Impact of cyber fraud and cyberattacks on organizations

By Risk Performance and Technology group

Original, as it appears on Finance et Investissement –

A few months ago, I talked to you about a case involving the evolution of bank technician cyber fraud that I investigated; there have been cases of more complex and hybrid fraud since that article.

Without necessarily going into the details of this cyber fraud, I am writing today about its impact and the recommendations to be followed as soon as possible in your business and personal lives.

I gained an awareness through investigations. Businesses that were victims of fraud and cyberattacks, besides suffering a direct financial loss in dollars related to cybercriminal fraud, were literally shocked. Shocked, as in an initial burglary, a crisis of trust due to an embezzlement of funds, or a totally unexpected executive shuffle. Unfortunately, these states of shock are not quantifiable, even though they directly affect the culture and individual motivations of the organization.

These investigations allowed me to understand that, in 2017, cyber insurance is almost compulsory for any business activity that integrates the Internet and data processing into its business model.

All of these victims asked the famous “why me” question. The answer is simple: Each corporate entity or private individual has a “digital persona” that is assessed and defined as more or less vulnerable by cybercriminals. Such is the case if you or your business replied easily and willingly to a few marketing surveys, or questions on your or your co-worker’s responsibilities within the hierarchy, or if your organization has had a few compromised identities published on the Dark Web and if several vulnerabilities were identified during a quick website or IT infrastructure scan. The cybercriminal will then conclude that you are a more profitable, preferred target (effort vs success of cyberattack) than your neighbour.

You understand, then, that your holistic victim profile created by cyber fraudsters and cybercriminals is a direct result of your or your co-workers’ business, and sometimes even personal, browsing behaviour, practices and habits.

You will understand that going from the status of target to that of victim is often related to the human factor and your ability to question “what seems shady”. In the investigations that I conducted, considerable damage and financial loss might have been avoided if the targeted individual had asked a few questions. This conclusion also applies to bank employees who were the last line of defence. In short, good antivirus or anti-malware software does not protect you from excess confidence; in fact it even aggravates matters. My clients who were victims of cyber extortion sometimes tell me that they will never give in to criminals, while others tell me it is always easier to pay them. The answer is not black or white. It is definitely grey; negotiation is necessary. It may involve a cyber intelligence strategy, but to identify what it could be, you have to simulate the situation.

You understand that the impact of a cyberattack is quite often human because it targets “the essence of who we are”. If you are starting to think that you should act, then take a holistic approach: Am I personally at risk? Check the status of your identity via Breach Alarm or Haveibeenpwned. Then, consider not using the same password everywhere. Separate the ecosystem of your personal data from your business information insofar as possible. For example, sending work using your personal email is really a habit to break for contractual, legal and security reasons.

In conclusion, you must be ready. That means opening a cryptocurrency portfolio in advance so that you can react quickly as required. Ask questions and remain vigilant. Always ask the person you are communicating with if you can contact them again at the official email address or telephone number of their organization. Simulate cases of cyber crises. Imagine that your clients’ data has been disclosed, and identify a response scenario. You understand that even if the word “cyber” implies technology, the differentiating element is you, your co-workers and your vigilance.