Cybersecurity and Fraud Protection
The Evolution of Cyberthreats
Since the first cyber “worm” infected computers 30 years ago, the battle against cyberthreats has increasingly turned into a security arms race as companies work to stay ahead of sophisticated schemes posed by cybercriminals and nation-states.
This article was originally published in Commercial Banking’s magazine, Cybersecurity: Technology and Tactics.
While cybersecurity awareness has increased in recent years, cyberattacks are growing at an alarming rate. For example, in the United States, more than 4.4 million internet crime complaints have been reported to the Federal Bureau of Investigation's Internet Crime Complaint Center (IC3) since its inception in 2000. In the agency’s 2018 Internet Crime Report, the IC3 reported that the total losses from cybercrimes grew from $800.5 million in 2014 to $7.45 billion in 2018. Cyberattacks have impacted some of the biggest companies in the world over the past decade—in industries from healthcare to retail to travel and hospitality—with service disruptions and stolen data.
“The explosion of cyberattacks has been extraordinary,” said Jason Witty, Global Chief Information Security Officer at JPMorgan Chase. “In many ways, the increase in threats mirrors the technology advances companies have made, but it’s not enough to develop new technology. You must have processes and controls in place to protect the private information you already have.”
The First Attack
The first major cyber event occurred in 1988 when a graduate student released a worm that exploited weaknesses in UNIX systems to propagate across the internet. The worm, referred to as the Morris Worm, infected an estimated 6,000 computers and slowed systems to the point of almost being unusable. The impact was profound, as cybercriminals then began to launch targeted attacks against organizations, which quickly learned they had to implement new cybersecurity defenses for protection. Cyberattacks have grown in complexity and effectiveness over the decades, ranging from destructive malware attacks that destroy critical data and infrastructure to sophisticated fraud schemes designed to steal tens of millions of dollars from organizations.
In the last four years, the number of cyberattacks aimed at weaknesses in applications and hardware—using phishing, malware, ransomware and business email compromise (BEC) schemes—has increased dramatically. Last year, 80 percent of organizations experienced BEC schemes, up from 64 percent in 2014, according to the 2019 Association for Financial Professionals® (AFP) Payments Fraud and Control Survey Report.
As the frequency of attacks increased, companies have become more aware of the importance of data protection and the need to implement stronger cybersecurity practices and technology controls.
No Business Is Immune
Small businesses present an easier target when compared with larger, well-defended firms, and still hold a wealth of personal data, including Social Security numbers, credit cards and bank account information—making them an attractive mark for cybercriminals.
“The size of your company doesn’t matter,” said Anish Bhimani, Commercial Banking's Chief Information Officer. “Cybercriminals are relentless in searching for vulnerable spots in any network. Companies must be prepared to educate and train employees to recognize an attack, take appropriate steps to stop it and have a recovery plan in place.”
Innovation and Collaboration to the Rescue
The need for a more cohesive approach to address cybersecurity threats led to the creation of major public-private partnerships. In 2001, government agencies and private industry groups launched the National Cyber Security Alliance (NCSA)—a collaboration between the Department of Homeland Security and several private sector and nonprofit sponsors—to increase awareness and develop cybersecurity education initiatives. The NCSA is responsible for promoting National Cyber Security Awareness Month, which is held each October.
Another partnership, the Financial Services Information Sharing and Analysis Center (FS-ISAC), is a collaboration with thousands of financial institutions around the world, including JPMorgan Chase & Co., which shares threat information and cybersecurity defense best practices. Witty serves as the chair of the FS-ISAC.
“We constantly explore the use of new, extensive technology to detect cyberthreats quickly and efficiently,” said JF Legault, Global Head of Cybersecurity Operations at the firm. “We continually work with regulators and industry partners to help protect the financial sector.”
While threats continue to evolve, cybersecurity technologies also continue to evolve—incorporating capabilities such as voice biometrics, artificial intelligence and advanced automation.
“It is important for companies to leverage whatever tools and protocols they have to protect data and minimize damages and lost time,” said Mike Kelly, Head of Commercial Banking Cybersecurity and Technology Controls. “We also want clients to avoid relying on one set of controls as the primary safeguard. You need to have multiple layers. You can have all the controls in the world, but one employee can open the company up to risk if he or she is not trained properly.”