16 Mar 2021

Event Roundup: Evolving Challenges in Cyber Fraud Prevention 2021

Catch up on our recent event which reviewed the current trends in cyber fraud, and the key recommendations for tackling this growing area of concern.

Evolving Challenges in Cyber Fraud 2021

Watch the presentations from Accenture, RUSI, Police Digital Security Service, JP Morgan, Kainos and Quorum Cyber.

techUK recently brought together professionals from across the cyber security, crime prevention and finance sectors to explore the continuing themes in cyber fraud prevention; new trends and arising threats in a ‘post-Covid’ world; and key recommendations for tackling cyber fraud – which continues to proliferate at an alarming pace. We were lucky enough to have a stellar line up of speakers to set out the different perspectives in cyber fraud prevention – covering financial services, law enforcement, policy and, of course, the cyber security industry. Here’s a whistle-stop tour of the ground we covered…

It’s time to be upfront about cyber security

Matthew Horsham from cloud experts Kainos kicked off the event, looking at how we can better articulate the challenges brought about by the threat environment. Matt highlighted the fact that we often shy away from stating the obvious – for fear of ridicule or of repeating what’s been said before – but stating the obvious in cyber security can actually be a very powerful tool. Using the example of moving data to the cloud, Matt underlined the importance of ensuring people understand that the good security practices and attitudes the industry has built up over the last 25 years still apply to cloud hosting – for example, that cloud solutions are Secure by Design. And we must be upfront in saying that security is a critical ongoing task: it’s not just a box to tick.

How big is your inbox? How much company confidential information is in there? How many shared mail boxes have you got access to?

These were the key questions posed by David McKenzie from Quorum Cyber who further helped to set the scene for the session by talking attendees through a real-life business email compromise scenario to demonstrate the true cost of fraud. When an employee clicks on a link in a phishing email, designed to enable a fraudster to infiltrate their emails and impersonate them, the ramifications can be huge if the right processes aren’t in place. Of course, there’s the direct monetary loss but, depending on the scope of the breach, there could be plenty more to consider:

  • Cyber insurance might cover your incident response costs, but there will be a cost on insurance renewal.
  • A whole host of business disruption costs (how many projects have to be delayed as a result of the breach? How many staff are off sick with stress caused by the impact of, or guilt around, the breach?).
  • Legal and other professional service costs, and ICO fines.
  • And although the public (worryingly) accept data breaches as par for the course, if you deal with the breach badly, your business reputation will be in tatters.

The key trends in cyber fraud in a world still dominated by Covid-19

Next up was Sanjeev Shukla, Financial Services Security Practice Lead for Accenture in the UK & Ireland, who provided an excellent overview of the cyber fraud landscape. Sanjeev began by noting that fraudsters are still using the same old techniques, such as credential stuffing and synthetic identities, and that social engineering is amazingly powerful at exploiting human weakness; COVID, however, has provided the ideal opportunity to capitalise on this weakness further. Sanjeev explored this by taking us through the five key trends highlighted in Accenture’s recent cyber security survey:

  1. COVID-19 accelerates the need for adaptive security. Attackers are riding on the back of COVID – for example, targeting vaccine communications and capitalising on the fact that aspects of privacy and security were put aside for contact tracing.
  2. New, sophisticated TTPs target business continuity. Attackers are targeting systems supporting Microsoft Exchange and OWA, such as Access Servers, while at the same time adapting to the defences employed by organisations.
  3. Masked or noisy cyberattacks complicate detection. There are a lot more off-the-shelf tools available to launch attacks, and supply chains are being targeted, compromising small firms in order to gain access to their larger partners.
  4. Ransomware feeds new profitable, scalable business models. Developments here have increased the pressure on victims, and the ‘to pay or not to pay’ debate has shifted. Because these attacks are crippling, the focus is moving to involving law enforcement earlier and sharing intelligence to help others avoid similar impacts.
  5. Connectedness has consequences. The increase in OT virtualisation, OT cloud connectivity and internet-connected devices has opened up new opportunities for threat actors.

Rethinking the UK response to cyber fraud

Following on nicely from Sanjeev’s presentation, RUSI’s Ardi Janjeva talked attendees through the think tank’s recent report, which outlines a strategic vision for the UK’s response to cyber fraud. This research project aims to voice the concerns of business and law enforcement agencies ahead of the adoption of the next National Cyber Security Strategy, and its guiding question was: what are the fundamental roles of different stakeholders in reducing the levels of cyber fraud?

More people in the UK are victims of fraud than of any other crime type, and despite costing £190bn a year and directly threatening the UK’s prosperity and security, it commands only 1% of the total policing response. Ardi highlighted that the current leadership vacuum; more visible, violent crimes attracting police attention; the lack of law enforcement resource; and the variation in the way in which cyber frauds are conducted come together to create the perfect storm, whereby victims struggle to get a response. There has, therefore, been more urgency at policy level to see a step-change in the UK’s overall response, and so we need a new UK Cyber Fraud strategy to, among other things, better organise the right communities. You can find out more about RUSI’s targeted, long-term recommendations here.

Preventing cyber fraud

Neil Sinclair, National Cyber Lead at the Police Digital Security Centre, focused on the practicalities of cyber fraud, highlighting the various types – from identity fraud and online shopping fraud to sextortion – as well as talking attendees through some real-life examples. These included COVID-19-themed social engineering campaigns distributing malware such as Avemaria, Lokibot and Danabot; card skimmers and rogue iframe payment forms; and a closer look at how hackers infiltrated a private school with malware inserted into a Word document, resulting in a loss of £250k.

Touching on a point Ardi made earlier, Neil flagged that, when it comes to responding to crime, the police use ‘the Daily Mail test’: ultimately, violent crime will outweigh any kind of fraud on the front cover of the newspapers and, therefore, police resource will go wherever public safety is most threatened at the time. This means that, when it comes to cyber fraud, the police focus is on prevention and protection, so working with a variety of partners is critical to improve awareness and get the message across.

Cyber compliance and the work of the Cyber Risk Institute

The last, but certainly not the least, of our presentations was from Matt Field, Executive Director for Technology and Cyber at JP Morgan, who shone a light on the many regulations from different sources (e.g. the European Central Bank and US state regulators) and the many different requirements that financial services institutions must evidence against. This proliferation sparked a project, which has been underway within financial services for a number of years now, to identify where there’s regulatory overlap and how it could be worked through; the Cyber Risk Institute’s ‘Profile’ is the resulting tool for assessing cybersecurity risk. It consolidates 2,300+ regulations into 277 diagnostic statements and gives financial institutions one simple framework to rely on. Free to anyone who wishes to use it, the Profile is designed to streamline compliance assessments by up to 73%, thereby saving the industry time as well as enabling it to mitigate risk.

This was a thoroughly varied and interesting session, with some important overarching messages – not least among them that cyber security is a key enabler of growth in all organisations, and that coordination and collaboration are critical if we want to stand a chance of tackling cyber fraud.

Watch the presentations here.

Dan Patefield

Head of Cyber and National Security, techUK

Jill Broom

Programme Manager, Cyber Security, techUK