Gone are the days of cloaked hackers in darkened basements launching attacks; instead, cyber-security professionals are now facing organised cartels of digital terrorists determined to make profit off any gaps they can exploit within corporate and government bodies.
For Cayman entities, including those within the financial services sector, these threats are real, and the damage can be catastrophic if they fall victim to any breach.
“In financial institutions we see phishing many times to be the start of what we call business email compromise [BEC],” Alexandra Forssell, Deloitte & Touche LLP risk advisory director explained in a recent interview with the Cayman Compass.
Forssell is one of a team of cyber-security experts charged with fortifying a defence against breaches, monitoring against attacks and guarding core data for many multimillion-dollar entities here and globally.
In Cayman, she said, there have not been many reported major attacks, but there have been instances of cyber incidents.
“We see a number of those [BEC] attacks in financial services which pretty much starts [with] someone clicking on some document or clicking on some link. Their credentials go somewhere, and the attacker inserts themselves in the middle… they compromise the emails, get the details and that could go several ways,” she said.
That can range from transferring money elsewhere, which becomes a financial crime, to a data leak in which information is pulled and held for ransom, one of the growing types of cyber crime: extortion.
Cyber attacks on the rise
According to statistics from the Royal Cayman Islands Police Service’s Digital Forensic Hub, six phishing investigations were launched between January and May, which equals last year’s overall total of such probes.
During the same period, the hub investigated 21 fraudulent uses of information-and-communications/broadcast-and-communications technologies, along with three misuse-of-computers investigations.
Cyber forensic operative and hub office manager John Watson, in an interview earlier this year with the Compass, said he had seen an increasing number of attacks that mimic local banks.
He pointed out there has been a specific uptick in a number of SMS messages circulating, directing people to fake websites which often pretend to be from local banks or companies.
These messages, he said, are along the lines of: “We’ve received an unexpected payment out of the local supermarket. If this is not you, please go on to here”. He explained that through that process, “what they try to do is what we call ‘credential harvesting’ where they’ll try to get people’s details, including the bank details”.
Deloitte & Touche LLP risk advisory director Wayne Green pointed out that phishing attacks can come in many forms, with some of the top global brands being “spoofed” in scams.
“Zoom has exploded in popularity the last 24 months or so. Apple is another example [of brands being spoofed]. The attacks are agnostic… they’re going after everyone, every sector. It’s not that they’re favouring any one particular industry over another. The attackers are going after anything that forms some sort of value, intellectual property, commercial information,” Green said.
He added that the Federal Bureau of Investigation’s IC3 Internet Crime Report (2020) showed losses from internet crimes increased from US$1.5 billion in 2016 to $4.2 billion in 2020, with phishing seeing the highest growth.
Verizon’s Data Breach Investigations Report 2021 said that BEC breaches cost – on average – between $250 and $984,855.
Green and Forssell both agree cyber criminals now work as organised cartels and team up when attempting takedowns, which is why a similar joint approach to cyber security is needed from all stakeholders.
Pandora Papers and protection
The recent news of one of the largest-ever data leaks, the Pandora Papers, made international headlines with 6.4 million documents finding their way into the hands of the International Consortium of Investigative Journalists.
The data leak shone a light on connections between the wealthy and politicians and on how transactions to avoid taxes are completed.
The release of the information, as reported by the BBC, revealed hidden wealth and, in some cases, tax avoidance by some of the world’s rich and powerful, but it did not point to any illegal acts.
Jude Scott, CEO of Cayman Finance, in an emailed comment on cyber security, said the Cayman Islands is a leading international financial services centre because it complies with the highest global standards.
“This is also reflected in the industry’s approach to cybersecurity. Industry firms take cybersecurity seriously as they consider best practice guidance from the Cayman Islands Monetary Authority, the SEC (Securities and Exchange Commission), and others that enable firms to use suitable risk-based approaches in the design, development, and oversight of policies and procedures to address known, anticipated, and new cybersecurity threats, including those presented by remote working,” he said.
Forssell said there has been a positive trend locally in investment in, and awareness of, cyber security.
A number of industry players, she said, have contributed to this, from government campaigns for Cayman to be cyber safe to industry organisations like CIMA, the Chamber of Commerce and other professional service entities educating their members on the issue.
Awareness and vigilance
The cyber-security experts both agree that vigilance and employee awareness are key factors that can be the difference between an attack succeeding or being stopped in its tracks.
“We have a lot of threat intelligence that we gather ourselves. Any critical threat intelligence that we gather, we actually share in the local market. We look at it as a plus that organisations can benefit from this information, just as an FYI,” Green said.
He said a typical attack like ransomware can start with a phishing email.
“Once the bad actor gains initial access, they will conduct reconnaissance on the systems and organisation to gain an understanding of how everything works. The bad actors will then elevate their privileges to a ‘super user’ and then begin to exfiltrate data from the system(s). Upon completion of the data exfiltration, the bad actors will then initiate the encryption of the data,” he said.
Having encrypted the data, the attackers will then demand funds, usually cryptocurrency, to return the information or threaten to release it.
Forssell said it is important that companies have a plan to respond to such attacks and regularly conduct risk assessments to prevent any potential threats.
“Part of dealing with the incident response is not to focus just on the technical side. You need to understand what the impact is from a business perspective. You need to understand what you are dealing with… is it a data breach? If it’s a personal data breach, how do you communicate it to the Ombudsman’s Office? How do you need to communicate to the data subjects, if anyone is affected?” she said.
This, she said, is why having a plan in place in advance of any cyber incident helps companies to manage. An emerging trend, Green noted, is zero trust, where multi-layered protection is deployed to guard against any suspicious attacks or data breaches. It also involves limiting exposure of users’ information and access to data.
Cayman, Forssell said, has legislative protections such as the Data Protection Act and other cyber guidelines in place to shape the local cyber landscape, and companies should familiarise themselves with all available information to keep their data safe.