Bradbury

Cybercrime is on the rise around the world. There are steps you can take to protect yourself and your clients.

Cybercrime is skyrocketing, and this could be the year it hits you, or your clients.

That's the word from the Online Trust Alliance (OTA), an initiative of the Virginia-based Internet Society, a non-profit organization that works to ensure the health of the Internet. The OTA's 2017 Cyber Incident and Breach Trend Report, released in January, states that last year was the worst ever both for breaches of stored personal data and for cybercrime incidents around the world. Globally, there were 159,700 incidents affecting institutions, not including the many virus infections, email scams and ransomware attacks that hit individual users. And these were just the incidents that were reported.

The OTA report notes an 18.2% increase in reported breach incidents, and seven billion personal records were exposed in the first nine months of last year. That figure includes the Equifax Inc. mega-breach, which exposed the personal data of 145 million Americans and 100,000 Canadians.

About half of these incidents stemmed from intrusions that exploited vulnerabilities in the victim's network. Another 11% stemmed from insider threats, in which poor internal controls enabled employees to compromise data, either maliciously or unwittingly. Most of the remaining incidents came from two techniques that continue to dog businesses in the West: ransomware and compromised email.

Ransomware is malicious software that infects a victim's device and encrypts its files so that the criminals can demand a fee for the key that unlocks them. Cybersecurity company Symantec Corp. reports that ransomware infections almost doubled last year compared with the year before.

Rival firm Kaspersky Lab states that roughly 25% of these attacks hit businesses, two-thirds of which lost access to "a significant amount or all" of their data. And while slightly more than a third (36%) of affected businesses paid the ransom, one in six of those that paid never recovered their data.


Criminals often deliver ransomware as a malicious attachment or link in a phishing email. Email is also the delivery channel for the other fastest-growing form of cybercrime: business email compromise (BEC), whose executive-targeting variant is often called "whaling."

In a BEC attack, a cybercriminal researches a company's organizational structure to learn who is responsible for making or requesting third-party payments. The criminal can then compromise the email account of an employee or executive and use it to send bogus requests, send fraudulent invoices to customers, or send fake requests to an internal finance executive asking for a money transfer to resolve a pressing problem. In each case, the request carries the criminal's bank account details in place of the legitimate ones.

BEC is a form of "spear phishing," in which cybercriminals target specific employees with highly focused emails. This contrasts with traditional phishing, which uses high-volume spam campaigns to fool consumers indiscriminately into divulging their bank account information.

Although these attacks may seem implausible, they succeed with surprising frequency. Cybercriminals exploit their victims' habits and create a sense of urgency and panic so that the target acts before checking. The FBI estimates that BEC criminals have stolen about $5.3 billion globally since 2013.


Perhaps the most shocking statistic is that 93% of these incidents could have been prevented easily. To reduce the risk of your data being compromised, follow the same advice you should be giving your clients:

Conduct a proper risk assessment, including an inventory of which internal systems and cloud-based services you are using and what data each one holds.

Patch or update your software promptly, especially when known vulnerabilities are disclosed.

Use an email and malware protection service (or software) to filter out phishing mail before it lands in your inbox.

Train employees and users to think twice before opening or responding to emails from sources they don't know, and to verify unusual requests from people they do know through a separate channel, such as a phone call to a number already on file, especially when the request involves a payment or a change of bank details.

Have rules about who can copy data from your network and take that information off-site. Ensure that your data are encrypted with keys that you control rather than only the storage provider's, so that if your storage is hacked or data are stolen, attackers cannot read them.

Back up your data regularly to protect yourself against ransomware. Keep at least one copy offline or otherwise out of reach of your network, because ransomware encrypts connected backups too, and test that you can actually restore from it.

There are few new kinds of cyberattack threatening financial advisors and other professional services companies in 2018. Instead, we are seeing more of the same. That's because these attacks still work well for cybercriminals.
