22 February 2014

Fraud Trends: Hedging Transnational Organized Crime...

The facts and the results of forensic investigations across the cyber domain are telling a significant story. The question remains: will CxOs take the time to digest and think about what is happening within their Enterprise Risk ecosystem? Operational Risk Management (ORM) has four key dimensions:

  • People
  • Processes
  • Systems
  • External Events

Each of these dimensions must be looked upon in a holistic and interdependent manner, realizing that they are all indeed interconnected. One may impact another, or managing risk in some but not others could bring the entire enterprise to its knees. This is understood.

You are no doubt utilizing a myriad of strategies to deter, detect, defend and document the Operational Risks within your specific industry and associated with the adversaries and regulations pertinent to your business. So why is this still the state-of-play?

Companies are beginning to change how they think about cybersecurity – viewing it as a business issue, not just an IT issue. Forty-four percent of U.S. organizations that experienced fraud in the past 24 months suffered from cybercrime; and 44 percent of all U.S. respondents indicated they thought it was likely their organization would suffer from cybercrime within the next 24 months.
Seventy-one percent of U.S. respondents indicated their perception of the risks of cybercrime increased over the past 24 months, rising 10 percent from 2011. U.S. respondents' perception of the risks of cybercrime exceeded the global average by 23 percent. Despite having more to lose, U.S. respondents were generally less aware of the cost of cybercrime: 42 percent of U.S. respondents were unaware of cybercrime's cost to their organizations, compared to 33 percent of global respondents.

Didier Lavion, PwC principal and lead author of the U.S. report, said, "U.S. corporations need to better leverage and implement the computational and analytical power of cybersecurity technologies to help combat the increasing global presence of cybercrime."  --Source:  PwC's Global Economic Crime Survey 2014

The reason the state-of-play remains in turmoil is the inverse of what the survey is reporting. 29% of U.S. respondents have no perception that the risks of cybercrime have increased over the past 24 months. The 29% who do not perceive this must be in an industry group that is not connected to the Internet, does not use mobile devices, or uses paper and pencils to run its business.

So for the other 71%, the perception of the risks of cybercrime has increased. Again, what are the business details of these respondents? It would be interesting to ask the question: How many U.S. citizens were issued a new credit or debit card last year due to fraudulent charges? Perhaps the 29% are the unbanked population of the U.S., who are not issued cards because they do not participate in the formal banking system? Unlikely.

Cybercrime analysis needs to go deeper. As an example, it would be interesting to discover what percentage of cyber fraud victims in 2013 currently run a Microsoft-based operating system on their computer. No doubt the highest, due to the vast installed base of Microsoft-based PCs over the years.

Executive Management of companies with over 1000 employees who do not perceive the risk of cybercrime on the rise may have other, more pressing issues: labor, raw materials, weather, or other factors that may be impacting their business. It makes some sense.

Over the next decade, the tide will turn on the motivation to pursue petty cybercrime and fraud. Not because the laws and enforcement are more effective. Not necessarily because the fraud opportunity becomes too difficult because of the effectiveness of new technology. Not even because the Microsoft Operating System installed base dwindles to a minority percentage. Why?

It is because the best cyber Transnational Organized Crime (TOC) organizations will become allies with nation states or even terrorist non-state actors.  They will be paid much more handsomely and they may not even have to disclose their true identities.  The stakes and the fortunes to be made in TOC are rising.  The cyber domain is now a race for superiority.  The best of these skills and knowledge will come from the "dark side" to start, and at a high premium.  So what are you to do, if you are the CxO of a top Global 500 organization?

Pray longer. Allocate a treasure chest to invest in your long digital war ahead. Hedge the risk...

New threat actor: Spanish-speaking attackers targeting government institutions, energy, oil & gas companies and other high-profile victims via cross-platform malware toolkit
Today Kaspersky Lab’s security research team announced the discovery of “The Mask” (aka Careto), an advanced Spanish-language speaking threat actor that has been involved in global cyber-espionage operations since at least 2007. What makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone). 
The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists. Victims of this targeted attack have been found in 31 countries around the world – from the Middle East and Europe to Africa and the Americas. The main objective of the attackers is to gather sensitive data from the infected systems. Several reasons make us believe this could be a nation-state sponsored campaign.

02 February 2014

Future Risk: What is True...

On the dawn of the U.S. Super Bowl XLVIII, Operational Risk Management (ORM) professionals are on edge.  Readiness and contingencies are at their highest level in anticipation of a globally televised event.  The same crisis management environment exists four or more times a year within the confines of the Board Room and Executive suite.

Operating at the "Speed of Business" and effectively managing daily, weekly, and quarterly risk management tasks requires an adaptive and resilient culture: a culture that has been born and has evolved from its Genesis to a daily run rate based upon two main components. Trust is the first one and, to many, a given in any high-performing environment. To be able to trust the person to your left and to your right requires many tests. It builds over time, yet it must start with the right elements and be nurtured for it to flourish.

The second component is far more complex.  It requires you to embark on a continuous discipline with yourself and the people to your left and right, to know "What is True."

"What is True" means one set of reality for you and perhaps something different for those around you.  Your mission is to get to a single version and reality of what is true faster than your competition, your adversary or your partner.  Survival will be a factor of your speed to understanding as a team, "What is True" and then your adaptive nature to the consequences of your actions.

Are you accountable for your outcomes? Have you accepted the consequences of your behavior? So what does all of this have to do with Operational Risk Management? It has everything to do with it. The highest-consequence event in any risk matrix is the fact that people do not see themselves or others in a "True" perspective. They are not operating in reality.

What is your willingness to bring current problems to everyone to dissect, understand and solve? Those who continue to operate without a proactive problem-solving environment are headed towards disaster. Surprises. Being blind-sided. Never saw it coming. When you hear people saying these things, you have someone who has not been proactive in the continuous identification of problems and in communicating those problems to the team to be solved.

You see, leadership is about continuously testing, designing and improving the process or the product.  The thinkers and the doers, the blueprint and the construction, the designers and the operators must be in a synchronous harmony together.  The "Speed of Business" is the environment and the successful outcome we all seek and is captured in three words.  "What is True."

Ask yourself: how is this movie unfolding compared to the script that was written? How has the change and the rate of change had consequences? What have I and my team done to adapt, by changing the design or the people to achieve the mission? Last fall, on the eve of September 11, Katherine Zimmerman outlined the problem for the United States:

The reality is that despite more than a decade of direct and indirect warfare against the group, al Qaeda continues to be a threat to the United States and its interests. The closure of more than 20 diplomatic posts across the Middle East and North Africa on August 4, 2013, underscores the group’s continued virulence and reach. AQAP, the affiliate from which that threat allegedly emanated, has spearheaded efforts to target the United States using innovative tactics. Its rise in the network was predictable in retrospect, yet America’s strategy did not adjust to effectively counter it.
Understanding precisely which groups contribute to the al Qaeda network and how they operate within that network will better enable American policymakers and decision makers to develop a comprehensive strategy to defeat al Qaeda. Absent that understanding, the United States will continue to engage in a tactical battle that promises only occasional battleground victories, but no real prospect of winning the war.

"What is True." As we approach the kick-off of the Super Bowl later today, or the lighting of the Olympic torch in Sochi, Russia, the question remains.

(Reuters) - Bomb attacks of the kind that tore through mass transit sites in Russia ahead of the upcoming Sochi Olympics are a top concern of security officials preparing for Sunday's Super Bowl, the head of the New Jersey State Police said on Wednesday.
While law enforcement officials said they were not aware of any specific threats targeting the February 2 National Football League championship in East Rutherford, New Jersey, attacks like those that killed 34 people in two days in Russia late last year are their biggest worry. 
"Of particular concern to us is what was going on overseas in Volgograd in regard to the Sochi Olympics. As you know both of those bombings were targeting mass transit," Rick Fuentes, superintendent of the New Jersey State Police, told reporters. "That is a concern with the mass transit; we've prepared ourselves for it."

Officials have sharply limited parking at MetLife Stadium, where Sunday's game will be played, and expect as many as 30,000 people to arrive by bus or rail. Security screening will start at train stations, where fans will not be able to board stadium-bound trains or buses without tickets to the game, officials said.