21 February 2011
A new paper released today by the Australian Institute of Criminology (AIC) has found that although the financial and insurance industry is one of the more sophisticated users of information and communications technologies, there is still a need to maintain vigilance with respect to emerging cybercrime threats

Cyber threat landscape faced by financial and insurance industry analyses data from the 2008 Australian Business Assessment of Computer User Security (ABACUS) study, an Australia-wide survey into the prevalence, nature, costs and impacts of computer security incidents against Australian businesses.

AIC Senior Research Analyst Raymond Choo said that although the financial and insurance industry is the ‘target of choice’ for cyber criminals, not much is known about the scale of their crimes and the impact it has the industry as a whole. “The financial and insurance industry’s increasing dependence on ICT and the size of the industry exposes it to a wide spectrum of financially-motivated cyber criminal activities.

“Rapid changes in technology mean we are still yet to uncover the true extent of cybercrimes committed against businesses,” Dr Choo said.

The paper highlights the need for effective partnership between government and business and the need to develop and implement on an ongoing basis preventative measures such as personnel awareness and education/training initiatives, together with insider and vendor management.

Summary

Cyber threat landscape faced by financial and insurance industry

Cyber crime is becoming increasingly pervasive and sophisticated, and appears to be growing in volume and impact. The 221 FIRs in the ABACUS survey estimated that the total financial losses due to computer security incidents during the 12 month reporting period were approximately $49m. (p4)

However, when asked about the most significant computer security incident that affected their business during the 12 month reporting period, 73 percent of financial and insurance respondents (FIRs) indicated that they had experienced no incidents. (p1)

Of the 34 FIRs who provided a substantive answer (either a yes or no) when asked about experiencing a computer security incident, and described the incident that caused the greatest financial loss to their business during the reporting period, approximately 38 percent indicated the incident involved malware. (p3)

The only FIR that indicated phishing as the most significant incident experienced by their business, estimated that phishing only resulted in financial losses of less than $1,000 during the reporting period. However, six of the non-FIRs who indicated phishing as the most significant incident experienced by their business, estimated that phishing resulted in a financial loss of between $10,000 and $99,999. (p3)

The study also confirmed what many suspected—the financial sector had one of the highest average costs per compromised record and an abnormally high customer turnover as a result of the data breaches. The ABACUS study reported

FIRs were more likely to experience incidents involving unauthorised network access than non-FIRs (3.2% of FIRs compared with 1.9% of non-FIRs). (p3)

Findings of the ABACUS survey in the escalating complexities of the on-line environment underscored the need for on-going training for employees and development of security protocols for companies. When asked about staff/user related policies, an overwhelming proportion of the 221 FIRs (81.9%) and 3779 non-FIRs (87.4%) indicated they did not have such policies in place. (p5)

The paper recommends countermeasures such as deploying technologies such as patching management systems, user awareness and education/training and insider and vendor management.