BEYOND THE BUZZ
Today’s trending topics. All in one place.

EDITION 14 / JULY 2016

CONTROL AND SECURE YOUR ASSETS

Welcome to our next edition of BTB. This month we’re reaching into the critical arena of digitally enhanced cybersecurity. The news is full of examples of severely compromised companies, exposed to financial losses and damaged reputations.

Cybersecurity is a topic that deserves your immediate attention and action, for which we have developed a strong set of scalable solutions and processes. We hope you find and explore new ways of identifying and coping with these modern challenges inside. Thanks for reading.
Lanny Cohen, Chief Technology Officer, Capgemini

Cybersecurity talent: Look in the right places

Jérôme Desbonnet, Global Cybersecurity Chief Technology Officer (CTO)
Mike Turner Capgemini Group and Cybersecurity Chief Operating Officer (COO), Capgemini Group
The cybersecurity skills gap is growing exponentially. Where will the next wave of cybersecurity talent emerge from?
The cybersecurity skills gap is growing exponentially. Businesses are constantly finding new points of vulnerability as they digitize their processes. Where will the next wave of cybersecurity talent emerge from? And how do we nurture these resources to effectively respond to the evolving nature of cybercrime?

The cybersecurity skills gap is growing. Here’s where to find the talent to fill it.

In the last couple of years there has been much said—and just as much written—about the skills shortage in cybersecurity. This quickly widening gap can be attributed to two influences. On one hand, businesses across all industries are beginning to recognize the need for more robust security measures in all of their increasingly digital processes. At the same time, the skills needed to address these issues are becoming increasingly diverse. There is less information available, however, as to practical ways in which this gap can be addressed at an organizational level.

“It’s easy to find a company that can sell an off-the-shelf cybersecurity solution that addresses one area. But you need corporate knowledge—of the industry, of the business, of the people, and of the culture—to start understanding the total nature of potential threats to an organization. It’s a multifaceted issue.”

Cybersecurity is a big business, and the sizable paycheck associated with the field is a major attraction for many young programmers. But high staff churn and siloed, incomplete solutions mean that many aspiring security experts are disillusioned early in their careers, or they have fallen into the trap of selling Band-Aids for bullet holes.

Read the full article by Jérôme Desbonnet and Mike Turner to understand how cybersecurity threats have evolved, and what they’re doing to defend them.

Cyberattacks: big risks for business
In 2015, 300 million records were leaked and over $1 billion was stolen in cybercrimes in the United States. Due to pervasiveness of cybersecurity threats, many businesses still feel unprepared.

According to the 2015 Global Cybersecurity Status Report from ISACA:

  • 83% of organizations agreed that cyberattacks were a top-3 concern for them, but only 38% of organizations felt they were prepared for a sophisticated cybersecurity attack
  • 86% of organizations believed that there was a shortage of skilled cybersecurity professionals, but 54% of them acknowledged that it’s difficult to identify who has an adequate level of skill and knowledge when hiring graduates for entry-level cybersecurity positions
Read the full article
Share this article

Financial crime: How exposed are you to fraudsters?

Greger Wikstrand, CTO at Capgemini Sweden
Fraudsters prevail in all eras. How safe are your daily e-commerce transactions?
“Fraudulent transaction” is not a new term. Financial crimes or frauds have been an ongoing challenge since the era of traditional commerce. We are more vulnerable to these frauds when electronic money is involved. Let’s look at how these frauds happen and some interesting ways to curb them while engaging in traditional commerce, e-commerce, and invoicing.

In April, hundreds of people reported to the local police in Örebro, Sweden that they had received fraudulent invoices for Pizzas and other fast food that they had not ordered. It was a mystery with wide scale identity theft, intercepted pizzas, and bad payments. Let’s look at how an insecure e-commerce solution invited invoice fraud.
VIDEO In this video, Casimir Artmann and I talk about the Pizza invoice fraud.

Traditional commerce

In the early days of traditional commerce two persons would meet and decide on a fair swap. Money has eliminated the need for barter. Not so long ago, a consumer would enter a store with money and leave with products. There was by and large a unity of time and place that led to monetary transactions. Nonetheless, there were plenty of opportunities for fraud. A merchant could practice bait-and-switch: fake goods or advance payments for goods never delivered. Consumer fraud came in many varieties. He or she could buy things on credit without intention to pay, engage in shoplifting, or return goods that were never bought from the merchant in the first place, for cash back.

Before credit card fraud and invoice fraud there was checking fraud. The idea is the same, to have someone else pay.

E-commerce

In e-commerce, the unity of time and place for the transaction is inevitably broken. There are many versions of the flow but in general there are three main events in e-commerce:

  • A client places an order with the merchant
  • The client pays for the order via a payment provider to the merchant
  • The merchant sends the goods to the client via a logistics provider

I used an unordered list. This was on purpose. Sometimes the payment is the order; sometimes the client will pay before the goods are shipped. Sometimes the client will receive the goods first and pay later.

The more open the loop between payment and delivery is, the bigger the opportunity for fraud. If the customer pays well in advance, the fraudulent supplier might not deliver. If the customer pays in arrears, the merchant might never get paid.

VIDEO Watch this video to see me explain the problems with fraud in e-commerce in a bit more detail

Game theory and invoice fraud

Game theory has an answer to the problem of invoice fraud in e-commerce: tit-for-tat and reputation building. We don’t know how the fraud happened. Either the fraud was committed by malicious consumers intercepting pizzas before they were delivered, or malicious merchants sent invoices for non-existent pizzas. Probably it does not matter. Rather, we must look at how to prevent the problem.

What we do know is that the payment provider used game theory to stop the fraud. The only allowed existing customers of good standing to pay their online pizzas via invoices. As soon as there is something of value involved, there will be fraud, theft and crime. This example shows how small changes in the solution can have a big impact on its security.

The solution architect carries a heavy burden to design a solution that does not invite fraud. Sometimes the solution is there and proven, but we do not implement it; innovation is blocked. In conclusion, we have a duty to prevent and discourage crime when we develop a solution and we need to take this seriously.

Share this article

Held for ransom: your money or your valuable data

Jérôme Desbonnet, Global Cybersecurity Chief Technology Officer (CTO), Capgemini Group
Ransomware is the fastest growing type of malware. Learn how to avoid the nightmare scenario.
Ransomware is the fastest growing type of malware: 2015 saw the number of cryptolocker attacks double. The malware programs encrypt parts of a computer system and the user is asked to pay a fee (ransom) before files on the computer can be decrypted and made accessible again.

The nightmare scenario

It’s difficult to imagine the sense of shock and horror that people experience when they have been targeted with ransomware, but every one of us is at risk of attack.

You sit down to start work one morning. You switch on you computer and find that you can’t open any of your files – they have been encrypted and can’t be opened. Suddenly a polite message appears, demanding money for the files to be unlocked. A deadline is indicated, after which the files will be destroyed, and every day you delay in paying, the price will go up.

Is this really happening? How can it be happening to you? What did you do wrong?

Every type of business, from sole traders to global corporations, are at risk. The attacks are usually well planned, with time taken to find the right channels and vulnerabilities in order to attack at the weakest point. Computers often become infected when unsuspecting users are prompted to open a malicious email attachment.

In June this year, the University of Calgary became the latest organization to succumb to this crime and pay out to hackers: “The University of Calgary transferred 20,000 Canadian dollars-worth of bitcoins ($15,780) after it was unable to unwind damage caused by a type of attack known as ransomware.”

There are two main types of ransomware:

  • Locker ransomware – access is denied to certain drives, but data is not encrypted. Therefore, upon removal, there is less chance of damage or destruction of the data itself.
  • Crypto ransomware – data such as emails, documents, and pictures are encrypted and can’t be opened by the victim.

Government organizations are equally at risk from attack, with hospitals, schools, police departments, and local government organizations all being hit. Unfortunately, because encryptions are almost impossible to break (without the key), the ransom money is often paid, thus proliferating the problem by providing the hacker with funding and motivation to find the next victim.

The most successful hackers use principles of good customer service to make the payment process smoother for the victim, including an FAQ section, a guide to making bitcoin payments, and even helplines in the ransom note. This illustrates how confident the hackers have become and how well-developed their systems of extortion are.

A lack of planning is a lack of defense

Due to the constantly evolving nature of this crime, and the sophistication of the malicious applications, decrypting data is not normally feasible. In this case the most effective action is prevention rather than treatment. In some cases decryption is possible, but this should not be relied upon as a strategy.

Awareness and planning are areas that companies will be investing more money in the coming years. Awareness affects every end user and planning involves the backing up of data on unconnected drives.

Endpoint malware has become increasingly sophisticated, ranging from mass malware loaded with ransomware (as in the case of the Trojan “CryptoLocker”) to targeted in-memory attacks used in conjunction with zero-day application and OS exploits. With these threats in mind, 32% of North American and European security decision-makers are expecting to increase their endpoint security spending in 2016 by at least 5%.

This extra investment shows just how seriously companies are taking this risk. Hackers recognize that they can charge higher ransoms to companies, and companies are more likely to pay because the encrypted data might be crucial to the functioning of the business.

The role of the IT partner

To combat the threat from ransomware, companies need to take proactive, preventative steps to reduce risk and to increase their defense of the latest threats. The basic principles of security in IT networks are: training, establishing robust security processes, and making use of new layers of protection to reduce the risk of your network being compromised.

To reduce the threat of ransomware, companies should use protection against exploits and ensure that their security solutions include behavioral detection methods. These are all things that an IT service provider should have built into the cybersecurity strategy of their services. Effective disaster recovery plans and business continuity plans must also be in place in case the worse does happen, however.

Four practical steps to reducing the risk posed by ransomware

Below, there are four practical steps to reduce your exposure to ransomware:

  • Improve awareness:
    The first step in preventing infection with ransomware is to make users aware of the risks when opening attachments and hyperlinks to web pages. Increase awareness of online safety for both consumers and businesses
  • Set up governance:
    For companies it is important that users can only access the files they need for their jobs. This can help prevent contamination of data from other departments. Both the risk of contamination and their effects should be limited in this way. It is therefore important to achieve governance compliance in respect to the access and processing of data.
  • Drafting procedures:
    To minimize the damage from infection, it is also important to establish policies and procedures to maintain up-to-date computers and software, and to make regular backups of information for restoring data in the event of an incident.
  • Backup:
    To prevent data loss, you should, of course, ensure regular backups of valuable files are made and store these in an isolated, safe place. This type of storage policy also ensures that the backups are safe from a fire or burglary. Restore on a safe, clean system with no CryptoLocker to avoid an infinite loop of backup and restore. When an infection is detected, systems (either automatic or manual) should be in place to turn off the computer and disconnect network cables as well as peripherals to prevent further spread. Good antivirus software must be installed and kept up-to-date. Finally, learn from any CryptoLocker incident and apply an appropriate defense.

In an ideal world, nobody would pay the ransom. You should always, however, report the crime to the police. This provides more insight into the extent of the problem and helps in the fight against it.

The best form defense is to avoid being the weakest target. By using the advice above and an expert IT partner, I sincerely hope that you do not become a victim of ransomware.

Share this article

Tomorrow’s manufacturing plant: make it resilient and secure

Thierry Cornu, Manager, Industrial - Cybersecurity Offering, Capgemini
Digital manufacturing is the wave of the future, but are you exposed to hacking, espionage, or malware?
Achieving competitive advantage through the digitization of plant and processes is a given for today’s manufacturer. But what if that digitization comes at the risk of damaging competitiveness by opening the gate to cyber-attack? Should it stop your digital transformation journey, or does it simply require a new, more rigorous approach to security?

Calling a halt to the journey clearly isn’t the answer. After all, digital is already embedded in our day-to-day lives and digital manufacturers have the potential to deliver a great customer experience with the right digital capability, correctly used. Smart, connected products, assets, and operations are already yielding productivity gains, cost savings, and improved revenue for many digital leaders. At the same time, those leaders and others now following suit are quickly realizing that the digitization of enterprise business and industrial processes demands a new approach to protecting critical assets.

As a matter of fact, the plant networks, which used to operate in isolation, are rapidly opening to the outside world. On the one hand, manufacturers’ ERP applications are increasingly being interconnected with the shop floor through manufacturing execution systems and various other operational systems. On the other hand, data from machines, industrial robots, and all other kinds of industrial control systems (ICSs), including smart sensors and embedded systems, are now getting pushed to the cloud to be leveraged for predictive maintenance and data-analytics applications. More and more frequently, part of the production data is even made accessible from public networks, through social, mobility, analytics, cloud, and the Internet of Things (SMACT) technologies.

New vulnerabilities

The new layer of complexity that this brings results in numerous potential vulnerabilities. It also vastly enlarges the attack perimeter attainable by hackers. Indeed, industry leaders undertaking their digital transformation have to ponder two new kinds of risks: those linked to entrusting their sensitive production data to an external cloud environment, as well as those related to exposing their sensitive shop floor machines and automation-systems to hacking, industrial espionage, or ordinary malware. In the latter case consequences can range from loss of production to damaging production machines, or even to environmental, regulatory, or safety impacts in some industries.

So what’s the answer? Capgemini advocates a digital transformation strategy with a holistic approach of security at its core, encompassing not only technology, but also processes, people, and contracts. It is how the manufacturing industry can make the jump to greater mobility, big data, cloud and the Internet of Things, while safeguarding operations against cyber-attack and malicious internal behavior.

Key steps for safeguarding the digital enterprise

In this context, the first steps of the answer are often organizational: identify the business risks on the shop floor, inventory the sensitive data and the business-critical industrial control systems, and define the risk-management processes from the operations in the plant up to the executive board.

Protection comes next: define the overall security architecture of computer and industrial networks, by identifying security zones of various criticalities, and by defining the protection technologies to be used inside each zone as well as at the zone boundaries. Methods and technologies will somewhat differ from those used for the protection of corporate IT systems. As an example, automatic security patching is often impractical more often than not on mission-critical industrial systems.

Detection of, and reaction to incidents and abnormal events is the indispensable last step of an all-around cybersecurity approach. Once again, methods and technologies dedicated to industrial systems have to be used, for instance intrusion detection probes with a capability to dissect and analyze standard industrial control protocols.

So while your digital transformation has the potential to bring big rewards, it has to be with this focus on security.

Making cybersecurity a business enabler

Our industrial cybersecurity solution for the digital manufacturer delivers this sharp focus. As an example, we helped an industry leader to build its cybersecurity and information protection strategy and transformation program. This engagement spanned group infrastructure security, data protection in R&D activities, a SAP-based identity and access management (IAM) model, and industrial systems security.

Less than a decade ago, this level of security was largely unheard of. But as industry continues to rely on digital for productivity gains and to drive new business models, the only way to safeguard your business assets, intellectual property, and the end-to-end product lifecycle, is by turning the spotlight on cybersecurity as a key business enabler. Getting this right today will ensure the digital manufacturer of tomorrow is both resilient and competitive.

Co-authored with: Markus Rossmann

Share this article

Customer experience: Is your bank frozen in time?

Ramana Bhandaru, Vice President, Capgemini Financial Services
The winners in banking will be the ones who take advantage of digital transformation.
As a consumer I have increasingly high expectations from my bank. Digital is changing the way we use banking services. But are banks taking full advantage of opportunities? Are they even keeping up?

It’s easy to see how technology could enhance personal banking:

Charlotte uses mobile banking. She is in a store and she needs a higher credit limit on her credit card in order to make the purchase she wants. She logs into her mobile banking application through biometric facial recognition. She then requests a temporary increase of the credit limit on her card. This request is immediately screened by the anti-fraud system and the request is quickly verified through real time validation of business rules and predictive analytics on Charlotte’s customer data. Once validated, she receives an immediate approval of increased limit in her mobile banking account. She uses mobile payment to make the purchase she wanted. This all happens in a moment. There’s no waiting, no calls to her bank, no hassle.

Should banks be doing more?

How close is your bank to providing you with an experience like this? Are banks embracing digital fast enough to enable this type of experience for their customers in the near future? And, perhaps more importantly, are they increasing security measures in parallel with this flexibility and convenience? I would argue, no, at least not in many cases. And according to the findings from the 2015 US Online Banking Functionality Benchmark report, Forrester Research agrees. In their corresponding report on the channels representing what are currently the biggest growth areas – mobile and tablet banking apps, they go further to point out shortfalls such as:

  • The lack of an option to add an unregistered payee and a lack of an app-wide search
  • Limited ability to set up, receive and manage alerts
  • Limited ability to view, store and upload important documents
  • The lack of self-service features from within apps, such as fraud reporting and new card ordering

Are Convenience and security mutually exclusive qualities?

In the digital age, the implications of financial crime against banks and capital markets institutions are accelerating rapidly. While the complexity of fraud is increasing, banks continuously face the challenge of balancing customer experience with added security. Customers, naturally, seek faster and easier processing of transactions. But they no longer believe that there should be a trade-off between security and convenience when it comes to accessing personal information. They now expect and demand both.

A hybrid approach to stay ahead of fraud

The answer to achieving both objectives, security and convenience, uses an integrated fraud management solution, based on a hybrid approach to analytics that utilizes business rules, anomaly detection, predictive analytics, text mining, and social network analysis.

This hybrid approach is more effective in revealing hidden relationships and suspicious associations among customers, accounts or other entities.

The solution:

  • Offers on-demand scoring with real-time detection for transaction fraud including cards, mobile, and online banking
  • Integrates disparate data sources both external and internal to enhance information credibility and implement omni-channel fraud rules providing visibility to a bank’s overall exposure across all channels
  • Enables next generation authentication methods like device identification, biometrics, and automated transaction scoring to make sure transactions are both simple and secure
  • Incorporates a hybrid approach to analytics and machine learning in order to continuously update profiles with upcoming data
  • Enables workflow trigger based on business rules and sends suspicious transaction to a case manager
  • Empowers customers to set limits as per usages or country-based or regional-based limits

Meeting expectations

Digital innovation enables every customer interaction and transaction with banks to be highly secure, without any trade-off with customer experience. Embracing digital will enable banks to achieve highly efficient fraud detection while greatly reducing overall alerts, false positives, and the time required for overall validation and approval process.

Today’s consumers expect:

  • To manage every aspect of their banking experience from anywhere, at anytime, and on any device
  • To have intuitive tools that provide service through the right channel for them
  • Fraud to be detected through intelligent use of big data, and dealt with before they notice it themselves
  • Information and documents to be available at their fingertips and to be easily searchable and filterable
  • Tools to help predict future transactions and to help with budgeting
  • Linked, personalized offers and services, such an insurance and savings products, which are pre-tailored to the individual and are ready-to-go

Banks can only offer such flexibility and convenience and the accompanying increased intelligence and security by fulfilling the potential of what digital can offer.

Within today’s revolution of consumer demand, can banks lead their own revolution in their approach to doing business, while at the same time harnessing the potential of digital?

Share this article

A smooth cross channel experience: are your defenses adequate?

Mike Turner, Global Cybersecurity Business Leader, COO, CSO and CISO
Andrew Critchley, Expert in Security Architecture, Identity and Access Management
Bert Van Middelkoop, Principal Consultant at Capgemini
Seamless identity management requires resilience, control, and governance
In pursuit of a seamless user experience, the landscape of managing identities needs resilient and unified backend controls to both govern and implement access to services. How is this evolving?

The way identities are managed will dramatically change in the future.

More and more companies realize they need new ways of managing identities because of the business challenges they face. From delivering a seamless experience for up to millions of users in order to be competitive to providing easy but secure access to cloud services for their employees, business partners, and customers alike.

Yet, to make this a reality with traditional identity and access management (IAM) projects is not easy. They can be expensive, complex and difficult to kick-start.

Business enablement

To stay competitive in their markets, modern businesses need to find ways to better manage the complex connections and access between different parties and cloud-based services.

VIDEO How can enterprises create a simplified user experience across multiple channels for consumers and employees a like? Watch this video.

Control

With traditional security boundaries being eroded, ensuring the right person has the right access to the right resource at the right time is critical for the business.

VIDEO Find out how a unified IAM approach allows higher levels of security. Watch this video.

Cost

Managing user access is often executed in a decentralized manner by different business functions or even at the application level. This results in significant cost overhead to run and maintain separate processes and support functions.

VIDEO Watch this video to learn how to reduce costs associated with the governance and management of user access.
Read the full report and watch our short videos on identity management
Share this article
Share this edition

Meet the Authors

  • Jérôme Desbonnet
    Global Cybersecurity Chief Technology Officer (CTO)
  • Mike Turner
    Capgemini Group and Cybersecurity Chief Operating Officer (COO), Capgemini Group
  • Greger Wikstrand
    CTO at Capgemini Sweden
  • Thierry Cornu
    Manager, Industrial - Cybersecurity Offering, Capgemini
  • Ramana Bhandaru
    Vice President, Capgemini Financial Services
  • Andrew Critchley
    Expert in Security Architecture, Identity and Access Management
  • Bert Van Middelkoop
    Principal Consultant at Capgemini

Previous Editions