As more companies report major cybercrimes and many of us learn we have been a victim—compromised credit card information or data breaches online—cyber risk is increasingly recognized as a serious threat that companies need to address. Recent events demonstrate that cybercrime is increasing rather than decreasing. Therefore, additional and concerted effort from all parties involved (perhaps even the cyber criminals themselves—more on that later) is required to stem the tide.
In this light it was very timely for the Association of Chartered Certified Accountants USA and Pace University convened the second annual cybercrime symposium and panel discussion, Cybercrime in the World Today 2014: Emerging Threats, in New York on April 3, 2014.
After introductions from Judge Robert G.M. Keating, Vice President for Strategic Initiatives at Pace University, and David Szuchman, Executive Assistant District Attorney Chief, Investigation Division, Manhattan District Attorney’s Office, moderator Jonathan Hill, Associate Dean, Seidenberg School of Computer Science and Information Systems, Pace University, chaired a panel discussion that featured:
- Charles F. Gilgen, Special Agent, US Federal Bureau of Investigation;
- Bernadette Gleason, North America eCrime Laboratory Manager, Citi;
- Robert A. Zandoli, Senior Vice President, Global Chief Information Security Office, AIG; and
- myself, representing IFAC and the accountancy profession.
From the ensuing discussion it became clear that enhanced cyber security is not only a technical issue, but equally a behavioral issue. People and their motivations are behind every threat but people also make or break the lines of defense. Here are some examples.
Ingrained in all your actions
It is important that organizations regularly talk about cyber security with their staff to give them a baseline understanding of the risks involved and the potential consequences , as well as what they can and should do to address it. However, many people and organizations alike seem to separate the management of cyber risk from their regular decision making and activities. As if cybersecurity is something separate, often to be dealt with by others.
Maybe we should, therefore, not look at cyber threats as an individual risk category, but instead at how these risks might affect the achievement of an organization’s objectives. After all, technology and the resulting risks to a company’s processes and data are infused throughout the enterprise. As a consequence, not only the IT team but everyone in the organization—and its external counterparts—should take cyber risk into account while making business decisions, integrating the notion of cyber security into all organizational decision making and operations that involve the company’s computer networks and data.
It’s a little bit like driving a car. Safety is an issue all the time you’re driving. The same applies with risk management and taking care of cyber risk. With employees connecting to a firm’s systems from remote locations, often from a mobile phone or tablet, it’s not something that you do only on the afternoon when we have our cyber risk meeting. It’s something you need to integrate in every decision we take and in everything we do.
Us vs. them?
And what about the cyber criminals themselves? In the fight against cyber threats, is it really the good guys against the bad guys? Who are the bad guys? Can you easily recognize or identify them? Who tells us that the good guys cannot turn bad or, alternatively, that the bad guys cannot turn good?
A clear theme in the discussion at Pace University was that cyber security is not an “us versus them” scenario where the line is clearly drawn between “us” and rogue employees and/or external hackers who are threats. Every login to the network bears some associated risk and the responsibility for risk assessment is as incumbent on the users as it is on the IT staff.
The current approach against cybersecurity seems predominantly focused on “end-of pipe” solutions: countering rather than reducing the threat, for example by building ever “higher” firewalls. However, we know from combatting other forms of crime that a multifaceted approach is often more effective. For example, organizations may also need to pay attention to the front end through lowering the incentive to commit cybercrimes, decreasing the opportunity to carry out the crime, rewarding good behavior, and discouraging bad behavior. Perhaps even engaging former cyber criminals in the fight against cybercrime. At least they would bring a lot of knowledge and experience!
Interested in more?
If you are interested in seeing more of the discussion, the webinar is available online. We would also like to ask your assistance with Dr. Hill’s new cybercrime research by filling out a short survey about your company’s security practices. The survey is anonymous and should only take 2-3 minutes to fill out
