OREANDA-NEWS. December 31, 2015. The fight against cyber attacks will win significant victories in 2016 but as existing risks are countered, emerging technologies and criminal techniques will pose new threats.

Based on its work this year in the fields of cyber security and financial crime prevention, BAE Systems has made three predictions for 2016 that could have a material impact on people and businesses.

According to BAE Systems, 2016 will see a significant reduction in in-person US credit card fraud thanks to the implementation of Chip and PIN (known in the US as EMV) - but a consequent rise in other card frauds.

Consumers and businesses should be aware of the increased risk they face from cyber attacks as the Internet of Things (IoT) continues to grow in prominence.  In the coming year, cyber security will complete its transition from being seen as an IT issue to an important consideration for the entire company, including supply chains, contractors and other third parties which may represent weak links or access points for cyber attacks.

Dr Scott McVicar, General Manager, EMEA at BAE Systems Applied Intelligence, said:

“Continued changes to the way we live and work are creating new opportunities for criminals to steal, destroy and disrupt – but industry and governments are fighting back. In 2016 we expect to see a rapid evolution in the field of cybersecurity.  The race to develop new technologies and techniques represents a never-ending struggle between law enforcement, businesses and the security industry on the one hand, and cyber criminals seeking to overcome new means of protection on the other.

“In the United States, the introduction of Chip and PIN will dramatically reduce in-person card fraud, but this is likely to focus fraudsters’ attentions elsewhere.

“With cyber defence escalated to a boardroom agenda item, board members will increasingly focus on robust cyber security strategies that protect businesses effectively against current and future threats. We’re also likely to see an increased appetite amongst criminals for personal data gathered by IoT devices that show our ‘digital shadows’ – the behaviour data that describe the patterns of our everyday lives, as well as more traditional identification and financial data.

“There is strong reason to be optimistic for the coming year when it comes to cyber defence. In many cases, concerted efforts and improved collaboration are making life more difficult for criminals, forcing them to adopt new criminal practices and tactics.”

1. The long-awaited arrival of Chip and PIN / EMV in the US will see card fraudsters move to alternative techniques

Lagging behind much of Europe and Asia, the US has been slow to adopt EMV. Fraud levels suggest that this has made the States a haven for card skimmers. In 2013, total European card fraud equalled €1,330 million (£96.6 million / $1463 million), compared to €4,148.5 million (£3,013 million / $4,563 million) in the US, amongst a smaller population.

As Chip and PIN continues to become the norm in the US in 2016, in-person fraud (involving the use of cards with data cloned by skimming a user’s legitimate card details) will become a tougher option for fraudsters. But it won’t stop people using stolen card details; they’ll simply start to migrate to other methods.

In the UK, counterfeit card fraud fell from 26% of total card fraud losses to 10% between 2004 and 2014 – but remote purchase fraud (also known as Card Not Present, or CNP, fraud) went from 30% to 69% of total card fraud in the same period.

Businesses taking payment where the card is not present – for example, over the internet or by telephone – will need to bolster their defences by adopting two- or three-factor authentication for purchasers, by looking for patterns of known fraud techniques, and by using data analytics to identify potentially suspicious patterns of buyer behaviour.

2. A cyber attack on an Internet of Things (IoT) network is likely to result in mass ‘pattern data’ theft or the creation of an IoT botnet

The Internet of Things brings with it huge benefits; however, as networks increase in scale and reach, so too does their value to cybercriminals. IoT vendors, especially those selling to consumers, operate large, powerful networks of smart devices which are often in consumers’ homes. They manage large amounts of personal data that can show the patterns of people’s everyday behaviours, as well as their identity.

Recent attacks have seen the theft of large amounts of personal data. In the case of an attack on children’s connected device maker VTech, the birth dates of 6.5 million children and 4.9 million adults, as well as photographs and messages, were stolen.

But BAE Systems expects attacks on IoT networks to steal more than personal identification data. Successful attacks could be manifested in two ways - the takeover of consumer or commercial IoT devices to harness their connectivity and processing power, or the theft of large volumes of critical data.

The latter represents a new problem, as volumes of customer data – not just traditional customer identity information, but also device data - demonstrate the patterns of people’s lives. This new class of ‘Pattern Data’ could reach a black market for those with the means to exploit it. This might include burglars who want to identify high net worth households or understand the routines of target properties. By looking at the correlation of large volumes of IoT data, they can understand and profile the people and properties they target.

Securing and protecting the large volumes of data created by the Internet of Things, both at the point of collection, and at places where the data is at rest or being processed, is vital. For IoT providers, a strong business defence covers not only the data, but the devices and networks they use to collect, deploy and move that data. The use of strong encryption, hardened IoT devices and security by design will become a higher priority for brands in 2016 – as will the enforcement of strong security practices at contract manufacturers and third party suppliers and providers.

3. Cyber risk – and attempts to mitigate it affordably - will continue to evolve from an IT problem into a key risk issue for company leaders

Cyber defence will continue to make the transition from an IT problem to a board room issue. In the modern world, use of cyber space is a critical business enabler, yet also carries with it an inherent risk. One of the main functions of company boards has always been to balance risk against the ability to generate revenue and profit. In this respect, cyber threats are just a new factor to be taken into account.

Yet, to many, cyber risk is a new territory in this balancing act. The rapid pace of development both in the business strategy and evolution of the threat is driving prohibitive and unpredictable costs to mitigate the risk and unlock the benefit. Companies that are able to affordably balance risk against profitability in this new environment will move ahead of competitors that cannot.

Board directors need to ensure they have a flexible, responsive cyber security strategy in place that successfully provides the best possible defence for their business strategy. This includes making use of industry expertise to ensure the company strikes the right balance between managing risk and pursuing profit.

Evolving cyber risks call for a robust Business Defence

BAE Systems advocates a three-step approach to building a robust business defence against cyber threats, beginning by gathering the best threat intelligence available from governments and businesses about the threats they face. After hard coding that intelligence into real-time protection against known attacks, the final layer of protection is added via data analytics to identify unknown threats – the proverbial needle in a haystack. BAE Systems calls this Business Defence.