‘Change risk-reward equation to deter cyber crims’
Digital bad actors make straightforward decisions about pay-offs so make their lives more difficult, says security specialist.
Cyber criminals make hard-headed, rational decisions about risk and reward so making their task tougher is always worthwhile, says one digital security specialist.
Eftsure head of marketing Niek Dekker said recent government moves to actively counter cyber criminals would change the equation.
“For most of these criminals it's a financial risk-reward balance. So it's all about how do you make yourself a less attractive target,” he said on the latest Accountants Daily podcast.
“Cyber criminals quite like a easy crime, right? There's no guns involved or anything like that. As a criminal it’s a high-reward, low-risk crime compared to robbing a bank.”
“Now the Australian government can go after these people that will make them go somewhere else.”
He said many companies were still unaware of the potential weak spots in their defences or focused all their efforts on external threats.
“A lot of these larger organisations spend a lot of money time and effort to make sure nobody's infiltrating the system,” he said.
“However, if one of their suppliers gets infiltrated and they send an email from their legitimate email address with a malicious invoice, there's no protection other than the people and the processes that they've put in place.”
“So what we tell a lot of our customers – as a CFO and head of accounts payable – work with your IT, make sure that all your systems are in place, take responsibility for that to some extent. But also make sure to get some view about how it integrates with your financial controls.
“You have your cybersecurity strategy and financial controls, merge those together and for your cybercrime strategy.”
“There's two separate departments … they don't talk all that much to each other. And that's exactly the point of vulnerability that gets exposed.”
A key weakness across the system was the absence of name checking by banks, but that was problematic for two reasons.
“That data is very hard to keep track of first and foremost. A business would have many entity names that they'd be trading under.”
Keeping a database up to date and allowing for all the variations in business identities was a challenge. The other problem was who paid when something went wrong.
“The banks can't be liable for any of your payments,” he said, and everybody has to be on the same page.
“In the UK they are introducing a technology similar to what some of the banks here call name check. It's called confirmation of payee. First and foremost other banks need to participate in that – not all of them do.
“And the liability question is still an issue for them as well.
“So they're now coming up with regulations where one bank is working with confirmation of payee and the other one isn't, then whether they are the receiving or sending bank, the one that's not on confirmation of payee has to carry the liability.
“It's just going slower than what some businesses would like to see. So our advice is take responsibility for your own payments.”
He said the source of payment scams was an invariably a fraudulent communication.
“The fraud happens in the email. You got this email from someone, some source, that you didn't check, you didn't look, the person could be anyone.”
Call-back checks were vulnerable to failure because if the account number and invoice number was changed, then the phone number could be as well.
So the check call had to be to a number reliably sourced from elsewhere and staff should be taught to avoid “leading the witness” by asking, “Is your number 1-2-3-4-5?”.
About the author
