Post on 02-Jun-2020
A presentation by
The rising threat of Cyber Attacks
& expectations from the
Professional Accountants.
Mohammed Humayun Kabir FCA
Council Member and
Past President, ICAB
April 10, 2016
The rising threat of Cyber Attacks & expectations from the Professional Accountants.
We are living in the digital (internet) age, where liquid assets are
increasingly transferred between parties by electronic means. The thief
or "Chor" who relies on electronic means to commit the Chori is, in
today's jargon, a "Cybercriminal" or "Hacker". The thief is no longer
one with a stocking over his face wearing a striped jumper; he or she
is more likely a geek sitting at home with other geeky friends, thinking
up ways to steal your electronic identity or to use some sort of digital
Trojan horse to enter your system and steal your cash. The accountancy
profession is used to handling big numbers, and there are big numbers
around when it comes to cybercrime.
If we were asked to split into two categories - those that know they
have been hacked, and those that have been hacked but don't know it -
the "hacked but don't know it" category would probably be the larger.
Cyber attacks pose a threat to all organizations and individuals using
the internet. Financial institutions are particularly at risk. Cyber
attacks involving data breaches caused by hackers or unauthorized
parties have grown in number and sophistication in recent times across
the world. Cybercriminals often target one organization and steal a
large amount in a short period of time. In a cyber heist, large known
accounts or institutions are often the focus; at other times the target
may be many customer accounts that collectively contain a large sum of
money.
There are two types of hackers. Yellow hackers may merely want to warn
you that your cyber security system needs improvement. But if you are
under attack by black hackers, their objective is not innocent: it is
to commit the crime of stealing, or a heist.
The Black hackers may carry out cyber attacks that are:

Untargeted: In an untargeted attack, criminals do not focus on a
particular victim but target as many devices, users or services as
possible through cyber attacks such as phishing, water holing,
ransomware and scanning. Phishing is sending mass emails requesting
sensitive information or directing users to visit fake websites. Water
holing is creating fake websites or compromising legitimate websites in
order to exploit visitors. Ransomware is locking out and holding files
hostage via encryption or other means until the owner of the system
pays a ransom to have the files unlocked, which often does not happen
even after the ransom is paid. Scanning is attacking wide sections of
the internet randomly.

Targeted: Cyber criminals are increasingly employing targeted attack
strategies specifically against financial institutions, including
through spear phishing (sending emails with malicious software attached
to individuals at the institution), launching distributed denial of
service attacks (shutting off internet access to bank services by
directing waves of internet traffic from compromised computers to the
bank, sometimes involving efforts to distract bank personnel while
criminals gain unauthorized remote access to accounts), and subverting
the supply chain (attacking the equipment or software that is delivered
to the organization).
Cyber Attacks may be against:

Individuals: Harassment via E-Mails; Cyber-Stalking; Defamation;
Hacking; Cracking; SMS Spoofing; Carding; Cheating & Fraud; Assault by
Threat.

Property: Intellectual Property Crimes; Cyber Squatting; Cyber
Vandalism; Hacking System; Transmitting Virus; Cyber Trespass; Internet
Time Thefts.

Society at large: Child Pornography; Cyber Trafficking; Online Gambling;
Financial Crimes; Forgery.

Government: Cracking into a government or military maintained website
by an enemy state or by individual(s) patronized by enemy state(s).
There is an increasing threat of destructive cyber attacks by enemy
state(s). If you are connected to the Internet, you are vulnerable to
determined nation-state attackers.

Obviously, to carry out these attacks one needs sophisticated, expert
knowledge of ICT.
Cyber attacks against Banks & Financial Institutions:
Bank heists were surprising because it made no difference to the
criminals what software the banks were using. They remind us that the
world's financial systems are vulnerable to cyber attacks.
Online banking accounts are often the targets of cyber heists. The
accounts may be found through hacking or phishing campaigns and cashed
out in a single operation. The theft may involve a specific bank's
customers or a single large account.
Credit cards, debit cards and bank accounts are also targets in cyber
heists. Cybercriminals might steal track 2 credit card or debit card
data and use card embossers and magnetic stripe encoders to create card
clones. Point-of-sale malware is often used to acquire massive numbers
of cards. In either case, the cybercriminals might use cloned credit
cards for cashing out at ATMs or sell them on underground online sites.
In December 2012, for example, cybercriminals stole $45 million from
two Middle Eastern institutions, the Bank of Muscat and RAKBANK.
Withdrawals were made in 27 different countries through over 36,000
transactions. Forty million was stolen within 10 hours from Bank of
Muscat, the larger of the two.
In a series of coordinated bank cyber attacks initiated in late 2013,
an unknown group of criminals stole as much as US$1 billion from banks
and financial institutions in the USA. The criminal group gained access
to 100+ banking entities via spear phishing emails sent to bank
employees. The emails appeared to be legitimate banking communications
in the form of Microsoft Word and CPL files. The emailed files contained
malware that, once the files were opened on the institution's network,
exploited vulnerabilities in Microsoft Office and Microsoft Word and
executed a remote backdoor providing the criminals remote access to the
banks' computers.
Once access was achieved, the attackers installed additional software
and spied on the activities of bank employees and administrators
through video surveillance, allowing the criminals to impersonate
legitimate users in later actions, including manipulating accounts,
transferring money and ordering ATMs to dispense cash at designated
times and places.
In most cases, the institutions' accounts were compromised for several
months before the attackers actually stole any funds. Particularly
concerning to banks is that it made no difference to the criminals
what software the banks were using.
Among the more notable cyber attacks was a July 2014 attack involving
a large regional bank network in the USA that was accessed by an
unknown third party, placing over 72,000 customer accounts at risk of
exposure.
In 2014, cybercriminals waged what appears to be an expanding
offensive of cyber attacks on financial institutions in the USA.
Following an investigation, it was determined that the unauthorized
third party may have obtained access to customer information,
including names, addresses, account numbers, account balances, and
personal identification numbers. In another cyber attack several weeks
later, a large national bank was victimized by one of the largest cyber
security breaches involving a U.S. bank, with approximately 76 million
household and 7 million small business accounts compromised. The cyber
attackers gained access to the bank's servers that housed consumer
account information.
Due to the manner in which the cyber attack was orchestrated, the
attack went undetected for almost two months before the bank
discovered it and moved to close access paths on over 90 servers. A
particular aspect of cyber attacks that complicates banks' ability to
monitor effectively and maintain adequate cyber security protocols is
that an attack may sometimes come by very conventional means that
exploit a network system or process vulnerability that is not evident
or obvious to the institution. This was the case when a highly
publicized mobile payment platform was unveiled and cybercriminals
seized upon a method employing identity theft, rather than hacking into
the payment system, to exploit the customer sign-up process to
validate credit cards for use on the new payment system.
The cyber criminals exploited the sign-up process at the front end by
using easily obtainable customer information to validate a credit card
for the mobile payment system, counting on the fact that some banks
would be motivated to streamline the customer sign-up process and not
require additional verification information to validate customer
credentials, i.e., to make the process as seamless as possible. As a
result, notwithstanding an extremely secure token security methodology
embedded in the mobile payment platform, cybercriminals were able to
infiltrate customer bank accounts at the bank's end of the validation
process by relatively rudimentary means. In response, the mobile
payment provider and banks are reviewing procedures to prevent this
issue from repeating, including the possibility of using a PIN issued
by a bank to its customer, for one-time use, to register a new card.
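As an added illustration (not part of the presentation, and not any bank's or payment provider's actual implementation), the following Python models the two sign-up flows the paragraph contrasts: the streamlined flow that validates a card on easily obtainable customer data alone, and a hardened flow that additionally requires a bank-issued, single-use, short-lived PIN. The bank record, customer details and PIN lifetime are constructed; 4111111111111111 is a standard test-card placeholder, not a real card.

```python
import hashlib
import hmac
import secrets
import time

# Constructed "bank records": card number -> details a criminal could
# plausibly obtain from a stolen statement or social media (not a real card).
BANK_RECORDS = {
    "4111111111111111": {"name": "A. Customer", "postcode": "1212"},
}


def weak_register(card, name, postcode):
    """Streamlined flow: the card is accepted on obtainable data alone.

    This is the gap the text describes: nothing here proves the person
    enrolling the card is the card holder rather than an identity thief.
    """
    rec = BANK_RECORDS.get(card)
    return rec is not None and rec["name"] == name and rec["postcode"] == postcode


class PinIssuer:
    """Issues single-use, short-lived registration PINs and verifies them.

    Only a salted hash of each PIN is stored, so a copy of this table does
    not reveal usable PINs. A PIN is consumed on its first successful use,
    discarded when it expires, and discarded after too many wrong guesses.
    """

    MAX_ATTEMPTS = 3  # assumed limit; a 6-digit PIN must not be guessable

    def __init__(self):
        self._pending = {}  # card -> {"salt", "digest", "expires_at", "attempts"}

    @staticmethod
    def _digest(salt, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def issue(self, card, ttl_seconds=300, now=None):
        """Create a 6-digit PIN for the card holder; the bank delivers it
        out of band (e.g. to the address or phone number already on file)."""
        now = time.time() if now is None else now
        pin = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[card] = {
            "salt": salt,
            "digest": self._digest(salt, pin),
            "expires_at": now + ttl_seconds,
            "attempts": 0,
        }
        return pin

    def verify(self, card, pin, now=None):
        """True exactly once for the right PIN within its lifetime."""
        now = time.time() if now is None else now
        entry = self._pending.get(card)
        if entry is None:
            return False
        if now > entry["expires_at"]:
            del self._pending[card]  # stale PIN: force a fresh issue
            return False
        entry["attempts"] += 1
        # Constant-time comparison of the derived digests.
        ok = hmac.compare_digest(self._digest(entry["salt"], pin), entry["digest"])
        if ok or entry["attempts"] >= self.MAX_ATTEMPTS:
            del self._pending[card]  # consumed on success, or burned on abuse
        return ok


def hardened_register(issuer, card, name, postcode, pin, now=None):
    """Hardened flow: obtainable data AND a valid bank-issued one-time PIN."""
    if not weak_register(card, name, postcode):
        return False
    return issuer.verify(card, pin, now)
```

The design point is that the PIN proves possession of a channel the bank already trusts (the registered address or phone), which public customer data cannot; the expiry, single use and attempt limit keep the PIN from becoming a second piece of "easily obtainable information".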
In February 2016, cyber criminals stole $81 million from Bangladesh's
central bank. The theft surely qualifies as one of the biggest cyber
heists ever. The cyber thieves hid their tracks by installing malware
that manipulated a central bank printer to hide evidence of the heist,
according to a person familiar with the investigation. A computer and
printer that Bangladesh Bank used to order SWIFT wire transfers were
manipulated so that authorities could not see records of outgoing wire
transfer requests or receipts confirming that they had been received.
Details about the issues with the computer and printer were among the
first clues to surface as to how the attack was carried out. Malware
was suspected to have been installed on the central bank's computer
systems. Then, the hackers appear to have stolen Bangladesh Bank's
credentials for the SWIFT messaging system, which banks around the
world use for secure financial communication.
The computer linked to the SWIFT system at Bangladesh Bank was
supposed to keep records so they could be easily reviewed by bank
staff. Officials saw the first signs that something was off on
February 5, 2016, when they noticed a glitch with a printer that is set
up to automatically print all SWIFT wire transfers. When they realized
the previous day's transactions had not been printed, they attempted to
print them manually but were unable to do so. One official asked that
the printer be repaired before leaving the office that day, which was a
Friday and the first day of the weekend in Bangladesh. Other bank
employees later decided to wait until the next day to fix it. When the
officials tried to access the computer the bank uses to send SWIFT
messages, they got messages saying a file NROFF.EXE "is missing or
changed".
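The two warning signs in this account, a file on the messaging terminal that "is missing or changed" and a day's transfers that never reached the confirmation printout, are exactly what routine detective checks exist to catch before a human happens to notice. The Python below is an added example, not from the presentation and not a SWIFT product: a file-integrity baseline for the terminal's critical files, and a reconciliation of the outgoing transfer log against confirmations obtained from an independent source. The file names (swiftsend.exe, msgprint.exe, audit.log), references and amounts are all constructed.

```python
import hashlib

# --- Detective check 1: integrity of the messaging terminal's files --------

def sha256_hex(data):
    """Hex SHA-256 of a file's contents (the baseline stores these)."""
    return hashlib.sha256(data).hexdigest()

def build_baseline(files):
    """Record trusted hashes for a set of files: {name: bytes} -> {name: hex}."""
    return {name: sha256_hex(data) for name, data in files.items()}

def check_integrity(baseline, current):
    """Report files that are missing or whose contents changed.

    baseline: {name: sha256 hex} taken from a known-good terminal.
    current:  {name: bytes} as read from the terminal now.
    Returns a list of (name, "missing" | "changed"), in baseline order.
    """
    findings = []
    for name, expected in baseline.items():
        data = current.get(name)
        if data is None:
            findings.append((name, "missing"))
        elif sha256_hex(data) != expected:
            findings.append((name, "changed"))
    return findings

# --- Detective check 2: reconcile sent messages with confirmations ---------

def reconcile(sent, confirmed):
    """Match outgoing transfer messages against confirmation records.

    sent:      [{"ref": str, "amount": int}] from the sending terminal's log.
    confirmed: [{"ref": str, "amount": int}] from an independent source
               (e.g. the correspondent's acknowledgements), never from the
               same terminal whose records might have been tampered with.
    Returns [(ref, "unconfirmed" | "amount mismatch")] in sent order.
    """
    by_ref = {c["ref"]: c["amount"] for c in confirmed}
    findings = []
    for msg in sent:
        if msg["ref"] not in by_ref:
            findings.append((msg["ref"], "unconfirmed"))
        elif by_ref[msg["ref"]] != msg["amount"]:
            findings.append((msg["ref"], "amount mismatch"))
    return findings

# --- Constructed sample data (not real files, hashes or transfers) ---------

GOOD_FILES = {
    "swiftsend.exe": b"known-good sending client",
    "msgprint.exe": b"known-good print helper",
    "audit.log": b"ref=TX-001 amount=250000\n",
}
BASELINE = build_baseline(GOOD_FILES)

CURRENT_FILES = {
    "swiftsend.exe": b"known-good sending client",  # unchanged
    "msgprint.exe": b"tampered print helper",       # modified in place
    # "audit.log" has been deleted
}

SENT = [
    {"ref": "TX-001", "amount": 250000},
    {"ref": "TX-002", "amount": 180000},
    {"ref": "TX-003", "amount": 90000},
]
CONFIRMED = [
    {"ref": "TX-001", "amount": 250000},
    {"ref": "TX-003", "amount": 99000},  # amount differs from what was sent
]

def run_checks():
    """Run both checks over the constructed data and return the findings."""
    return {
        "integrity": check_integrity(BASELINE, CURRENT_FILES),
        "reconciliation": reconcile(SENT, CONFIRMED),
    }

if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(check, findings or "no findings")
```

The baseline hashes and the confirmation records must be kept somewhere the terminal cannot write to; a check that reads its reference data from the very machine under suspicion is defeated by the same malware it is meant to find.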
They were eventually able to access the SWIFT messaging system on
February 8 and print out messages, after obtaining clearance from
senior bank officials to use other means to access the system. When
they printed the SWIFT messages there were three from the New York Fed
seeking information about several suspicious transactions, which
alerted them to the heist. Brussels-based SWIFT, a bank-owned
cooperative that runs a secure private messaging system widely used
for requesting money transfers, said that "SWIFT's core messaging
services were not impacted by the issue and continued to work as
normal."
The money moved from Bangladesh's account at the Federal
Reserve Bank of New York to private accounts in the Philippines,
from which it was channeled to other accounts, including those of
some gambling operations and a casino. The New York Fed has
disclaimed any responsibility for the fraudulent transfers. In a
statement, it said: “There is no evidence of any attempt to penetrate
Federal Reserve systems in connection with the payments in
question.... The payment instructions in question were fully
authenticated... in accordance with standard authentication
protocols.” Assuming the Fed's defense survives scrutiny, it
suggests, but does not prove, an inside job at Bangladesh Bank
and at least one bank in the Philippines. Were people bribed to
reveal the access codes or to overlook suspicious transfers? Did
the criminals plant people inside the bank to orchestrate the theft?
We don't know.
Another source of confusion is that the theft occurred in February
but wasn't revealed - even to other parts of Bangladesh's
government - until March. What is known is that the scheme's
ambition far exceeded the $81 million that was transferred to the
Philippines. The original goal was apparently about $1 billion to
be conveyed through 35 separate transfers. Most of those
transfers were never made. Why? By one press version, doubts
emerged when a word was misspelled on one transfer document.
(The word "foundation" was spelled "fandation.") By another story,
the fact that so much money was going to private accounts stirred
suspicions. It's unclear whether someone at the New York Fed
stopped the transfers and, if not, who did. The hackers may have
penetrated the central bank's computer system for several weeks
before the transfers occurred.
Whatever the final story, there are lessons to be learnt. Whatever the
Fed's direct involvement, it failed to spot a phony transaction before
the funds were sent. Why was this? Can screening be improved?
The Bangladesh cyber heist should ring alarm bells for the financial
world:
Central banks make fat targets. Those in the developing world, with
lots of new capital but not as much digital fortification, are
especially at risk. Bangladesh has some $28bn in foreign currency
reserves with alarmingly rickety fences around them: a hacker's dream.
Officials at Bangladesh Bank also kept quiet for more than a month, a
grim reminder of how crucial information sharing is. Even after a
successful heist, preventing hackers from moving the money requires
global co-operation. The thieves in this case laundered much of the
cash through casinos in the Philippines, where casinos are exempted
from otherwise strict anti-money-laundering requirements.
What's ultimately at stake is a stable global financial system.
Financial networks depend on trust that what's deposited won't vanish,
and that transactions are legitimate and not falsified. The loss of
trust threatens to undermine payments networks and the reliability of
financial record keeping. The theft confirms that most electronic
networks are no stronger than their weakest links. "More connectivity"
- making networks more useful - "means more vulnerabilities" - making
networks more defenseless. This dilemma defines the Internet Age.
The government has to recognize and take appropriate steps to respond
to the growing threat of cyber terrorism. There is a need for sharing
of cyber security threat information within the private sector and
between the private sector and the government, through the formation
of Information Sharing and Analysis Organizations.
Professional Accountants in Practice are sometimes responsible for
advising organizations on improving their cyber security. Professional
Accountants in Business are part of the team responsible for governance
of their organizations. Both groups should know, and see to it, that an
effective Cyber Risk Management Program (CRMP) is functioning in the
organizations they are related to. The core components of an effective
CRMP are: risk management and oversight; collaboration; security
controls; external dependency management; and cyber incident
management and resilience.
Risk management and oversight involves governance, allocation of
resources, and training of employees. Senior Management should clearly
define the roles and responsibilities for identifying, assessing, and
managing cyber security risks across the institution. Training programs
should be updated to respond to changing circumstances and provided
routinely.
Collaboration requires the analysis of information to identify, track
and predict cyber attacks, and includes monitoring and sharing
information from multiple sources.
Cyber security controls should include preventative controls to
impede unauthorized access to systems, detective controls to
identify attacks, and corrective controls to address identified
vulnerabilities. Financial institutions should incorporate measures
that impede unauthorized access to their internal systems and
consumer data, such as by encrypting consumer information.
Institutions should also invest in and implement anti-virus and anti-
malware detection tools, routinely scan information technology
networks for vulnerabilities and suspicious activity, and test systems
for exposure. Furthermore, institutions should develop and test
processes for shutting down unauthorized access and remediating
damage to IT systems.
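To make the three kinds of control concrete, here is an added Python example (not from the presentation, and not any vendor's product): a small detective control that reads constructed sshd-style authentication log lines, flags a burst of failed logins from one source and a success that follows it, and maps each alert to the corrective step the paragraph calls for. The threshold of five failures in ten minutes is an assumed tuning value; the hostnames and addresses are constructed (the address ranges used are reserved for documentation).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog-style sshd lines. The pattern covers "Failed password" and
# "Accepted password" events, including the "invalid user" variant.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

# Constructed sample log: one source guesses five times and then gets in;
# another source has a single typo followed by a normal login.
SAMPLE_LOG = """\
Feb 05 23:14:01 core-banking sshd[411]: Failed password for admin from 203.0.113.7 port 51122 ssh2
Feb 05 23:14:03 core-banking sshd[411]: Failed password for admin from 203.0.113.7 port 51123 ssh2
Feb 05 23:14:05 core-banking sshd[411]: Failed password for invalid user root from 203.0.113.7 port 51124 ssh2
Feb 05 23:14:08 core-banking sshd[411]: Failed password for admin from 203.0.113.7 port 51125 ssh2
Feb 05 23:14:10 core-banking sshd[411]: Failed password for admin from 203.0.113.7 port 51126 ssh2
Feb 05 23:14:12 core-banking sshd[411]: Accepted password for admin from 203.0.113.7 port 51127 ssh2
Feb 05 23:20:44 core-banking sshd[412]: Failed password for jdoe from 198.51.100.4 port 40011 ssh2
Feb 05 23:20:59 core-banking sshd[412]: Accepted password for jdoe from 198.51.100.4 port 40012 ssh2
"""

def parse(lines):
    """Yield parsed events as dicts; lines that don't match are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            # Syslog omits the year; strptime defaults it to 1900, which is
            # fine for the relative timing used below.
            ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
            yield ev

def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Detective control: flag a source that fails `threshold` or more logins
    within `window`, and separately flag a success that follows such a burst
    (the pattern that most needs a human to look at it)."""
    failures = defaultdict(list)  # src -> timestamps of failures in window
    alerts = []
    flagged = set()
    for ev in parse(lines):
        src = ev["src"]
        if ev["result"] == "Failed":
            recent = [t for t in failures[src] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            failures[src] = recent
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "failed-login burst", "src": src,
                               "count": len(recent), "host": ev["host"]})
        elif src in flagged:
            alerts.append({"kind": "success after burst", "src": src,
                           "user": ev["user"], "host": ev["host"]})
    return alerts

def corrective_actions(alerts):
    """Map each alert to the corrective step the control model calls for."""
    actions = []
    for a in alerts:
        if a["kind"] == "failed-login burst":
            actions.append(f"block {a['src']} at the perimeter and review {a['host']}")
        elif a["kind"] == "success after burst":
            actions.append(f"treat account {a['user']} on {a['host']} as compromised: "
                           f"terminate sessions, reset credentials, preserve logs")
    return actions

if __name__ == "__main__":
    for action in corrective_actions(detect(SAMPLE_LOG)):
        print(action)
```

The preventive counterpart is the lockout or rate limit that stops the fifth guess from ever being tried; the detective logic above matters because preventive controls fail, and a success that follows a burst is the signal that one already has.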
External dependency management involves connectivity to third party
providers and customers, and the financial institution's oversight of
these relationships. Institutions consider the risks of each
relationship and evaluate a third party's cyber security controls
before entering into third party contracts.
Cyber incident management and resilience involves incident detection,
response, mitigation and reporting. Financial institutions should have
procedures for notifying customers, regulators and law enforcement when
incidents occur. Institutions should also develop business continuity
and disaster recovery plans, and test such plans across business
functions to identify gaps before cyber attacks occur.
Cost of cyber attacks: There are numerous additional costs that
institutions must consider in the new world of cyber risks and
vulnerabilities. Besides the loss of money (their own or depositors'),
all organizations, particularly banks and other depository
institutions, must be mindful that they may incur additional costs as
a consequence of cyber attacks.
Litigation cost - Identity theft and breaches of consumer privacy
expose financial institutions to a significant risk of consumer
litigation. For example, in 2014, a USA hospital sued its bank to
recoup losses from a cyber-heist in which cyber thieves broke into the
hospital's payroll accounts and put through three unauthorized
payments, siphoning over $1 million. The hospital sued the national
bank for processing an unauthorized transfer request, arguing breach
of a contractual provision which required the bank to implement a risk
management program.
Cost of complying with regulatory requirements - The pace of new
regulatory requirements can challenge the change-management
capabilities of some financial institutions and lead to increased
operational and compliance risks if banks do not adequately invest in
control processes, systems, or staff. Institutions may be cited for
weak cyber security systems and inadequate controls as part of an
overall operational risk review. Of particular concern is the
likelihood that the industry will see increased enforcement actions
given increased regulatory concerns over data privacy and cyber
terrorism. A cyber attack could lead to the imposition of regulatory,
civil and/or criminal fines and penalties arising from the failure of
a depository institution to maintain an adequate cyber security
program.
Goodwill /Reputational Loss – Data breaches expose customers to an
increased risk of identity theft and loss of privacy, which will result
in loss of confidence in a financial institution's security systems and
in the financial institution itself. Not only can a cyber attack damage
an institution's relationship with its customers, but the negative
publicity surrounding a breach can have long-term impacts. A successful
cyber attack not only can lead to loss of business, but can expose the
financial institution to consumer litigation, regulatory enforcement
actions, and even criminal investigations, all of which will further
exacerbate damage to the institution's reputation.
Other Costs – One cost that many institutions are now taking on
involves cyber insurance policies that can help to mitigate some of the
costs and liabilities created by cyber attacks and data breaches.
Specialized cyber insurance policies now cover data breaches, identity
theft, loss of data, business interruption, cyber extortion, crisis
management, and other cyber-risk areas. As with any other significant cost
decision, institutions must carefully weigh the extent of the additional
insurance and whether the cost is justified based on the additional
insurance protection provided under a particular cyber insurance policy.
Third-Party Risk Management – Vendors may sometimes provide a
“backdoor entrance” for hackers seeking to steal sensitive bank customer
data. An area of particular concern to bank regulators is the exposure and
vulnerability of banks to third party service providers that may not be
adequately prepared or equipped to address their own cyber-security
vulnerabilities and, thus, may wittingly or unwittingly act as a Trojan horse
to expose banks to new cyber-risks.
Impact on Smaller Institutions – Larger banks generally have
sophisticated IT systems to guard against cyber attacks. By
contrast, smaller community-based banks generally lack such
systems and, therefore, are often a prime target for cyber
thieves. However, many institutions, particularly smaller
community-based institutions, have yet to face a full-blown
cyber attack and, thus, may not fully appreciate the extent of
the risk. This remains a significant industry challenge.
Cyber Attacks in Business Organizations: So far we have discussed
cyber attacks on financial institutions. Let us now look at cyber
attacks from the perspective of business organizations:
Cyber attacks are becoming more common, more varied and more
sophisticated. As John Chambers, executive chairman of Cisco, the US
network equipment company, said: "There are two types of companies:
those who have been hacked, and those who don't yet know they have
been hacked."
The list of well-known companies whose IT has been hacked is growing.
After TalkTalk announced that it had been hacked, its shares fell
sharply and the company's chief executive, Dido Harding, struggled to
reassure customers, investors and the media that the company was
getting to the bottom of what had happened. Just a few days later a
second telecoms company, Vodafone, also said that it had been the
victim of an attack by hackers.
Company directors more often discharge their duties by delegating them
to professional accountants, who then have to come up with methods to
protect the company silver, increasingly in a digital environment. No
doubt there is merit in creating complex passwords, keeping passwords
secure and changing them frequently, but accountants have to keep up
with changing technology. The increased use of smartphones and apps,
where many employees use one device on which to perform both their
professional and social activities, could lead to a cyber-breach.
Cybercriminals often use pieces of information from social media pages
to assemble a target's identity.
We are overly casual with our cyber hygiene. From top to bottom,
passwords are often shared, sensitive information is dropped in
conversation, and systems are left running and unattended. As
professional accountants working in industry, some ownership, or
rather leadership, has to be adopted to drive cyber hygiene in our
organizations.
Cyber Protection: Biometrics
Cyber attackers demonstrate considerable agility and adaptability. In
some cases, savvy attackers used increased levels of deception by
hijacking companies' own infrastructure and turning it against them.
Advanced cyber attackers are using legitimate software on compromised
machines to continue their attacks without risking discovery by
anti-malware tools; they have used a company's own management tool
technology to move stolen IP around the corporate network, and have
built "attack software" inside their victim's network, on the victim's
own servers. Protection against cyber attacks has therefore become
more challenging than ever before. However, many experts recommend
using biometrics to tighten security.
Biometric technology, which identifies a person by their unique physical
or behavioral characteristics, is increasingly used as a convenient
alternative to a password, for authorizing online payments or gaining
entry to a building. Convenience may have drawbacks, though. Some
security experts reckon that hackers will focus more on stealing
people's biometric data as it becomes more widely employed. Therefore
biometric security isn't mainstream yet.
What can companies and their accountants do to minimize security
risks, then? Some suggestions are:
First, get an overview of your IT. Keep an up-to-date inventory of your
hardware - your devices (all servers, workstations, laptops and remote
devices connected to your business network) - and software
(particularly the stuff that has security vulnerabilities and software
that's not authorised for business use). This should make it quicker
to find and fix IT after it has been hacked.
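The inventory step above, as an added example that is not part of the presentation: a Python script that reconciles a hardware register and a list of observed software against an approved-software list and a table of minimum safe versions, reporting unregistered devices, unauthorised software and out-of-date installs. Hostnames, product names and version floors are constructed placeholders; in practice the observed devices and software would come from a network scanner or endpoint agent, and the version floors from vendor advisories.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    hostname: str
    owner: str      # team or person accountable for the device
    approved: bool  # True if it is on the authorised hardware register

@dataclass(frozen=True)
class Installed:
    hostname: str
    software: str
    version: str

def parse_version(v):
    """'3.2.10' -> (3, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def audit_inventory(devices, installed, approved_software, min_safe_version):
    """Compare what is actually on the network with what the register says.

    devices:           Device records from the register, plus anything
                       discovered on the network (approved=False if unknown).
    installed:         software observed on each host.
    approved_software: names of software authorised for business use.
    min_safe_version:  {software: lowest version without known vulnerabilities}.
    Returns a sorted list of (hostname, finding) tuples.
    """
    findings = []
    known_hosts = {d.hostname for d in devices if d.approved}
    for d in devices:
        if not d.approved:
            findings.append((d.hostname, "device not on authorised register"))
    for item in installed:
        if item.hostname not in known_hosts:
            findings.append((item.hostname,
                             f"software seen on unregistered host: {item.software}"))
        if item.software not in approved_software:
            findings.append((item.hostname, f"unauthorised software: {item.software}"))
        floor = min_safe_version.get(item.software)
        if floor and parse_version(item.version) < parse_version(floor):
            findings.append((item.hostname,
                             f"{item.software} {item.version} below safe version {floor}"))
    return sorted(findings)

# Constructed sample data: hostnames, products and versions are placeholders.
DEVICES = [
    Device("fin-ws-01", "finance", True),
    Device("fin-ws-02", "finance", True),
    Device("srv-erp-01", "it", True),
    Device("unknown-laptop", "?", False),  # seen on the network, never registered
]
INSTALLED = [
    Installed("fin-ws-01", "OfficeSuite", "16.0.4"),
    Installed("fin-ws-01", "PdfReader", "11.0.1"),
    Installed("fin-ws-02", "OfficeSuite", "15.0.2"),   # below the safe version
    Installed("fin-ws-02", "TorrentClient", "4.3.0"),  # not authorised for business use
    Installed("srv-erp-01", "ErpServer", "9.2.0"),
    Installed("unknown-laptop", "RemoteAccessTool", "2.0.0"),
]
APPROVED = {"OfficeSuite", "PdfReader", "ErpServer"}
MIN_SAFE = {"OfficeSuite": "16.0.0", "PdfReader": "11.0.0", "ErpServer": "9.2.0"}

if __name__ == "__main__":
    for host, finding in audit_inventory(DEVICES, INSTALLED, APPROVED, MIN_SAFE):
        print(f"{host}: {finding}")
```

The value of the register shows after an incident: with the list of hosts and versions already in hand, the question "which machines run the vulnerable version?" is a lookup rather than a search.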
Next, review the information your business holds and work out what the
most important information is (for example, designs for an innovative
new car if you're a car maker, or customer credit card details if
you're a bank). Make protecting this information a priority.
Don't rely on one type of security technology, such as anti-virus
software on workers' desktops. Add more controls, like anti-malware
technology and email gateway security controls (technology that blocks
spam emails and also helps to prevent the loss of data).
More employees are using their own smartphones and tablets for work,
which can improve productivity and make it easier to work out of the
office. It can also cause IT security problems if workers download
customer data and other intellectual property, and possibly viruses,
onto devices that may not be as secure as ones supplied by their
employer. Develop company rules for employees' use of their own
devices. Some companies give workers "read and write" access to data
on a mobile device but don't allow them to extract it outside the
corporate network.
Cloud Security
Cloud computing - large networks of web servers and data centers that
are run online rather than on customers' own computers - is
increasingly popular in business, including for email systems,
customer-relationship management and accounting software, and
document-sharing applications such as Dropbox. Storing data online is
usually cheaper and can be a useful backup for data stored in company
offices. If there's a fire or major IT failure at your company,
retrieving data from the cloud can be done quickly.
But take care. Companies are responsible for any security breaches on
the part of the supplier holding their data, so it's important to check
the supplier's arrangements for security and data backup/business
continuity.
IT security for Accounting
Accountants need to get their own houses in order first. There are
firms of accountants who do payroll accounting for lots of their
clients, so they hold personal data, such as bank account details, that
is considered sensitive. If they lose clients' data, or if the data is
hacked, accountants could be fined and jailed if found guilty. As
accountants, you hold significant amounts of confidential data.
Cybercriminals will get in, take your data and leave, making every
effort not to leave a trace. Do you know whether your data has been
accessed, read, copied? Most won't.
Opportunities for Accountants
Cyber threats could also be good news for accountants. The reality is
that there's no one explaining IT security to small and medium
businesses. There is a huge opportunity for accountants to provide new
services, to engage with clients and have sensible discussions about
information security. Security training doesn't have to be overly
technical. It's useful for accountants to know how to install a
firewall, but they probably don't need to know how to write computer
code.
Accountants can help business clients identify their most important
information, how serious the security threats to that information are,
and any gaps in security, such as staff who need training in IT
security. Employees are often the cause of accidental leaks of data.
While preparing for discussion with management about advisory services
on cyber security, look for the answers to the following questions:
Does the organization use a security framework? For example NIST 800-53
(the U.S. Federal Government's comprehensive framework) or the COBIT
framework (Governance, Risk, and Control).
What are the top five risks the organization has related to cyber
security? The potential areas of risk are: proliferation of BYOD and
smart devices; Cloud computing Action; outsourcing of critical business
processes to a third party (and lack of controls around third-party
services); disaster recovery and business continuity; periodic access
reviews.
How are employees made aware of their role related to cyber
security?
The organization should have a security awareness training
program, and each employee should be required to review the
training and pass the test annually. The CEO (or other top
executive) must communicate the importance of safeguarding
the organization's critical assets.
Cyber security, however dull it may seem, is everyone's
responsibility; "I am not a technical person" is no excuse.
Making better use of encryption, access controls and
strong verification systems, with constant updating, can help, but
nothing can substitute for training and vigilance. The financial
world needs to be on alert round the clock.
Who is accessing what IT
Keeping track of who is accessing what IT is another important part of
information security. Companies can reduce the damage caused by
successful hacks by encrypting their most important information (for
example, credit card data for banks or patient records for hospitals).
Does the business have a continuity plan? A good business continuity plan
can also help minimize the damage if security fails. The plan, which should
be tested at least once a year, can help maintain business functions or get
them up and running again quickly if there is major disruption, such as a
fire or flood, serious illness among workers, or a massive cyber attack.
Business continuity plans vary but most will focus on three things: people
(are staff trained to take on different jobs if a disaster happens and
colleagues are injured or killed?); premises (relocating workers to another
company building if the head office is damaged/destroyed, or enabling
them to work remotely); and technology (running computer systems from
backup locations).
You should define what is classed as a disaster for your
business, how quickly you need to be operational, and identify the
key people and systems which are mission critical to the operation
of the business. Your service level agreement with your provider
should reflect these. As each business is different, so is its business
continuity plan: it's all about understanding your objectives.
As technology becomes more advanced, so do hackers and
organized crime. The mass of information, and the claim and counter-
claim about security threats and the technology to deal with them, can
be confusing. Accountants can help business clients be prepared
for the worst hacks and boost their fees at the same time. The questions
above also help in preparing for discussions with management and internal
audit; for simplicity and brevity, each question outlines suggested action items.
Business complacency is one of the real concerns today. The following
statements work against cyber security:
We don't need protection as we have never had a data loss or breach;
Our email is already secure enough;
Of course we are fully protected, our IT guys sort all that out;
If we implement security for our customers they will go elsewhere;
We have added a disclaimer to our emails;
We are insured so it doesn't matter;
We think the problem is over-stated; and
Our board won't spend the money.
The list is actually far longer, but you will see a common theme here,
which is a failure to assess the risk and a failure to act upon it. The first
point is the strangest. It is analogous to saying "I don't need to wear a
seat belt as I have never had a crash."
One thing is clear: countries need to act, and need to act fast. The time that
businesses are taking to get their house in order, and the complacency
among the general population, are having a marked effect. Cybercrime is
growing in two ways. The first is in quantity: there are increasing levels of
attacks against individuals and businesses. The second growth is in
sophistication: criminals' methods are becoming more cunning. If you put fast
growth in cybercrime activity next to slow growth in our ability to deal with it, you
can easily spot the issue. We have a growing gap between the rate at which we are
able to detect, protect, catch and prosecute and the rate at which cybercrime
is growing.
If you believe that cybercrime does not concern you and is something that
impacts other people, think again. One of our biggest challenges is simply
lack of imagination. Cybercrime is, on the whole, high volume and low value. Criminals
may not be targeting you specifically because of who you are; you are simply
in a numbers game. You may be targeted for no other reason than that you
have inadequate protection and can be exploited. Your data is valuable.
So what has this to do with the accountancy profession? E-mail is the
backbone of our communications. But is our email protected? The
answer is either yes or no. If it is protected you will know it, as you will be
doing something extra to normal email. If you simply think that it is
"probably secure", then it isn't. If your email is not protected, then maybe
it's time to stop contributing to the wider risk of cybercrime.
Protecting yourself from viruses, spyware and phishing scams may seem
obvious when you receive an email from someone you do not know
saying you have won £500,000,000. But what about when it 'appears' to
be from somebody you know and trust?
Most threats are designed to be tricky to spot, which is why you need to be
alert and ensure that you are protected at all times. You don't need to
know everything about computers to protect yourself; you just need to
know what to look out for and how to avoid it.
Some tips to help stay protected:
Match the person or company sending you the email with the context
before deciding it is real. Your bank will never send you an email asking for
your personal details; just because it looks nice doesn't mean it is right. In
almost 100% of cases, what is actually happening is that a hacker has masked
their email address to look like it is from someone else. You click the link
and navigate to the FAKE website so they can capture your details. The
next minute you have no money left.
When downloading a file online, be wary of what you are downloading: a
virus won't be called virus.exe; it may be called something like receipt
29836 or summer_photos Oct. Just because something looks genuine
doesn't mean it is. Always check who is sending you these files and, if you
are getting them from a website, whether the website is trusted. Anti-virus software
will not always save you when downloading a virus: sometimes it may be
able to detect it when you try downloading the file, but sometimes it won't.
Just because you have anti-virus software doesn't mean you are safe. Be
vigilant when browsing the internet and don't visit pages you are unsure of.
Be careful when opening attachments: do you know the sender? Are you
expecting the email? Although anti-virus will protect you 90% of the time,
nothing gives you 100% protection. Think of it like this: you don't need a lock
on your front door, but it is much harder for a burglar to break in if you have
one! Sometimes, using common sense is the best way forward. You wouldn't
let a stranger into your house, so why do the same to your computer?
Phishing is one of the main threats to people and to businesses. Phishing
appears in many different ways, but its end goal is always the same: the
attackers want your personal information in order to take your data and/or money. Do you know
where that link is actually sending you? It is not hard to make a link look like it
is going to Google when it is actually going to some server elsewhere. When
you receive a link, you can hover your mouse over it to reveal the true
destination. Try it now with a link that reads www.hallidays-it.co.uk: your web
browser should show you the actual address (Chrome users hover, then look bottom left).
The link above looks like Hallidays' IT website, but it actually links to
moneynowsucker.com. This is called phishing: the term used when you
think you are clicking on a link to do one thing, but what actually happens
is another. This type of threat is something that an anti-virus cannot
protect you from.
Cyber criminals will usually send you something like this to make you think
that your account is in danger and that, to protect yourself, you just need to log in and change
your account details. What they are really doing is sending you to a bogus
site to log your information. Phishing has become increasingly common,
and as it is rarely detected by anti-virus, many people are affected.
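The check that hovering performs by eye, written out as an added example (not the presentation's or Hallidays' own code): compare the website a link's visible text names with the host its href actually points to, and flag the mismatch. The sample links and hostnames are constructed for this example.

```javascript
// Added example (not the author's or Hallidays' code): flag links whose visible
// text names one website while the href really points at another, the mismatch
// that the "hover to see the real destination" tip exposes. Uses only the
// built-in URL class, so it runs in Node.js or a browser.

// Constructed sample anchors, as a phishing e-mail might render them
// (the hostnames are made up for this example).
const SAMPLE_LINKS = [
  { text: "www.hallidays-it.co.uk", href: "http://moneynowsucker.example/login" },
  { text: "Click here to verify your account", href: "https://verify.example.net/a" },
  { text: "https://www.google.com", href: "https://www.google.com/search?q=x" },
];

// Lower-case the host and drop a leading "www." so that "www.example.com"
// and "example.com" count as the same site.
function normalizeHost(hostname) {
  return hostname.toLowerCase().replace(/^www\./, "");
}

// If the visible text looks like a URL or bare hostname, return its normalised
// host; otherwise null (words such as "click here" set no expectation to compare).
function hostFromText(text) {
  const t = text.trim();
  if (t === "" || /\s/.test(t)) return null;
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(t) ? t : "http://" + t;
  try {
    const host = new URL(withScheme).hostname;
    return host.includes(".") ? normalizeHost(host) : null;
  } catch {
    return null;
  }
}

// Compare what a link shows with where it really goes. Verdicts: "mismatch"
// (text names site A, href goes to site B), "consistent", "opaque" (text is not
// a URL, so the reader must hover to check) or "invalid-href".
function classifyLink(link) {
  let actualHost;
  try {
    actualHost = normalizeHost(new URL(link.href).hostname);
  } catch {
    return { verdict: "invalid-href", shownHost: null, actualHost: null };
  }
  const shownHost = hostFromText(link.text);
  if (shownHost === null) return { verdict: "opaque", shownHost, actualHost };
  const verdict = shownHost === actualHost ? "consistent" : "mismatch";
  return { verdict, shownHost, actualHost };
}
const auditLinks = (links) => links.map(classifyLink);
auditLinks(SAMPLE_LINKS).forEach((r) => console.log(JSON.stringify(r)));
```

A real mail gateway or browser extension would read the anchors from the message body and apply the same comparison; "opaque" links still need the hover check, since plain words give nothing to compare against.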
Is your computer password... password? Perhaps password123? Do you
use your name, your pet's name or your date of birth? Hacking is much
easier when you use simple or personal passwords. The best way to
protect yourself is to use something random, something that nobody could
guess from any personal information.
Misconceptions surrounding computer security
When you get a virus you lose everything on your computer AND
need to buy a new one.
You need to be a computer expert to protect yourself, your family
and your business.
FREE antivirus is just as good as a paid-for service.
NONE OF THE ABOVE IS TRUE! Computer security is an ever-
increasing headache for business owners and users. The first
thing you need to do is be aware. Once you are armed with the
right knowledge, you are already much better prepared.
Working in partnership with auditors can go a long way and, if
managed effectively, can help in improving the security posture of the
organization.
All types of cyber crime involve both the computer and the
person behind it as victims. Cyber crime could include anything
from something as simple as downloading illegal music files to stealing millions
of dollars from online bank accounts. Cyber crime could also
include non-monetary offenses, such as creating and distributing
programs known as viruses to other computers, or posting confidential
business information on the Internet. An important form of cyber crime is identity theft,
in which criminals use the Internet to steal personal information
from other users. Various types of social networking sites are
used for this purpose, to find the identities of people of interest.
In conclusion, computer crime does have a drastic effect on the
world in which we live. It affects every person, no matter where
they are from. Hackers are as old as the Internet, and many have
been instrumental in making the Internet what it is now. It is our
role to keep the balance between what is a crime and what is
done for pure enjoyment. Passwords might be replaced by more
secure forms of security, such as biometric security. Criminals have
also adapted the advancements of computer technology to
further their own illegal activities. Without question, law
enforcement must be better prepared to deal with the many aspects
of computer-related crimes and the techno-criminals who commit
them. Certain precautionary measures should be taken by all of
us while using the internet, which will assist in challenging the
major threat of cyber crime.
Recommendation
Establishment of a regulatory authority for framing the framework and standards
for cyber security.
Updating of ICAB study manuals and syllabuses on ICT and cyber security.
Holding workshops to strengthen members' IT knowledge and awareness of cyber
security issues.