managing cyber risk - profile financial services

Managing Cyber Risk & Identity Theft Oscar Martinis Senior Partner Expect More www.mkmpartners.com.au


Post on 03-Oct-2021


Page 1: Managing Cyber Risk - Profile Financial Services

Managing Cyber Risk & Identity Theft

Oscar Martinis, Senior Partner

Expect More www.mkmpartners.com.au


ACCC Statistics

YTD 117,425 scams reported to the ACCC, with $89m lost


Headline Cyber Statistics in Australia for business owners

• Average total cost of data breach: $2.64m

• Average cost per stolen record: $142.00

• Industries with highest breach costs: Financial, Services, Technology

• Primary root cause of breach: Malicious or criminal attack

Source: IBM Ponemon Institute 2016 Data Breach report Australia


Headline Cyber Statistics in Australia

Source: IBM Ponemon Institute 2016 Data Breach report Australia


Common methods of identity theft and Cyber Crime

• Phishing - the scammer tricks you into handing over your personal information by disguising themselves as a trustworthy entity via electronic communication.

• Hacking - the scammer gains access to your information by exploiting security weaknesses on your computer, mobile device or network.

• Remote access scams - the scammer tricks you into giving access to your computer and paying for a service you don't need.

• Malware & ransomware - Malware tricks you into installing software that allows scammers to access your files and track what you are doing, while ransomware demands payment to ‘unlock’ your computer or files.

• Fake online profiles - the scammer sets up a fake profile on a social media or dating site and sends you a ‘friend’ request.

• Document theft - the scammer gains access to your private information through unlocked mailboxes or discarded personal documents such as utility bills, insurance renewals or health care records.


What does a criminal do with your personal information?

• apply for a credit card in your name

• open a bank or building society account in your name

• apply for other financial services in your name

• run up debts (e.g. use your credit/debit card details to make purchases) or obtain a loan in your name

• apply for any benefits in your name (e.g. housing benefit, new tax credits, income support, job seeker's allowance, child benefit)

• apply for a driving licence in your name

• register a vehicle in your name

• apply for a job/employment in your name

• apply for a passport in your name

• apply for a mobile phone contract in your name.


How can you protect yourself from becoming a victim of identity theft?

• secure your mail box with a lock and make sure mail is cleared regularly

• shred or destroy your personal and financial papers before you throw them away, or keep them in a secure place if you wish to retain them

• always cover the keypad at ATMs or on EFTPOS terminals when entering your PIN

• ensure that the virus and security software on your computers and mobile devices is up-to-date and current

• don't use public computers (for instance, at an internet café), or unsecured wireless 'hotspots', to do your internet banking or payments

• don't respond to scam emails or letters promising huge rewards if bank account details are supplied, or in return for the payment of 'release fees' or 'legal fees'

• don't open email from people you don't know, no matter what they say

• in relation to social networking sites, always use the most secure settings. Take extreme care if placing personal details such as date of birth, address, phone contacts or educational details on your profile, and don’t accept unsolicited 'friend' requests

• Idcare.org


Simple Tips for your IT security

• Keep Your Operating Systems Updated: Whether you run Microsoft Windows or Apple OS X, your operating system needs to be set for automatic updates. Turning off computers at night or rebooting promotes the installation of updates (as well as cleaning out system clutter). Smartphones and tablets should also be set to update their iOS, Android, or Microsoft Windows Phone operating systems automatically.

• Antivirus Updates: Ensure that antimalware programs are set to check for updates frequently and to scan the device automatically on a set schedule, along with any media (USB thumb drives and external hard drives) that is inserted into a workstation.

• Strong Passwords: At least eight characters with a combination of upper and lower case letters, numbers and special characters.

• Use Automatic Screen Lock: When a mobile device has been idle for a few minutes it should be set to automatically lock the screen. Lost mobiles are a fruitful source of personal data. Always keep it locked.

• Disposal of Old Devices: Always ensure your old device is wiped clean of any data.


If you think someone has stolen your identity, you should act immediately:

• Check your statements for unauthorised transactions

• Cancel your credit card(s)

• Contact your bank

• Change your email address(es)

• Change passwords

• File a police report

• Place a ban on your credit report to help prevent fraudulent accounts being opened in your name.

• Get an up-to-date copy of your credit report to confirm that the information on the file relates to applications for credit that you have made

• Inform the relevant government agency if personal information is stolen. This includes your driver's licence, passport, citizenship papers, Medicare card, birth, marriage and change-of-name certificates, tax file number, superannuation or pension.


When a Hacker sits patiently and waits for the opportune moment to strike

$250,000 beach house FRAUD

• Email breach

• Sophisticated learning hacker

• Waited until timing right

• Had all the info sent via email for up to 6 months including copies of signatures

• Sent fraudulent instructions to Financial Planner

• Fraud only discovered 3 months after attack


2016 New York Fed fumbled over the Bangladesh Bank cyber-heist

When hackers broke into the computers of Bangladesh’s central bank in February and sent fake payment orders, the Fed was tricked into paying out $101 million.

• $20m sent to Sri Lanka and recovered

• $81m sent to Philippines, only $18m recovered

Jupiter saved it from being up to $951m

Bangladesh Central bank now preparing a legal case against the New York Fed and SWIFT

http://www.reuters.com/investigates/special-report/cyber-heist-federal/


When a Hacker Destroys a business

http://forums.overclockers.com.au/showthread.php?t=1128742

• Launched 2002 as domain name register business

• By 2011 had 3 data centres, 10% market share with 250,000 domain names under management, 200,000 customers with 30,000 hosted clients on infrastructure

• Plans for possible IPO in 2014

• Breach identified 3 June 2011

• Out of business by 21st June 2011. Net Registry bought what was left of the business on that day.


Calculating the cost of a data breach for business owners

Typical activities for discovery and the immediate response to the data breach include the following:

• Conducting investigations to determine the root cause of the data breach

• Determining the probable victims of the data breach

• Organising the incident response team

• Conducting communication and public relations outreach

• Preparing notice documents and other required disclosures to data breach victims and regulators

• Implementing call centre procedures and specialised training

The following are typical activities conducted in the aftermath of discovering a data breach:

• Audit and consulting services

• Legal services for defence

• Legal services for compliance

• Possible discounted services to victims of the breach

• Identity protection services

• Customer acquisition and loyalty program costs

Indirect and opportunity costs are more difficult to calculate; however, they include:

• Organisation time, effort and resources

• Opportunity costs from lost business


Summary

• Cyber Risks are real and Identity theft can be painful

• Phishing is not a fun family activity

• Even well resourced and technically savvy entities are targeted and successfully hacked

• A common sense simple approach will eliminate most risks