As you know, on Friday, May 25th, we hosted a webinar introducing our members and extended community to the intriguing world of cyber security.
Plenty of questions were answered by our panelists, who also provided us with excellent tips on how to best mitigate cyber threats and build a solid cyber security structure within a firm.
We would once again like to thank Dr. Nicholas Ryder, Professor in Financial Crime at UWE Bristol in the UK, and Ruslan Yusufov, Director of Special Projects at Group IB in Russia, for taking the time to cover this critical issue for Taxlinked.
If you missed it, please find below the full edited transcript for your reading pleasure.
There’s also a publication on personal data intelligence offered to our members by Ruslan and you can download it HERE.
Any Follow-Up Questions on Cyber Security?
If you have any additional questions for our panelists, please make sure to submit them below.
For now, here are some of the event’s main highlights!
Should hacking be forbidden in the absolute sense?
Dr. Nicholas Ryder: “I think it's one of those questions that really has no right or wrong answer. I think there are benefits to hacking and also weaknesses… In terms of it being forbidden, if you look at some of the attacks on some of the world's largest financial institutions like for example the USBC and NatWest and instances in America where ATM machines are being overtaken by organized criminal gangs, in that sense, it should be clearly prohibited… On the flipside, you then have the ethical benefits of hacking with the Paradise Papers and the Panama Papers clearly exposing a very controversial, some would argue unethical and illegal, link between tax evasion and tax avoidance. Now, under UK law, tax avoidance is not illegal but tax evasion is illegal. Where do you draw the line?”
Ruslan Yusufov: “Hacking per se could be used for good or bad. For example, penetration testers use the same schemes and they use the same instruments to understand the vulnerabilities of an organization or a business or to understand whether the threats are there and they help to fix those vulnerabilities…I wouldn't think that anything related to technology should be forbidden. Technologies are not good or bad, they are neutral. The people that utilize them to commit crimes, that is what we should fight against.”
What shifts have there been in cyber security these days?
Ruslan Yusufov: “People and businesses are negligent and still don't understand that cyber threats are related to them. They think it is not of their concern… Unfortunately, this topic of cybersecurity doesn't have as much attention as it should. I read a recent PwC paper that said that cyber threats are the number one risk for banking and capital markets. It is in second or third place for all corporate risks out there. So, it's not a geek issue, it’s not an IT issue anymore. It's the biggest risk for business… What we need to change is… understanding that cyber security is our number one priority in the broad sense as a society, as a country, as a business, as an individual.”
Can we predict cyber crime rather than simply respond to it?
Ruslan Yusufov: “That's what threat intelligence is for. For example, our threat intelligence system is intended to predict and prevent crimes, part of which is human intelligence, and we see it in many different marketplaces and forums and we read what hackers write. We see how their malicious software evolves and we understand how they are interconnected with each other. And some attacks we can predict before they happen because, for example, somebody is trying to understand how SWIFT works. And they sit and they discuss it together, so we think that probably there will be an attack on SWIFT and that’s what actually happened… Today cyber security is about building networks and understanding how the malware, the infrastructure and the threat actors are interconnected and what their plans are.”
How can an organization mitigate the risk of hacking? What should they be doing?
Ruslan Yusufov: “Today I would say…the first step would be changing your attitude. So any organization today needs to understand that [cyber attacks are] the real threat…I would recommend doing cyber security trainings because most of the attacks, even those first targeted attacks on banks, in the 80 percent start from a phishing e-mail. Each and every employee in the company should understand what a phishing email is, what they should do step-by-step after they click the phishing link, how they should open or not open any attachments to the email and so on and so forth. After that, from a technical perspective, I would recommend running a security audit probably in the form of penetration testing or some source code audit… You will fix those issues and only after that can we start talking about rebuilding the infrastructure because we need to first understand what the infrastructure looks like.”
How can an organization structure itself or how can a business basically have some sort of organizational structure that will actually help it maintain a proper cybersecurity program?
Dr. Nicholas Ryder: “I think what would be a possible weakness in the financial services sector is that when the financial crime report goes across the CEO's desk, it’s how much attention you pay to it. And, of course, if it's a cyber crime threat, maybe they’ve picked something, a possible attempted hack, they’re not quite sure, how much attention and priority does the company give to that potential threat… I think that maybe there’s an argument here for a compliance system to come in place and, if that compliance system isn't adhered to or followed, then people are fined, companies are fined and people are prosecuted.”
What do you think about money laundering with regards to the crypto industry and the transboundary movement of capital? What are the main challenges in this sector?
Dr. Nicholas Ryder: “From my understanding of crypto currencies, it is the anonymity which causes a particularly significant threat, that’s one point. The second point is that because the current UK AML regime doesn't appear to impose any reporting obligations on the use of the crypto currency, I think that's a major concern. What we're seeing is an extension of the terrorist financing model, especially with ISIS, where they may appear to be using Bitcoin, mine Bitcoin, and obviously gain access to finances… What we are seeing is the evolution of money laundering from money mules to cash-in-hand into the virtual world and this is going to become an ever increasing problem.”