
The latest ‘armed robber’ generation

By GAMAL NEWRY

READINESS, response and recovery cannot be left to chance. The delivery of a comprehensive security protection programme demands planning, co-ordinated implementation and consistent oversight. More than fence lines, cameras and alarm systems, a modern asset protection system must now include firewalls, anti-virus software and the use of multi-factor authentication. Successful integration of these multiple layers of protection makes for an efficient and effective loss prevention programme. Robust and resilient programmes minimise loss, aid timely recovery and ensure brand confidence.

Now, and even more into the future, we will see the increased use of technology to conduct almost every aspect of business. Everything will move to virtual applications. This was made very clear to me during a recent trip to London in January 2022. As I moved around the city, and observed the changes and dynamics compared to my last visit about three years prior, what stood out more than ever was the absence - or extremely diminished use - of paper currency. At no time during my two-week stay did I use paper currency or coins. Every purchase and transaction was done electronically.

SO MUCH FOR THE GENERATION OF THE ARMED ROBBER... OR IS IT?

That dynamic has clearly changed, as less cash is required for transactions. This means less cash will be carried by persons, which also decreases the sums available on-site at businesses. Enter the ‘cyber criminal’ and armed robber of sorts, perhaps not as violent, but one who is certainly very dangerous.

Security in its purest application must be anticipatory. It must forecast potential loss opportunities or attack vectors and, subsequently, close them. In its 2022 Tech Review forecast, MIT (Massachusetts Institute of Technology) lists 14 predictions as they relate to cyber security. At the top of the list is an anticipated increase in frequency and diversification of tactics used to penetrate systems. Change is good, but not under these circumstances, as this type of variation will cause security practitioners and end-users to always be playing a game of catch-up. They will have to adopt a reactionary approach to manage attacks, which is not ideal as it suggests that the penetration was successful and a loss has occurred.

The focus should be on forecasting what attack paths will be taken by monitoring the market and industry trends. This should be a team effort, as system monitoring is dynamic and can be overwhelming, especially for smaller entities. Substantial resources may be needed for this non-revenue generating activity. When we see that approximately 85 percent of small businesses think they are safe from attacks such as data breaches, malware, viruses and the like, we know that the exposure is much greater than what is reported. The delusion that these companies are not targeted because of their size is, in fact, the exact reason they are targeted.

Aggressive, persistent cyber and privacy attacks will continue to be driven by the large financial gains they can bring. In 2021, it was estimated that the loss and damage resulting from cyber crime was around $6 trillion globally. This is a 100 percent increase from the $3 trillion reported in 2015. But these numbers are speculative at best. In my opinion, the cost is much more. There will always be individuals and companies who, for various reasons, will not report loss events.

The rapid pace at which COVID-19 accelerated this high reliance on technology has created gaps that many companies are still trying to close. The idea that this risk will be subdued is unrealistic. Even if we see downturns in attack vectors, we should only expect this to be temporary. As such, governments must work closely together to implement stiffer penalties that cross borders. This is easier said than done, as some countries are themselves promoting and sponsoring attacks that fit their own strategies. But when we consider international law enforcement’s collaboration in fighting human and drug trafficking cartels, it is only reasonable to conclude that jurisdictional cyber shield-type initiatives must be implemented. We see steps being taken such as the European General Data Protection Regulation (GDPR); the Chinese Personal Information Protection Law; and the Californian Consumer Privacy Act, which have introduced heftier fines for companies and longer jail time for criminals. These rules force standardised compliance, and make it more difficult for criminals to evade punishment.

Technological innovations must continue to do just that: innovate and adapt. The threat is real and continuous. We are aware that phishing, hacking, scamming and extortion remain the most common and reliable means for penetration considering our continued reliance on electronic transactions. Novelties such as Artificial Intelligence (AI), which were once restricted to the financial services industry for fraud detection, must now be rolled out in some form or fashion, and be more available to the population at large.

Companies of all types should conduct risk assessments with an emphasis on cyber risk. This should be conducted on their environment to help determine the current exposure. The misconception is that your company has robust programmes, but that does not extend to vendors and third-party service providers. An assessment should be completed not only by each of your business units but also by your business partners. This action will provide practical data to the business that will allow it to develop a strategy and tactics to shore up high-value assets, products and services that are at risk. Your cyber security initiatives are only as secure as the internal and external partners participating in the endeavour. If these stakeholders are not up to par, then relationships will be negatively impacted or even severed.

As always, a proactive mindset enhances prevention, preparedness, and response tactics. We are reminded that this is a war, and cyber security should be approached as such.

NB: Gamal V. Newry is the president and senior consultant for Preventative Measures. He brings over 35 years of insight and experience to the table as it relates to crime and security risk management. Comments, inquiries and questions can be sent to info@preventativemeasures.org
