Bill Murphy, SVP, CIO & CRO, Fidelity Bank of Florida N.A.
“My model for business is the Beatles. They were four guys who kept each other's kind of negative tendencies in check. They balanced each other, and the total was greater than the sum of the parts. That's how I see business: Great things in business are never done by one person. They're done by a team of people.”
Steve Jobs 2003
I feel the same way regarding the issues of Cyber Fraud. We cannot fight this long, hard battle alone; we need the support of the management team, our vendors, our colleagues and most of all our staff. The Cyber Fraud Industry in the U.S. is an industry that stole over $100 Billion in 2015. The money involved in Cyber Fraud last year worldwide was more than the illegal drug trade. This issue is not going to go away, and the attacks are getting more frequent and complex. It is no longer someone putting graffiti on your website or doing a Denial of Service attack to shut your site down. The new age Cyber Fraud Industry wants all your data regarding your business and customers. The goal may be money, captured data, or merely planting something in your network to monitor everything you do until the right time to make an attack.
I call it an industry because they are set up like any good business, with an organizational chart, assigned duties for its members, and a management team that decides what and when to attack. In each of the businesses there are assigned duties: some members write the code, others sell the stolen data, and another group provides services like money mules to move the money out of the country. The only difference is that they are not licensed and do not have to pay taxes; otherwise they are like any other company.
How do we combat an organization that works 24 hours a day with a network of professionals whose only goal is to steal our data?
We must ask our vendors to develop stronger security for their products. It is no longer good enough to just lock the door of their house; they need to put on a dead bolt and install an alarm system to ensure our data is safe and secure. The day of weak controls is a thing of the past, like the days of the horse and buggy.
The next step is difficult because we have to admit we have had issues, even if we have plugged the hole, and communicate those issues to our colleagues. I am not talking about just reporting to the public like we are required to do, but about sharing how you were breached with colleagues. The information we learn from a data breach, spear phishing attempt or any other Cyber Fraud attack must be shared within our community of CIOs to help each of us prevent the same attack from being performed on our business.
I realize this type of communication is difficult, but if we are going to slow down the Cyber Fraud Industry, we need each other’s help to do this in the future. The second part of this communication is that what we share needs to stay private and be shared only with people who need to know.
The constant training of our teams is of the utmost importance. Keeping current on the ever-changing landscape is challenging for the IT team. The pushback from management is that a training course or conference is too costly and that we do not have the money in the budget. My argument is that spending money proactively to prevent Cyber Fraud is a lot cheaper than the cost you incur after an attack. Putting the issue of Cyber Fraud in front of the management team helps when you ask for training dollars. Awareness of this issue must be raised throughout the year. The training does not stop at the IT team; it must be pushed out throughout your organization.
We all need to remember:
“A human is most often the issue, not Technology.”
I always tell my team, “I could build the perfect secure network if it was not for the users.”
Cyber Fraud is the greatest economic issue this country has faced since the Great Depression. None of us knows how long this will last, but my guess is it will never end and will just continue to grow. Think about how much stronger the U.S. economy would be if we had added $100 Billion last year. Just because you or your business has never experienced Cyber Fraud does not mean it won’t happen tomorrow. Preventing Cyber Fraud is something we all have to do to protect our company and its data. This fight will require resources and will become one of the largest items in your budget. Preventing Cyber Fraud is costing your company R&D dollars, marketing dollars, employee salary and bonus money. It is very important as CIOs that we spend our dollars and time wisely when attacking this epidemic.
Now is not the time to say I have bigger issues to worry about and Cyber Criminals will never attack my business. If we all work together, we can start to prevent Cyber Fraud in our industries.