Event Recording

R.O.N. - Return on Negligence – The Impact of Cybercrime

The cost of doing nothing is something that today we have to factor into many aspects of our lives.  Inaction hurts and we’ll briefly talk about the 6 degrees of separation for the connected areas that are impacted by Cybercrime.  There is more at risk than what can be solved by technology.

Very much. And, and I do have to say that I love the panelists. That said, dealing with money is cool because I am in the finance industry. So that, that was a nice lead in. It was great to see the, the interaction so that when we look at the investments that we're making, and I know that all of us that we were in, in any sort of business or any sort of enterprise, we always look on our return on investment. I wanted to give you something different to think about. And I know I use return on negligence and of course everyone thinks negligence is, is a strong word. And, and it is. But in, in the, the big scheme of things, let, let's simplify it and we'll call it, you know, doing nothing. So basically what's the cost of doing nothing? And, and everyone who thinks cost right away, you immediately think financial.
You think some sort of remuneration. There's money involved, but we should consider what is nothing. And, and this actually happened on, on the way into the office this morning. I'm sure a number of you can see these. I'm sure you have badges to get into your buildings or into secure data centers or whatnot. I left, came in, I was all excited to attend the, the, the KuppingerCole conference and I forgot my badge. So, and now traditionally when I get home, I throw my badge in my laptop bag and it, it's not a big deal this time. I, I actually did put it in there, which is the positive side of the story. The not positive side is if I would've come into the office without it, the, the cost of doing nothing was I wouldn't be able to get a coffee in the morning because it's not on my floor.
I would not be able to use the restrooms, I could not use the elevator, I could not get in the parking garage. Only a few of those things actually cost me money. The rest of those things are downstream effects. And what I'm gonna give you here and what we're going to talk about is not the negative impact that's going to cost you money, but the downstream impacts. And I'm sure a number of these reasons come across your minds. So when you don't do anything and when we think, think about how we're protecting our enterprises, a number of these terms, and, and this presentation is available for you afterwards as well. When you look at these terms, I'm sure some of them may have applied to a few of you at least, you know, it's not something I need to do, it's out of my budget.
I plainly forgot to do it. I didn't upgrade these systems. My favorite are the middle ones where there was no compelling event. It's not gonna happen to me. And yes, some of these things may be true, but, but there is a downstream effect. So if I didn't upgrade a system, what's going to happen? So we need to take a look at, at cyber crime. Cyber crime is such a huge area and, and I picked six of them, seem to be a common number to work with. Now we each know that each topic breaks down into smaller categories and all of them could affect our enterprises. I'm in the financial space, but I'll talk about manufacturing, talk about a few other areas. I'm sure when we look through different Analyst studies, different reviews, these seem to be the six most common forms of, of cyber crime. And, and each one of them, like I said, has separate subcategories. So I'll touch on a few of them to give you some ideas, but if some other ones come to mind, feel free to reach out. And my email and contact information is part of the, the agenda. And you are welcome to reach out at any time.
You know, when I think about this again in the bank, you know, I think is it all about money? So if I don't do something, am I going to pay a fine or, or what's the actual cost? And, and there's, I want you to think about some different avenues. And this is the reason I mention my badge scenario because I will be quite honest, I really need that coffee in the morning. And that downstream effect is I wouldn't be able to get it if I didn't have my badge to get into the building. So let's talk about a few of them really quickly to give you some ideas. So we'll talk about identity theft. And this, this, this turned a little bit, so you have to excuse some of my artwork. I'm a cartoonist by nature. So my son came in and said, Dad, let's talk about, about different criminals.
So we quickly sketch something, and this is my little guy that I came up with, but he's a whole family. So you'll see him throughout the presentation. So if we look at identity theft and we look at what happens, identity theft is actually here and they're going to take something of you, your credential, your biometric, your information. If they steal your identity, they are taking, they can take money from you. As an enterprise, if someone steals my customer's identity, they've hacked into my systems, now it costs the bank money because now I have to reimburse the customer that's coming back. I have to repair systems, I have to upgrade systems, I may have to reissue credit cards, I may have to reissue things for the user. Things like insurance papers. So yes, you're right, if if identity theft happens, it's all about money. So let's look at maybe a manufacturing scenario.
So in a manufacturing scenario, there's process disruption, there's systems that may go down, there's a breach of some sort. So now my earlier criminal, he has a brother, you know, he's gonna come in and he's gonna take a look at my organization. He may breach infrastructure and stop a PLC from working or stop a machine from producing. We'll pick our automotive manufacturing. If I were to take an automotive manufacturer offline for the period of one day, the downstream effects are quite large. So yes, it will cost money that that money is going to be that they can't produce any cars, they can't sell any cars. They have people that are off the line working. Now of course there are people investigating the breach. All in all, again, it, it goes back to money, but the downstream impact is of systems, people, processes, and probably technology.
So again, back to money, denial of service. Anyone that's been around a computer since, since we became, since we came online with our windows desktops years and years ago have been subject to some sort of denial of service, I'm sure. So our threat actor comes in, threat actor is going to take your system down through a virus, through a breach, through unwanted emails. I'm sure you've all seen the TV shows where numerous popups have come up on laptops and have stopped people from working. So the downstream effects again, are people offline. Now, to me as a bank, if my systems are offline, my customers can't do banking transactions, which doesn't just impact me, but it impacts all of their retailers. So if my visa system goes offline for any, any period of time, they can't use their credit cards to purchase fuel, to buy food, to buy entertainment.
So that impacts a number of downstream people. So I guess what I'm trying to get at is, is the downstream impact is what I'm asking you all to think about. So again, we're back to money. Now there there's ways that that money impacts a number of people. So social engineering is probably our next one. And I'm sure any one of you has come across social engineering content where you've looked at a threat actor that has done some impersonation. Now think about social engineering where they've breached and come into a building, they've gained access to systems. Now they can do malicious things while they're there. We'll say social engineering assumes your identity kind of bordering on identity theft. Now that person can do things like do some banking, do some shopping. Basically create havoc. Me as a bank, I may never know that that has happened because the person still using their credit cards, still purchasing things.
But there are downstream impacts because out of all that money, someone has realized that there has been some sort of identity theft. There has been some sort of social engineering. So in come our police officers, yes, a contribution from my, my younger son and Heath wants his money back. So basically you notice the money's disappeared. I've had to reimburse my retailers, I've had to credit the person that's been violated. The biggest concern I have for all of you to think about if you don't do things to protect your enterprises is trust. Trust is a big thing regardless of industry. Mr. Mueller from Siemens was up earlier and I watched him and he, you know, out of 1100 locations that, that he has to protect it. It's not one industry, it's numerous industries, it's multiple types of infrastructure. It it impacts a number of things. So when I look at, when you break someone's trust, these are the things that I want you to think about.
So a tarnished brand, I I mentioned Siemens only cuz I watched him earlier and 300,000 employees around the world. Will you trust Siemens if they had a breach? Perhaps you will if there's no other alternative, but there's a number of things. What about reputation? So if myself being at the Royal Bank of Canada, we're Canada's largest bank, if there's a breach of any sort, we'll say there's a a, a consumer banking breach, not happening currently, but I'm just picking one as an example that will impact all of my services that I offer. Will people come to me for insurance? Will people choose to do investments with myself? Will it impact my reputation in the industry? There are top tier banks, second tier banks and global banks. RBC is in a number of countries around the world in a number of different areas. It's going to impact how people look at the bank.
A breach could also do things, and I don't wanna say impact information, but it could release information. So we all know about theft of client data, research data. Well that information, think about if if someone like an Amazon or a Netflix was breached, they know buying patterns, shopping patterns, location trends, that information, maybe they, they're not interested that you bought a tie online or that you watched a specific movie. But they do wanna know things like your location. They wanna know what you did, how much money you spend. And a lot of that goes into proprietary knowledge. So there's data. Before joining the bank, I was in a vendor space and this was a huge concern for us. There's a considerable amount of proprietary knowledge, patents, design information. So if that leaks out, you no longer have your competitive edge. Status is one that I was thinking about and, and status is, is unique because it impacts twofold.
So myself, coming from the vendor space, I used to do a lot of travel and I had very high status with a number of hotel chains and airlines. Now, if an airline is breached, do I still trust them? Do I trust them with my data? So yes, the airline loses its status, but I might as well, I may not choose to fly with that airline. So now I lose my points. I use my la I lose my lounge access. I may not stay with certain hotels anymore. Maybe my favorite location, favorite property. But if that brand feels that or if I feel I've lost that trust in that brand, it's, it's a big thing. So disruption of operations we've talked about, there's a number of downstream processes and that's what I'm gonna focus on to give you something to think about as we go. So we've gotta look at what you're gonna do and yesterday's technical session, I talked to a number of gentlemen over at wallock and they had a great example and, and I thought, I thought I'd bring it forward again.
So a business impact assessment is something that you may wanna consider an impact assessment of what happens if you have a breach from a cyber crime. Any one of those options, a business impact assessment will look at business processes and they're all the downstream ones. Take a look at your enterprise and your industry. Do some categorizations. I know there is the new German BSI standard that has come out that does some of this classification for you. But if you take a look at your process, pick a channel or, or a, or a domain or a delivery lane. I I pick manufacturing. Do your classifications. Green, yeah, fairly low relative risk. Yellow, yeah, there should be concerns. And red, yes, my hair will be on fire if something happens. If there is a breach, those risks now will impact downstream things like manufacturing, like systems. Those systems will impact my staff, will impact delivery, will impact my consumers that I buy things from.
So one of the things that I ask each of you to do is if you're thinking about why should I do this? Take a look at your enterprise, take a look at all of your business processes and not the how you fulfill an order, but, but start to finish what are the major capabilities that you offer and how you break them down. And this will give you a better idea of where to start. But more importantly is when do you start? And, and I hate to say it, but, but you really wanna start now. Take a look at your systems and, and this sounds, I don't wanna sound big brotherish, but something to consider is when you look at your environment and you've done your assessments, where should I target? Do I upgrade my systems for virus scanners? Do I protect my users? Do I protect my consumers?
I wish I could offer you a silver bullet that'll say this will protect your enterprise from cyber crime. I also wish I could say that these are the areas you need to watch for, but in the last panel you watched, risk is something that, that you can, you can track, but security you can't measure because it's, it's a dynamic thing. Risk you can take a look at and and identify it and quantify it. But your security protocols, that's gonna be up to yourselves. There's lots of great people out there in the industries that can help out. And you're also welcome to reach out to me anytime. I thank you for your time this morning and if you have any questions, please feel free to reach out at any time and I will open it up to the floor for questions.
Thank you very much.
So I don't have any questions from the online auditorium. Other questions in the room when it comes to what Danny just explained, when it comes to identifying what to do and why to do it, Are there any questions? Yep. Just a second.
Hello. My question is about enterprises that the core business is not related to IT, say a manufacturing organization without high dependency on technology in the manufacturing itself. So normally the budget always goes to the mainstream of the business, to the commercial part, to the manufacturing operations part. But for the IT and the security, it comes in the, the far end of the list. What is the best thing to start with if it's a new green field for this organization about security? What's your recommendation? What should I start looking for?
You, you know, it's interesting you pick manufacturing, but I, I can tell you in the banking space we're the same way. The people that get the most attention are the ones that make the money for us. Our consumer banking brings in the most revenue because we have live interactions. So those systems will get the most attention if it were insurance, again, producing the documents or bringing them on board. We have a large IT infrastructure, but the focus is put on the critical systems in manufacturing. Again, similarly, if one component were to go down, whether it was a system or a supply chain, an interaction with a vendor, if you're, I'm not sure if you're a specific industry, but we'll say outgoing, those are, and that will impact all the processes downstream. Definitely an area to target. If you are highly regulated, I think of oil and gas, I think of electricity. If you're in that type of area and the regulations dictate where you must be online and there's penalties if you're not, if you're delivering aerospace components, I would focus on those, basically the things that would keep you up at night if you were breached. That that needs to be your first target. And if, if you drop me a line from my vendor, vendor days like and just, I don't need to know your specific business, but if you let me know which industry, I'm happy to give you some examples.
Great. Thank you very much again, raise your hands for Danny Peru. That was a great presentation.
Thank you very much.
