The Problem With Online Financial Fraud Prevention
By Jack Rosenberger | Posted 09-08-2014
When it comes to preventing online financial fraud or detecting it in real-time, many organizations confess that they need to do a better job, according to a new global survey by Kaspersky Lab. Nearly half of the respondents (45 percent), for instance, admit their online defenses are inadequate and that they need to "take improved measures to protect financial transactions."
The survey also found that many businesses say data protection is highly important to them, but one in four businesses "is willing to suffer losses incurred by cybercrime because they believe the cost of protection will outweigh the cost of dealing with the losses."
The report, "Global IT Security Risks 2014—Online Financial Fraud Prevention," is based on the answers of 3,900 respondents in 27 nations, with 54 percent of the respondents working for mid-size, large and very large companies. The survey asked the participants, who work in 15 different industry sectors, about cyber-attacks, data loss, mobile transactions, and about businesses' attitudes toward banks and financial institutions vis-a-vis data breaches, their security reputations, and more.
Among the Kaspersky Lab report's findings:
Forty-eight percent of online retailers and 41 percent of financial services firms lost financial-related data to cybercriminals during the last 12 months. The true cost of financial data loss, according to Kaspersky, ranges from $66,000 to $938,000 per incident.
eCommerce Lags Behind
Online retailers, as a whole, fared poorly in the survey. For instance, only 53 percent of them gave a positive response to the question, "We make every effort to ensure our anti-fraud measures are up-to-date." This score is the lowest for any of the 15 sectors surveyed, and is significantly below the overall score, which is 62 percent.
Mobile Security Misperceptions
Many businesses are unaware of the reduced levels of security associated with mobile phones, according to Kaspersky. Just 49 percent of the respondents understood that mobile phones are less secure than a laptop or desktop computer; 41 percent wrongly said that they are equal in terms of security.
Ross Hogan, global head of the Fraud Prevention Division at Kaspersky Lab, was interviewed, via email, by CIO Insight Managing Editor Jack Rosenberger about the report, and shared his thoughts on cyber-attacks and brand damage, the "poor security hygiene" of certain mobile apps, and which survey results most interest him.
CIO Insight: What are the report's key takeaways for enterprise CIOs?
Ross Hogan: Cyber-attacks are increasing in frequency and severity. These attacks are now not only widely reported, but have entered our public consciousness. This means that the financial losses associated with past attacks will pale in comparison to the crippling brand damage awaiting the victims of current and future attacks. Also, younger generations are quicker to adopt technology and less lenient about the culture, values and reputation of the companies with which they do business. As these trends converge, it portends dire circumstances for businesses that do not take adequate and continuing efforts to protect their customers and, thus, their brands.
CIO Insight: Regarding the financial institutions and online retailers that aren't taking adequate protection measures, such as having specialized security software inside their own infrastructure, what don't these businesses understand about security?
Ross Hogan: Some of these businesses may be holding on to a false sense of security. They perceive that their risk of compromise is low or view security as an impediment to revenue-generating activities. Successful institutions approach IT security decisions from the context of a broader risk management perspective and implement security strategies that align with business initiatives. A careful selection of security solutions and policies helps balance security requirements with business enablement.
CIO Insight: The survey found that organizations in North America and Western Europe were the lowest in the category of being willing to accept a certain amount of loss as the cost of doing business. But these two regions were also the lowest in the category of willing to improve their financial transaction security measures. What's happening here?
Ross Hogan: Organizations in these regions see some of the highest transaction volumes and also a high frequency of attacks. Financial transaction security measures are put in place to reduce fraud to an "acceptable value." A huge emphasis is placed on customer convenience, especially in North American culture. It would be quite rare for a financial institution to implement a security control that puts customer convenience at risk in exchange for a marginal reduction in fraud risk—the cost of customer retention has a very real impact on these decisions. However, there are some changes occurring as more breaches are reported and more people are aware of current threats and fraud incidents. Customers are demanding an increasing level of security assurance from their financial institutions, and we expect to see this trend continue.
CIO Insight: In the context of today's increasingly mobile world, what do CIOs need to better understand about the reduced levels of security associated with mobile devices? And what should they be doing better?
Ross Hogan: Many organizations releasing mobile apps choose to implicitly trust the security protections built into mobile platforms to secure their app and data. Unfortunately, like their desktop counterparts, these platforms are just as susceptible to vulnerabilities and poor security hygiene. This makes them ill-suited to protect sensitive data. Organizations can overcome these deficiencies by removing the user and their device from security decisions using a combination of server-side controls and embedded security protections. This ensures that trust in the user and device is earned and never assumed.
CIO Insight: Which of the survey results most interests you as someone whose job for Kaspersky Lab is to prevent online financial fraud?
Ross Hogan: Personally, the percentage of large businesses and enterprises "willing to bear the cost of some financial losses due to cybercrime because it will still be less than the cost of upgrading our IT systems" is staggering. If these organizations considered the "total cost of fraud," which includes not only financial losses, but operational costs, legal and regulatory impacts, reputation damage and PR headaches, customer attrition, the increased cost of acquiring new customers, and the overall emotional toll and loss of morale, they would certainly think and act differently.
Furthermore, I believe that many businesses are jaded as they are tired of spending time and money on overly expensive point solutions from either startups or generalized, oversized technology and service providers. Kaspersky Lab customers consistently carry a different perception shaped through the experience and results from working with a world leader that specializes in security and security only. I always say, "You don't buy sushi from Walmart or from a cart on the sidewalk, so why would you treat your company's and customers' security any differently?"
CIO Insight: What are your tips for CIOs about how to prevent online financial fraud and data loss?
Ross Hogan: My top three are:
1. Put security at the forefront of all IT decisions
2. Secure from the inside out
3. Never assume your enterprise is secure
Not only are my top three a great start, but they should be a part of every organization's holistic approach to security in general. As far as online financial fraud and data loss are concerned, the transaction needs to be secure on both ends. There are many different approaches you can take to achieve this. Encryption is, and will continue to be, at the top of the list.
As data breaches occur, the confidence in financial institutions is faltering. The time has come for financial institutions to project to their customers that security is their number one priority. By having mobile applications and web-based applications with built-in security features like on-access malware scanning, safe input of data and risk detection, the level of confidence can remain high.
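The two ideas Hogan returns to in the answers above, that trust in a user's device should be earned from server-side state rather than assumed from anything the app asserts, and that applications need safe input handling and risk detection built in, can be made concrete with a small transaction-authorization check. The following is an added illustration written for this page; it is not Kaspersky Lab code and does not describe any product in the report. The account, device and transfer records are constructed in the block, and the risk rules (enrolled-and-verified device, 24-hour spending velocity against a daily limit, strict amount validation) are assumptions chosen to show the pattern, not a recommended policy.

```python
"""Server-side transaction risk check (added example, constructed data).

The weak version honours a "device_trusted" flag sent by the client.
The hardened version ignores client claims entirely and decides from
records the server already holds: device enrollment, recent spending
and a validated amount.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class EnrolledDevice:
    device_id: str
    enrolled_at: datetime
    step_up_verified: bool   # out-of-band confirmation completed at enrollment


@dataclass
class Account:
    account_id: str
    devices: dict            # device_id -> EnrolledDevice, held server-side
    recent_transfers: list   # [(datetime, amount)], held server-side
    daily_limit: float


@dataclass
class TransferRequest:
    device_id: str
    amount: float
    client_claims: dict      # whatever the app sent, e.g. {"device_trusted": True}


def authorize_client_trusting(req: TransferRequest, acct: Account) -> str:
    """Weak pattern: a flag the client asserts decides the outcome."""
    if req.client_claims.get("device_trusted"):
        return "allow"
    return "step_up"


def valid_amount(amount) -> bool:
    """Safe-input check: a real number, finite, positive, at most two decimals."""
    if not isinstance(amount, (int, float)) or isinstance(amount, bool):
        return False
    if not math.isfinite(amount) or amount <= 0:
        return False
    return round(amount, 2) == amount


def authorize_server_side(req: TransferRequest, acct: Account, now: datetime,
                          window: timedelta = timedelta(hours=24)):
    """Hardened pattern: every signal comes from server-held state.

    Returns (decision, reasons) where decision is "allow", "step_up" or "deny".
    """
    if not valid_amount(req.amount):
        return "deny", ["invalid amount"]
    reasons = []
    device = acct.devices.get(req.device_id)
    if device is None or not device.step_up_verified:
        reasons.append("device not enrolled or not verified")
    # Velocity: sum of transfers inside the window, from the server's own ledger.
    spent = sum(a for t, a in acct.recent_transfers if now - t <= window)
    if spent + req.amount > acct.daily_limit:
        reasons.append("daily limit exceeded")
        return "deny", reasons
    if reasons:
        return "step_up", reasons       # trust not yet earned: confirm out of band
    return "allow", reasons


NOW = datetime(2014, 9, 8, 12, 0, 0)   # fixed clock so the example is reproducible


def sample_account() -> Account:
    """Constructed server-side record: one verified device, two past transfers."""
    return Account(
        account_id="acct-0001",
        devices={"dev-A": EnrolledDevice("dev-A", NOW - timedelta(days=30), True)},
        recent_transfers=[(NOW - timedelta(hours=2), 1000.0),    # inside 24h window
                          (NOW - timedelta(hours=30), 500.0)],   # outside window
        daily_limit=5000.0,
    )


def run_demo() -> dict:
    """Run both checks over constructed requests that all claim to be trusted."""
    acct = sample_account()
    cases = {
        "known_device": TransferRequest("dev-A", 2000.0, {"device_trusted": True}),
        "unknown_device_claims_trust": TransferRequest("dev-B", 200.0, {"device_trusted": True}),
        "over_limit": TransferRequest("dev-A", 4500.0, {"device_trusted": True}),
        "bad_amount": TransferRequest("dev-A", -100.0, {"device_trusted": True}),
    }
    return {name: (authorize_client_trusting(r, acct), authorize_server_side(r, acct, NOW))
            for name, r in cases.items()}


if __name__ == "__main__":
    for name, (weak, strong) in run_demo().items():
        print(f"{name:30s} client-trusting={weak:8s} server-side={strong}")
```

The client-trusting check returns "allow" for all four requests because each one carries the flag, including the unknown device, the over-limit transfer and the negative amount. The server-side check reaches a different answer in three of the four cases without ever reading `client_claims`; the flag could be dropped from the request format altogether, which is what "removing the user and their device from security decisions" amounts to in practice.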
About the Author
Jack Rosenberger is the managing editor of CIO Insight. You can follow him on Twitter via @CIOInsight. To read his previous CIO Insight article, "The Importance of Location for Digital CIOs," click here.