Tag Archives: KPMG

“International tensions heighten cyber security risks” warns KPMG

Malcolm Marshall – UK and global lead in KPMG’s cyber security practice – has commented on the impact that international political disputes can have on organisations’ ability to conduct ‘business as usual’.

“While attention is focused on the search for resolutions in the ‘corridors of power’,” stated Marshall, “businesses need to be ready to defend themselves, as the cyber space in which they operate increasingly becomes the new battleground.”

Marshall continued: “Businesses are so focused on cyber attacks by organised criminals that it’s easy for them to ignore the possibility of being targeted by groups wanting to make a political point, possibly even with backing from a hostile Government.”

He went on to comment: “Over the past five years, the international business community has seen a number of incidents where websites have been hacked so that political messages can be uploaded where they will receive widespread exposure. The Syrian Electronic Army is just one example among many. ‘Hacktivists’ are certainly more active during periods of international tension, but the next step is the one that businesses should be wary of.”

Malcolm Marshall of KPMG

Malcolm Marshall of KPMG

KPMG’s cyber leader explained: “Cyber attacks are becoming part of international conflict, and it seems that probing cyber attacks are likely to be the first element in the hostile phase of future conflicts. The well-worn phrase about who has their ‘finger on the button’ has taken on a new meaning. This is something that banks, financial institutions and global businesses need to consider. After all, the ability to disrupt electronic trade, divert funds or overload IT systems so that transactions cannot be completed may have an effect that stretches far beyond the geographies where disputes are raging.”

In conclusion, Marshall said: “This doesn’t mean organisations should panic and ‘bunker down’. What it does mean is that, just as scenarios are planned to help in dealing with major physical security breaches, so organisations need to put plans in place that recognise we now operate in a world without cyber borders. If businesses can successfully build these defences and take proactive steps to protect themselves, they will reduce the chances of inadvertently becoming embroiled in a wider dispute.”

Vehicles should be ‘Secure by Design’ when it comes to cyber security

Maintaining the cyber security theme, Wil Rockall – director of information protection within KPMG’s cyber security practice – has voiced his opinions on news that security experts have developed technology that would keep automobiles safe from cyber attacks.

“As the automotive industry increases the level of technology used in new vehicles,” said Rockall, “the nature of the threats faced also increases, particularly in the form of cyber attacks. These attacks could potentially allow cyber criminals to penetrate in-car systems, either using physical interaction or by seizing control through attacks over the Internet.”

Typically, a connected car network has over 50 potential access points for a cyber attacker, and this will only increase as the level of technology integrated within cars escalates.

“Three years ago, criminals sought access to vehicles by stealing the keys,” asserted Rockall, “but today three-quarters of cars stolen in London are stolen without them, principally through electronic methods.‎ It’s important that cyber attacks don’t become physical ones because manufacturers are unable or unwilling to design-in security.”

Rockall believes the automotive industry needs to invest in creating systems that are securely built and well-tested, with capabilities that can be improved as threats evolve and vulnerabilities are discovered.

The public must be able to trust the new systems put in place, suggests Rockall, and be confident that when operating their vehicles a ‘crash’ isn’t going to be caused by cyber attackers.

“Simply introducing a car ‘security product’ isn’t a strong enough defence,” urged Rockall, “and neither is it a wise strategic direction of travel for the industry. We should look towards making vehicles ‘Secure by Design’. This will provide security measures aimed at preventing vulnerabilities from being ‘attackable’ rather than accepting flaws in design and masking them with a third party conventional security product.”


Leave a comment

Filed under Uncategorized

Going beyond law: businesses demand cyber expertise from legal teams

A rising level of threats to business, and increasing numbers of regulatory requirements, are combining to ensure in-house General Counsel are no longer focused solely on company legal matters. Instead, a new report from KPMG reveals that in-house lawyers’ work is dominated by commercial decision-making as Boardrooms seek validation of their business and operational plans.

The ‘Over the Horizon’ report, which is based on a series of in-depth interviews with General Counsel, reveals that senior in-house lawyers have adopted six new core functional responsibilities in addition to their role as legal advisers. Chief among these is a focus on cyber security, as concerns rise about the risk of data breaches brought about by human error and intentional sabotage.

Malcolm Marshall, global head of cyber security at KPMG, states: “In the last five years we’ve seen cyber security move from the back room to the Boardroom and, in extreme cases, the court room. Against this sort of backdrop, few people will be surprised to see it come in as the fastest-growing risk for General Counsel. That’s why in-house legal teams should have a seat at the table providing advice about the policies and vigilance required to tackle cyber risks for business.”

A rising level of threats to business, and increasing numbers of regulatory requirements, are combining to ensure in-house General Counsel are no longer focused solely on company legal matters

A rising level of threats to business, and increasing numbers of regulatory requirements, are combining to ensure in-house General Counsel are no longer focused solely on company legal matters

Expectations placed on General Counsel

In addition to the new focus on cyber security, the report highlights that General Counsel are now expected to manage:

• enterprise risks (such as geo-political events or technological failures)
• a rising tide of regulation as the ‘new regulatory norm’ increases global compliance demands
• corporate liability for the conduct of third parties
• execution of contracts (in addition to long-held expectations around the negotiation and drafting of contracts)
• flexible approaches to dispute resolution rather than an outright reliance on negotiation

KPMG’s analysis goes on to reveal that there is a growing demand for in-house lawyers to conduct due diligence of suppliers, customers and other business parties as corruption through the supply chain is tackled through increasingly tough legislative and judicial actions.

According to the report, senior executives are also turning to their legal teams in recognition that their professional training ensures General Counsel can ‘take on complex issues, distil them and arrive at a sensible conclusion’ (with many respondents indicating that their lawyers are more likely to find solutions to common business problems than colleagues in other business departments).

David Eastwood (global head of contract compliance at KPMG) comments: “As General Counsel roles become weightier, so lawyers are making themselves indispensable as managers of risk and complexity. General Counsel who navigate this well will see their stock rise significantly. The challenge for General Counsel, of course, is that as their stock rises so do the expectations.”

Eastwood continued: “It means the pressure is on for General Counsel to demonstrate the right blend of legal and business ‘savviness’. Those that grasp this opportunity will shape the long-term development of their organisations.”

Leave a comment

Filed under IFSECGlobal.com News

Traditional ‘low tech’ fraudsters make hay as organisations focus on ‘high tech’ attacks

KPMG’s bi-annual Fraud Barometer has shown a high volume of fraud cases prosecuted in the past year, but at much lower value levels than recorded in previous years (the average case value this year being £2.9 million compared with £6.1 million over the last five years).

The report also shows that, while fraudsters are at the cutting edge of technology – attacking banks in the virtual world, for example – some have reverted to ‘paper and pen’ as organisations focus their security efforts on technology-driven defences.

Hitesh Patel, UK Forensic Partner at KPMG, commented: “It’s certainly the case that we have seen fraudsters using very clever high tech frauds to attack banks, businesses and local authorities, but we’ve also seen some of the biggest frauds in more low tech scams. As old forms of transactions, such as cheques, are phased out, so organisations are focusing on developing sophisticated lines of defence. Yet, rather than putting criminals off, many fraudsters are ignoring the challenge of triumphing over technology in favour of using simpler methods of deception.”

‘Old-fashioned’ habits die hard

The data shows that con artists still rely on ‘old technology’ to perpetrate fraud, with a number of schemes in 2013 based on counterfeit cheques.

In one strikingly simple case a local Government employee processed cheques for legitimate payees using disappearing ink. She secured the signatures of senior management for cheques reaching a total value of £162,000 and waited for the ‘payee’ details to disappear before substituting them with her own name.

In a case worth £20 million a businessman paid a series of worthless company cheques into an account based in the UK. He – and the gang involved – succeeded in transferring three-quarters of the funds into a foreign account before suspicions were raised and the account was frozen.

Another case involved a conman who attempted to buy £1 million of cars by visiting dealerships on six occasions, paying by cheque for an Aston Martin, Maserati, Ferraris and a Bentley. The man was caught when the cheques bounced and one of the dealerships visited his home to reclaim the vehicles.

Hitesh Patel of KPMG

Hitesh Patel of KPMG

Fraudsters’ determination to focus on the so-called ‘old-fashioned’ scams and avoid elaborate methods of deception is also evident through a resurgence of cases involving tax rebates, loans and mis-selling.

Combined, these three forms of fraud totalled more than £343 million – up from £41 million in the previous 12 months. This trend shows that, although the motivation to deceive comes in a variety of forms, many criminals are still prepared to rely on the traditional conman artistry of making financial gain through misplaced trust, attacking people’s vulnerabilities and sensibilities.

Virtual world becoming a home to fraudsters

Meanwhile, there were cases where banks and businesses were attacked online, with fraudsters using computers, turning to robotics and malware in an attempt to avoid detection.

One example involved eight people arrested in connection with a £1.3 million theft by a gang who took control of a bank’s branch computer system. They had placed a ‘keyboard video mouse’ and 3G router on one of the computers inside the branch when one of the fraudsters posed as an engineer, saying he was there to fix computers.

The ‘fix’ enabled the gang to control computers remotely using code and surveillance to find holes in organisational cyber defences and transfer money into different bank accounts.

In another case, fraudsters posted fake adverts for work at Harrods on a website as part of a £1 million scam to trick desperate job hunters out of their savings.

The con involved writing ‘Trojan’ malware which was hidden in job application pack downloads posted on the free website Gumtree. Once embedded on computers, the software copied bank log on and security details of those seeking work before forwarding them on to the criminals who netted in excess of £1 million.

Bribery and corruption on the radar

Despite organisations seeing a decline in internal cases of fraud, the latest KPMG Fraud Barometer highlights the first prosecutions under the UK’s Anti Bribery and Corruption legislation.

In a case adding £23 million to the total figure in this year’s Fraud Barometer and relating to the purchase of 6,000 hectares of land in Cambodia bought through senior military officials based in the country, three senior executives have been charged with making and accepting a financial advantage in breach of the Bribery Act.

As well as focusing on how they were able to purchase the land, the case examined whether the company missold bio-fuel investment products after the authorities were alerted to the possibility they were providing false information to clients.

“The pressure to compete lies at the heart of attempts to bribe and corrupt,” said Hitesh Patel, “and the old adage of every person having their price is now much more likely to trigger criminal repercussions.”

Continuing this theme, Patel concluded: “The UK has seen its first corporate prosecution under the new anti-bribery legislation. With it being widely known that other cases are in development, fraudsters may begin to fear the ramifications of being caught. If guilty verdicts are returned and heavy punitive measures imposed, perhaps we will start to see people thinking twice before attempting to corrupt others in the pursuit of unfair advantage.”

Leave a comment

Filed under IFSECGlobal.com News

‘Invisible criminals’ set to replace people as biggest perpetrators of fraud

Computers, rather than conmen, are set to be the future face of fraud as criminals turn to robotics in an effort to avoid detection.

According to the latest report from KPMG, organisations are set to battle against so-called ‘seeker bots’ defined as self-learning and self-replicating Artificial Intelligence that will render the faces of criminals invisible.

KPMG’s Profile of a Fraudster report is based on the analysis of 596 fraudsters investigated by the firm between 2011 and 2013. Based on the modus operandi of fraudsters’ crimes, the report predicts that traditional fraudsters (identified by KPMG as 36–45 years of age, acting against his/her own organisation and in executive positions) will be replaced by ‘seeker bots’.

Infographic produced by KPMG KPMGInfographicFraudsters

These ‘bots’ will be designed to continuously test a company’s cyber defences in an attempt to find a ‘hole in the fence’, meaning that attempts to second guess or pre-empt tactics used by real people will not always be worthwhile.

The KPMG report warns that, on finding a gap, the bots will analyse the potential for fraud and then launch a highly specialised ‘attack bot’ uniquely designed to suit the type of business, size, infrastructure and data set-up of the victim. The ultimate aim will be to remove assets to a virtual delivery location which can then be accessed by the fraudsters.

Taste of things to come

Hitesh Patel, UK head of forensics at KPMG, commented: “This is not science fiction, but a taste of things to come. We are already seeing highly trained hackers link up with the organised crime network. The ‘faceless’ criminal is not far away. Cyber crime is already on the rise and we expect cyber attacks and high-tech fraud to grow exponentially.”

Hitesh Patel: UK head of forensics at KPMG

Hitesh Patel: UK head of forensics at KPMG

KPMG’s report argues that, to unravel the frauds of the future, the best investigators will be those who are able to reduce large amounts of data to identifiable events. Yet some skills will remain as current tomorrow as they are today, with successful defence requiring an ability to operate seamlessly across borders, sharing corporate intelligence to ensure quick historical and geographical reach enables organisations to track ‘bot behavioural patterns’ as swiftly as they happen.

At the same time, the report reveals that the criminal(s) behind the changing face of fraud are by nature collaborative, preferring to collude with others instead of following the perceived stereotype of a reclusive loner.

The data shows that the proportion of cases involving collusion rose from 32% in the 2007 survey to 61% in 2011 and 70% this year. In many cases, perpetrators were highly respected (39% of all cases analysed), regarded as sociable (35%) and/or an extrovert (33%).

Patel added: “A few years ago, hackers were motivated by political objectives and seen as disruptive influences targeting computer networks to make an ideological point. Most were seen as individuals trying to make a name for themselves. However, with an ability to master Artificial Intelligence, it’s only a matter of time until the fraudsters harness the full power of technology to enrich themselves and criminal organisations. That is unless legitimate businesses take steps to defend themselves.”

He concluded: “A plausible person is no longer needed to present a stolen cheque to a bank teller. All that’s needed is a hacker who can access a protected computer network. Perhaps human features and emotions will no longer be a significant part of the profile. Instead, electronic features, signatures and behaviours may be all that a victim organisation will know of the cyber fraudster.”

Copy of the full report

Leave a comment

Filed under IFSECGlobal.com News