Cybersecurity: Time is Up for Inaction

Growing cyber threats

Throughout the past two decades corporates have swiftly transitioned from traditional linear business models to platform based as the demand for quality product outlay in record time escalates. With platform-based models, businesses are able to scale their supply distribution at a faster rate than what they would normally be able to do with a linear model. This capability allows them to meet the growing demands of consumers. As a result of this, businesses have had to heavily rely on digital devices and computer networking systems in order to operate in this ‘new normal’. And this has been the cause for the emergence of new cyber-security threats as hostile criminal attackers seek to take advantage of vulnerable organisations.

These threats exist because businesses are not be taking necessary precautions to protect themselves against mounting fraud risk. As digital innovation evolves so does the degree of sophistication in these attacks, forcing key business decision makers to ensure their operations are protected and one step ahead given they could very well be the next victim.

Cyber-attacks can be conducted by individuals, groups and even governing bodies – all of which can adversely affect business. In Europe, the number of cyber-attacks against corporates has surged in recent years. According to a research conducted by Hiscox, approximately 61 percent of firms in Europe experienced a cyber incident in the past year – up 45 percent since 2018.

Globally, the average cost to a firm for a data breach violation is US$4 million according to IBM.  This alarming figure evidences the costly implications that cyber-attacks can have, encompassing both financial and reputational costs, the latter of which can pose limitless loss to a business.

Banks also have to be on the lookout. According to Verizon statistics from 2017, banks were the target of 47 percent of financial data breaches, most of which were financially motivated. Three years on and banks still remain the most targeted financial institution. Consequently, banks have the responsibility not only to extend support and protection for their valuable institutional clients but to also safeguard themselves.

Private vs. public cloud

An area of growing interest within the cyberspace community is cloud based services. This has often been used for the day-to-day management and operations of a business to ensure the production flows are performing at their optimum. However, within cloud computing there lies a lot of sensitive data which needs to be safely processed and stored.

On one hand, there are a wide variety of corporates who are opting for private cloud-based solutions which allows corporates to enhance the privacy and security of their data through an isolated network. However, this type of cloud-based solution does not allow corporates to up-scale at a fast pace due to the limitations of no direct interconnectivity with suppliers and other third-party providers.

An overarching reluctance to implement appropriate risk management solutions is evident globally. Despite an increasing concern towards payments security, fraud detection and digital protection in Australia, how many businesses are actively implementing protection against the growing number of threats facing them?

East & Partners asked businesses with merchant payments facilities in place, “What processes do you currently have in place to manage transactions for fraud?” The results revealed one in five merchants have no processes in place to manage transaction for fraud whatsoever (19.7 percent), noting Microbusinesses were five times more ambivalent than institutional enterprises at 27.8 percent and 4.6 percent respectively. While large corporates exhibit a higher usage of manual or automated processes, a surprisingly low level of third-party integration is sought out. One in five institutional merchants use third party systems to protect against payments fraud (22.5 percent), falling to only one in ten corporates (10.4 percent) and sub two percent for small businesses.

This is an emotive area for banks and card schemes alike, evidenced by Visa splitting away from the Australian bank majors and merchants on a traditionally unified position towards electronic and digital payments security. The group asserts that regulators’ growing push to reduce card fees could divert investment away from fraud detection. The Reserve Bank of Australia (RBA) continues to force banks to offer the option for lowest cost contactless payments (least cost routing) to maintain competition, particularly as receivables volumes are increasingly routed away from plastic towards phones and wearables.

MasterCard finds that three in five consumers will even use their body parts to identify themselves when making payments by 2025. MasterCard’s data also found that 56 percent of customers would use their fingerprint, 45 percent would use facial, retinal or iris scanning, and 38 percent would use voice recognition. A clear opportunity is present for banks to support highly exposed small businesses and under-protected corporates by highlighting the damaging risk of inaction.

Transaction Fraud Management Processes

% of Total

Source: East & Partners Merchant Payments Program – 2020 (N = 2,242)

In Asia the SWIFT Asia Pacific Corporate Risk and Compliance Index highlighted the nascent level of corporate risk and compliance functionality given a majority of corporates did not have a dedicated Chief Risk Officer (CRO). Key risk and compliance governance gaps identified included the low, although growing, level of cyber awareness at management level and a relative lack of standardised internal procedures to manage newly identified risks. Nearly half of all Asia Pacific corporates experienced a cybersecurity threat in a 12 month period with a mere 15 percent of corporates claiming with certainty that they had not experienced a cybersecurity threat based on direct interview with 915 of Asia’s Top 1,000 revenue ranked corporates across 10 major economies in Asia Pacific.

As large upstream requirements increase, firms will have to meet the need of customers by scaling their physical infrastructure which can be costly and inappropriate for certain industry verticals.

On the other hand, there are a wide variety of corporates who are choosing public cloud-based solutions which enables corporates to build virtual networks facilitating vast scalability in their production and operational needs. It also allows corporates to scale down rapidly in the event of lower levels of consumer demand. Nonetheless, this type of solution is more susceptible to cyber attacks and data breaches as sensitive data becomes more accessible on a public cloud network.  With this being true, it is safe to say that there exists a positive correlation between scalability and vulnerability, leaving small businesses as key targets for cyber-criminals.

Government-backed security measures 

Within Europe, there have been government measures in place to prevent cyber-attacks on businesses and the wider economy. In May 2019, the European Council established a framework which allows the European Union (EU) to impose sanctions on persons or entities who are responsible for cyber attacks or have attempted to conduct cyber-attacks.

European regulators are not alone, with the US also summoning their revised cybersecurity strategy which provides US government agencies greater power to combat cybercrime. The US government have noted that this new strategic plan will only be effective if there is support from the private sector and importantly extends to the sharing of sensitive information and data.

As governments, central banks and regulators do their part in attempting to keep the economy safe, it’s now up to corporates as well as banks to have an appropriate degree of preparedness for potential threats on the horizon.

A final thought

Cyber threats are an ongoing and complex issue with no single-fix solution. Given the data it is clear that businesses are not readily prepared to protect themselves against potential threats – especially among Micro and SME businesses. This raises the following questions: should businesses be doing more to ensure the security of their data? What role do banks play in ensuring theirs and their client’s data are securely kept? Has government managed to find a bulletproof solution to an evolving problem?