Editor’s note: This article originally appeared in Kiosk Marketplace, a Mobile Payments Today sister publication.
As business becomes increasingly digital, proprietary data becomes more vulnerable to cybercrime, which is on the rise. Millions of Americans were reminded of this reality last month when Equifax, one of the three largest credit reporting agencies, announced that 143 million consumers had their personal information breached.
Attendees at October’s Global Gaming Expo at the Sands Expo Center in Las Vegas received an update on public and private efforts to prevent cyber security risks during a panel discussion. While the three expert panelists covered a lot of information about the ongoing challenge of mitigating security risks, their overriding message was that companies need to train employees how to recognize vulnerabilities.
Jennifer Martin, a lawyer at Covington & Burling LLP in Redwood Shores, California, who specializes in cyber security, said cybercrime is changing. Where cybercrime initially referred to criminals using the internet to commit traditional crime, it now refers to criminals using technology to attack people’s data.
“Cybercriminals,” as they are known, can access proprietary information about people and use it in unauthorized ways.
One of the most common tactics fraudsters use to gain unauthorized access to people’s information online is “phishing” – attempting to obtain private information by posing as a trustworthy entity in an electronic communication, Martin said.
The threat expands
“There is a huge amount of (exposed) data,” Martin said. “It’s easy for a fraudster to impersonate you.” Much of this data is available on social media and the “dark web,” content that exists on the internet that requires specific software, configurations or authorization to access. Criminals who steal proprietary information often sell it to other criminals on the dark web.
Another factor driving the growth of cybercrime is the increasing sophistication of cybercriminals. Criminals are discovering new ways to hide their activity.
“The cybercriminals have a great sharing network,” said panelist Alan Cohen, senior director of risk management and chief internal security officer at Scientific Games Corp.
Cohen and Martin agreed businesses in general are guilty of a lack of focus on cybersecurity.
Companies need to pay more attention to what exposures they encounter when working with third parties over the internet, said Cohen. “Bring your own device” is increasing as a business tool, he said, and it boosts opportunities for unauthorized access to proprietary data.
“It’s a whole supply chain of cybersecurity,” Cohen said, echoing Martin’s point about the need to train employees not to click on emails they don’t recognize.
What to do
Companies, according to Cohen, need to do five things to strengthen their operations:
- Have malware protection;
- Have some form of threat detection;
- Train employees to notify managers of suspicious activity;
- Have some way to assure the safety of communication with third parties (“who knows who’s on that phone?”);
- Have a crisis response plan.
It’s not even safe to view Facebook messages at face value, Cohen said, since criminals can hack Facebook accounts, then send messages using a hacked account. The recipient is tricked into thinking they are receiving a message from someone they know.
Genevieve Gimbert, a principal at PricewaterhouseCoopers, a consultancy, said companies should determine what activities could expose their business to fraud. On a positive note, she said more companies are initiating fraud protection programs.
Companies are starting to use behavioral analytics, video analytics, facial recognition technology and advanced machine learning to verify the identity of people they interact with, Gimbert said. Companies are recognizing the need to invest in identity verification as they expand into omnichannel commerce.
Multi-factor identity verification is a technology that considers different aspects of a person’s behavior.
“Multi-factor looks at many things to make sure you are who you say you are,” Cohen said.
Security standards emerge
The panelists also discussed the various security standards that have been developed to prevent cybercrime.
Cohen said there is a non-profit organization called the Information Sharing and Analysis Center that provides a resource for gathering information on cyber threats to critical infrastructure.
The International Organization for Standardization, known as ISO, has voluntary standards covering many aspects of business and technology. The ISO 27000 series has existed since 2013 and includes requirements for assessment and treatment of information security risks.
The National Institute of Standards and Technology, an organization under the U.S. Department of Commerce, is currently reviewing comments to help federal agencies in responding to a Presidential executive order on strengthening the cybersecurity of federal networks and critical infrastructure.
The Securities and Exchange Commission requires risk assessments for publicly traded companies, Martin said.
Martin also noted that the Financial Crimes Enforcement Network, an agency of the U.S. Department of Treasury, requires financial institutions to report suspicious transactions that involve a minimum $5,000 worth of assets. She said the guidance, which is listed on the FinCEN website, www.fincen.gov, is vague.
Regardless of regulatory mandates, businesses of all sizes need three lines of defense: technology operations, risk compliance and internal audit, Gimbert pointed out.
A mock scenario
Near the end of the discussion, the panelists engaged in a mock crisis management scenario. Martin asked Cohen what he would do if he owned a casino and got complaints that the computers weren’t working properly.
Cohen said he would shut down the server, then try to assess what data was damaged.
If there was a ransomware demand, Cohen said he would not pay the ransom. He said he would have seen in advance that all the data was backed up so that the ransomware could not deny him access to his data.
Cohen said he would also call the FBI, along with regulatory officials, depending on what data was compromised.
The panel discussion made it clear that cybercrime presents a serious threat and companies have a lot of work to do to reduce their vulnerability. Fortunately, there are resources available to assist them in the effort.