The Problem With Online Financial Fraud Prevention
Ross Hogan, global head of the Fraud Prevention Division for Kaspersky Lab, discusses the results of a new survey on how businesses are addressing online financial fraud.
By Jack Rosenberger
When it comes to preventing online financial fraud or detecting it in real-time, many organizations confess that they need to do a better job, according to a new global survey by Kaspersky Lab. Nearly half of the respondents (45 percent), for instance, admit their online defenses are inadequate and that they need to "take improved measures to protect financial transactions."
The survey also found that many businesses say data protection is highly important to them, but one in four businesses "is willing to suffer losses incurred by cybercrime because they believe the cost of protection will outweigh the cost of dealing with the losses."
The report, "Global IT Security Risks 2014—Online Financial Fraud Prevention," is based on the answers of 3,900 respondents in 27 nations, with 54 percent of the respondents working for mid-size, large and very large companies. The survey asked the participants, who work in 15 different industry sectors, about cyber-attacks, data loss, mobile transactions, and about businesses' attitudes toward banks and financial institutions vis-a-vis data breaches, their security reputations, and more.
Among the Kaspersky Lab report's findings:
Forty-eight percent of online retailers and 41 percent of financial services firms lost financial-related data to cybercriminals during the last 12 months. The true cost of financial data loss, according to Kaspersky, ranges from $66,000 to $938,000 per incident.
eCommerce Lags Behind
Online retailers, as a whole, fared poorly in the survey. For instance, only 53 percent of them gave a positive response to the question, "We make every effort to ensure our anti-fraud measures are up-to-date." This score is the lowest for any of the 15 sectors surveyed, and is significantly below the overall score, which is 62 percent.
Mobile Security Misperceptions
Many businesses are unaware of the reduced levels of security associated with mobile phones, according to Kaspersky. Just 49 percent of the respondents understood that mobile phones are less secure than a laptop or desktop computer; 41 percent wrongly said that they are equal in terms of security.
Ross Hogan, global head of the Fraud Prevention Division at Kaspersky Lab, was interviewed, via email, by CIO Insight Managing Editor Jack Rosenberger about the report, and shared his thoughts on cyber-attacks and brand damage, the "poor security hygiene" of certain mobile apps, and which survey results most interest him.
CIO Insight: What are the report's key takeaways for enterprise CIOs?
Ross Hogan: Cyber-attacks are increasing in frequency and severity. These attacks are now not only widely reported, but have entered our public consciousness. This means that the financial losses associated with past attacks will pale in comparison to the crippling brand damage awaiting the victims of current and future attacks. Also, younger generations are quicker to adopt technology and less lenient about the culture, values and reputation of the companies with which they do business. As these trends converge, it portends dire circumstances for businesses that do not take adequate and continuing efforts to protect their customers and, thus, their brands.
CIO Insight: Regarding the financial institutions and online retailers that aren't taking adequate protection measures, such as having specialized security software inside their own infrastructure, what don't these businesses understand about security?
Hogan: Some of these businesses may be holding on to a false sense of security. They perceive that their risk of compromise is low or view security as an impediment to revenue-generating activities. Successful institutions approach IT security decisions from the context of a broader risk management perspective and implement security strategies that align with business initiatives. A careful selection of security solutions and policies helps balance security requirements with business enablement.
CIO Insight: The survey found that organizations in North America and Western Europe were the lowest in the category of being willing to accept a certain amount of loss as the cost of doing business. But these two regions were also the lowest in the category of willing to improve their financial transaction security measures. What's happening here?
Hogan: Organizations in these regions see some of the highest transaction volumes and also a high frequency of attacks. Financial transaction security measures are put in place to reduce fraud to an "acceptable value." A huge emphasis is placed on customer convenience, especially in North American culture. It would be quite rare for a financial institution to implement a security control that puts customer convenience at risk in exchange for a marginal reduction in fraud risk—the cost of customer retention has a very real impact on these decisions. However, there are some changes occurring as more breaches are reported and more people are aware of current threats and fraud incidents. Customers are demanding an increasing level of security assurance from their financial institutions, and we expect to see this trend continue.
CIO Insight: In the context of today's increasingly mobile world, what do CIOs need to better understand about the reduced levels of security associated with mobile devices? And what should they be doing better?
Hogan: Many organizations releasing mobile apps choose to implicitly trust the security protections built into mobile platforms to secure their app and data. Unfortunately, like their desktop counterparts, these platforms are just as susceptible to vulnerabilities and poor security hygiene. This makes them ill-suited to protect sensitive data. Organizations can overcome these deficiencies by removing the user and their device from security decisions using a combination of server-side controls and embedded security protections. This ensures that trust in the user and device is earned and never assumed.
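The principle in that last answer, that trust in a device is earned on the server rather than asserted by the app, is easiest to see in code. The following is an added example written for this article; it is not Kaspersky Lab's code and does not describe any product. All names (AccountState, authorize_transfer, naive_authorize), thresholds and sample requests are hypothetical. It contrasts an authorization routine that believes a client-supplied "device_trusted" flag with one that ignores every client claim and decides from server-held state only: device enrollment, a per-account velocity limit, and a step-up threshold for large transfers.

```python
"""Server-side transaction authorization that never trusts device-supplied claims.

Added example (not Kaspersky Lab's code or the article's): all names, thresholds
and sample data below are hypothetical/constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical policy thresholds, in cents so money is handled as integers.
STEP_UP_THRESHOLD_CENTS = 100_000   # single transfer above $1,000 needs step-up auth
HOURLY_LIMIT_CENTS = 250_000        # more than $2,500 moved in one hour is refused
VELOCITY_WINDOW = timedelta(hours=1)

# Fixed "current time" so the example is deterministic (constructed value).
NOW = datetime(2014, 6, 1, 12, 0, 0)


def minutes_before(minutes: int) -> datetime:
    """Timestamp `minutes` before NOW; helper for building sample transfer history."""
    return NOW - timedelta(minutes=minutes)


@dataclass
class AccountState:
    """Facts the server holds about an account; the client cannot write these."""
    enrolled_device_ids: set = field(default_factory=set)   # devices that completed enrollment
    recent_transfers: list = field(default_factory=list)    # (timestamp, amount_cents)


def naive_authorize(request: dict) -> str:
    """The weak pattern: the app asserts its own trust level and the server believes it.

    Whoever controls the device controls this flag, so the check proves nothing.
    """
    if request.get("device_trusted"):
        return "allow"
    return "step_up"


def authorize_transfer(account: AccountState, request: dict, now: datetime = NOW) -> str:
    """Return 'allow', 'step_up' or 'deny' using only server-side state.

    `request` is whatever the mobile app sent. Fields such as 'device_trusted'
    or 'client_risk_score' are deliberately never read; trust is derived from
    what the server itself recorded (enrollment, transfer history).
    """
    amount = request.get("amount_cents")
    device_id = request.get("device_id")
    if not isinstance(amount, int) or amount <= 0 or not device_id:
        return "deny"                               # malformed request or non-positive amount

    # Trust in the device is earned through server-side enrollment, never assumed.
    if device_id not in account.enrolled_device_ids:
        return "step_up"

    # Velocity control: transfers inside the window plus this one must stay under the limit.
    window_start = now - VELOCITY_WINDOW
    recent_total = sum(a for t, a in account.recent_transfers if t >= window_start)
    if recent_total + amount > HOURLY_LIMIT_CENTS:
        return "deny"

    # Large single transfers require an out-of-band confirmation.
    if amount > STEP_UP_THRESHOLD_CENTS:
        return "step_up"
    return "allow"


def record_transfer(account: AccountState, amount_cents: int, when: datetime = NOW) -> None:
    """Persist an approved transfer so later velocity checks see it."""
    account.recent_transfers.append((when, amount_cents))


if __name__ == "__main__":
    acct = AccountState(enrolled_device_ids={"dev-enrolled"})
    # Constructed request from an unenrolled device that claims to be trusted.
    forged = {"amount_cents": 5_000, "device_id": "dev-unknown", "device_trusted": True}
    print("naive  :", naive_authorize(forged))            # allow   (client flag honoured)
    print("server :", authorize_transfer(acct, forged))   # step_up (flag ignored)
```

The hardened routine never reads the client's self-assessment; the same request that passes `naive_authorize` is forced to step-up authentication because the device was never enrolled on the server. The velocity and threshold checks are the "server-side controls" from the answer above: they work identically whether the handset is clean or fully compromised, because nothing the handset says changes the decision.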