Cybercrime is evolving: is your business keeping up?

*This article was originally published in the Business Insights section of the HSBC website on August 17, 2023. For more business insights, please visit hsbc.ca.

Matt Charette, Director of Cybersecurity and Alex O’Donnell, Director of Operational Resiliency, Payments Canada discuss ways to protect your business and minimize the impact of cyber threats.

Cyberattacks pose a threat to all organisations, with scams becoming increasingly sophisticated and harder to spot. But putting robust risk management processes in place and evolving your approach can help your business stay resilient.

• Cyber fraud through business email compromise is on the rise.
• Awareness of evolving cyber trends can help you build and adjust controls to protect your organization and minimize the potential impact.
• Awareness across the organisation remains key, along with embedding a speak-up culture.

Even the most prepared businesses can fall victim to cyberattacks. “No matter how secure your organization, it's not a matter of if, but when an attack will happen,” warns Matt Charette, Director of Cybersecurity, Payments Canada.

All it takes is one fraudulent email or one person clicking on a fraudulent link to open the door for fraudsters to steal your sensitive and confidential information, explains Regina Rodriguez, HSBC Head of Wholesale Fraud, HSBC Bank Canada. She has seen many businesses invest substantially in protecting themselves from cybercrime still fall victim to it.

That said, there is plenty you can do to help reduce, monitor and mitigate the risks your business faces, as we explain below.

Fraud and cyberattack trends to be aware of

With the increased use in digital banking, Cyber fraud has seen a recent spike and is growing in prevalence, according to Rodriguez. She says business email compromise is the most seen — where customers or suppliers receive fake communications that instruct them to change payment details so that payments are made into fraudsters accounts — is getting very specialized and much harder to spot.

Another example of business email compromise is CEO impersonation, where a scammer poses as the CEO or CFO and though a fraudulent email and asks for an urgent payment to a third party or directly to them. These fraudulent communications are getting more sophisticated and can be practically undetectable, says Rodriguez. Scammers use company details, such as email addresses or phone numbers that are almost identical to legitimate details, with just a slight change.

Charette says scams through texts, emails and links, text messages or voice calls continue to be “probably the biggest initial attack vector for any organization.” Fraudsters impersonating bank staff and telling your customers there's something wrong with a transaction and encouraging them to provide usernames, passwords and PINs are still common.

What’s more, scammers are causing damage with increasing speed, moving from an initial foothold within an environment to a lateral movement that impacts systems much faster. And malicious actors, such as access brokers, who steal people’s credentials and sell them to other attackers are relying less on malware and more on using legitimate credentials illegitimately, which leaves them to operate undetected.

Charette says that understanding these trends and threats is important, so you can build and adjust the appropriate controls to protect your business and minimize the impact, if the worst happens.

Supply chain attacks are hitting all sectors and have been particularly detrimental in recent years, says Charette. “These attacks have the potential to inflict widespread damage because they exploit trust that we have in the software and the services our businesses rely on.” With digital ecosystems so interconnected, it can be easier for attackers to exploit vulnerabilities along the chain, targeting less secure organizations earlier in the supply chain to reach their objectives further down the line, he says.

And these malicious actors are increasingly well funded, with resources to develop sophisticated, widespread breaches across multiple sectors.

Ways you can help mitigate evolving cyber threats

Building resilience within your organization is crucial, says Charette. Prioritize how you would respond to these threats and have systems in place to build and adjust controls to protect yourself and minimize the impact, if they are realized.

Doing your due diligence with third-party suppliers, establishing guardrails and regular touchpoints are all key to mitigating supply chain risk, explains Alex O’Donnell, Director of Operational Resiliency, Payments Canada. For new or renegotiated contracts, assess their security practices and embed your security requirements into the contract. He also advises being proactive through onsite visits to vendors, learning where they host their technology and asking for independent assurances or audits, to understand the different controls they have in place.

Risk management should also be ongoing, so use vendor touchpoints to bring up risks such as fourth and fifth-party relationships. Understand how their vendors are performing and make sure you are “really getting into the weeds and making sure that risks don't evolve or morph over time,” says O’Donnell

Raise awareness across the organization and encourage a speak-up culture

It’s crucial to encourage a risk culture mindset in every employee, O’Donnell explains. Embed common expectations, knowledge, attitudes and understanding of risks and how they could affect your organization. Then give staff the training and awareness they need, such as best practices for passwords and reporting suspicious communications, as well as training on emerging threats.

“At the end of the day, risk management is everyone's responsibility. It's not the risk department. It's not the fraud department. It's everyone across the board, holistically, managing the risks and making sure it's within the organizational risk appetite,” says O’Donnell.

For Rodriguez, staff awareness and embedding a speak-up culture and creating a safe space for colleagues to report and share any concerns or suspicions is fundamental to helping to prevent a fraud attack.

Set up the right tools and carry out regular reviews

Getting the basics right can go a long way towards protecting your business. “My advice would be to invest in threat intelligence,” says Charette, who believes understanding your threats drives everything.

O’Donnell agrees that every organization should have a robust information security management system in place that identifies the operational and technical controls required for the threats it faces. Where vulnerabilities are found, with either the software or systems a business relies on, businesses should use a methodology for mitigating those.

You can then review those controls as regularly as makes sense for your business context. For O’Donnell, it is about never being comfortable, and “always surveying what that external threat environment looks like and understanding all the threats that could impact your organization.”

Charette advises rehearsing scenarios with your organization, such as what you would do if you were to suffer a ransomware attack, “because you don't want to be asking yourself those questions in real time.”

By putting these approaches and tools in place and staying vigilant, your business will be in the best position it can to withstand current and emerging cyber threats.

If you’d like help and guidance or are not sure where to start, your relationship manager can offer you information on security threats.

“There's a lot of framework policies available, and tools on how to actually identify and assess risk and better make those risk-based decisions that each and every one of us make on a day-to-day basis,” says O’Donnell.

Learn more about Canada's payment clearing and settlement infrastructure.

Reach out to your relationship manager and HSBC Cybersecurity & Fraud hub for more information.