In the 10 years since the Association of Anti-Money Laundering Specialists' (ACAMS) birth, digital technology has grown exponentially. This technology has given the AML professional access to a wide array of research, analysis and reporting capabilities that are critical to operations and compliance with AML laws and regulations. Yet, the negative side of this powerful resource is the constant risk of cyber crime on both a professional and personal level. Money launderers use the Internet to create or steal personal and business identities, compromise data to hide their activities and attack those that pose the risk of doing them the most harm.
Is this a problem that will remain with us as long as there is an Internet? Yes. Is there anyone who can consistently recognize and prevent or mitigate these risks? Absolutely! You most likely saw that person this morning gazing back at you from the bathroom mirror. The greatest defense against cyber crime is you and your greatest weapons in this conflict are awareness and personal initiative.
There are those who say that if you throw enough security technology at a cyber security problem you will eliminate the threat. These are the same people who promise that you can remove the human element, or human weakness, from the security process. For the average person, confidence that technology will solve everything usually dissipates quickly when a cell phone call is dropped, a computer crashes, access to the Internet is disrupted or a PDA falls in a puddle. There is always the question of resources. Few can afford the money and effort to employ the latest, greatest and most comprehensive cyber security technology, especially in an uncertain economy. Also, as many know from personal experience, the minute one buys the bleeding edge of technology a newer, faster, better alternative will be announced. With technology's exponential growth, acquiring and implementing defensive technology can be a frustrating and budget-busting exercise.
The bottom line is that any kind of technology requires human intervention, even if it is not at the end user level. Flaws in development, implementation and maintenance will create vulnerabilities. When a cyber criminal goes to work, his only job is to find and exploit these vulnerabilities.
Reactions to the reality of cyber threats and risks usually take one of three paths. The first is the anti-technology approach: never turning on a digital device. This is impractical and becoming more and more impossible in today's digital world. The second is to express disdain for all the warnings and play the statistical odds that, of the millions, perhaps billions, of digital devices, yours will never be attacked. There is a name for this group of people: cyber crime victims. The third approach is to understand and accept the risks; ensure that defensive technologies, policies and procedures are correctly and effectively employed; stay current on the latest threats and on how to defeat or mitigate them; and finally, accept personal responsibility for one's own cyber safety.
For those in the AML arena who fall into that third category or wish to join the small, elite cadre of the cyber-secure, here is a top 10 list of tips for recognizing or understanding cyber threats in a compliance environment. Before we dive into the list, understand that creating a top 10 list of anything, from best NFL quarterbacks of all time to most effective ways of landing a job interview, is always subjective. This is especially true when it comes to cyber security and information assurance. The frames of reference for this topic vary greatly. A top private sector information technology security professional will have a different take on the subject from a military cyber security specialist. While there will be many common elements in the two lists, the approach to risk/threat assessment, mitigation and defense will likely diverge, sometimes dramatically. That is why a search engine query for top 10 cyber security tips will link you to terabytes of data. The question is: what is applicable to you and your job?
Protecting yourself online is critical not only for your personal life, but also for your effectiveness as an AML professional. As explained in the article, there are plenty of top ten lists concerning online safety. Here are the author's personal favorites. (Please note the individual responsibility element that runs throughout.)
- Password protect every device and network that stores or allows access to personal data.
- Encrypt your personal and sensitive data on mobile devices like flash drives, external hard drives and discs.
- Create strong passwords (14-16 characters that include upper and lower case letters, numbers and special characters like % or #) and change them frequently.
- Turn off geo tagging functions that can identify where you are or where a picture was taken.
- Don't leave your passwords and PINs exposed to prying eyes.
- Use a proven cyber security software suite (including virus and other malware protection and a strong firewall) and keep it turned on and updated.
- Hold family meetings to discuss personal cyber security issues. Keep your friends and co-workers informed as well.
- Conduct regular cyber security audits of your family's digital devices.
- Never divulge travel plans on a social networking site until you have returned from the trip.
- Learn how to wipe data remotely from lost devices that have that capability.
Some may say that many of the tips on this list are just common sense. Remember, it's only common sense when the sense is common. Spread the word about cyber security.
Looking at cyber security issues through the eyes of an AML professional, whether they are in compliance, regulation or law enforcement, provides yet another take on the subject. The AML environment carries its own set of risks and defenses. This list attempts to take that into consideration. Some items on this list are strategic, others tactical. Yet, all of them will be useful to you in your job and likely in your personal Internet activities.
- Be aware that the bad guys will always have more resources than you do. The greatest asset you have is you. Sound cyber security comes down to the training, vigilance, dedication and personal responsibility of the individual. Taking cyber security seriously is the best defense.
- Be aware that cyber security vendors can only help so much. They can't protect you from everything and if they could, would they? In whose interest is it to have a completely safe Internet? Technology is an integral aspect of your cyber defense, but it can never cover all threats and risks. Don't let technology make you complacent in your interactions in cyber space. Personal awareness and safe cyber practices will always be required.
- Be aware of new threats like the risks of real money transactions in virtual worlds. Don't get "nickeled and dimed" to death. Watch out for the flood of small transactions, especially in entertainment businesses. While you are looking for the big threat, the small threat may go unnoticed. Remember, this threat wasn't there just a few years ago. Keep up with the latest scams. Every AML professional is flooded with work, but ignoring what the bad guys are up to today could have serious consequences.
- Be aware that cyber security procedures need to be taken as seriously as compliance procedures. Breaking organizational cyber security rules should be a critical personnel policy infraction deserving of severe penalties. Allowing access to data or networks is not the same as picking up a few extra pens from the supply closet or showing up late for work. The consequences of such actions are too important and potentially devastating. Be a proponent of sound and manageable cyber security policies and procedures. Be prepared to take the remedial or punitive actions necessary to enforce those policies.
- Be aware that cyber security rules need to apply to everyone in the organization, no matter what their position. Preventing your network from being compromised, and your data or operational capabilities from being accessed, is everyone's responsibility. Having a simple administrative job or sitting in the corner office does not absolve anyone of cyber security responsibility. It only takes one weak link to bring down a system.
- Be aware that the insider threat is greater than you think. Research has shown that the most significant threat to networks and data involved someone with inside access. No one likes to think that the person in the next office could be a cyber liability. Anger, illness, frustration and disenchantment can lead a person to expose a system or network. So can blackmail or the theft of cyber identity. This doesn't mean that all your co-workers are to be eyed with suspicion, but it does mean that warning signs should not be ignored.
- Be aware that due diligence and risk assessment can know no bounds in cyber space. Usually criminals will look for the path of least resistance. However, the greater the reward, the greater the lengths they will be willing to go to. If creating an elaborate, multi-faceted online identity will allow them to launder millions of dollars, they will invest the time and resources. Part of your risk assessment, obviously, is deciding how far you need to dig. Hone this skill. Recognize that the criminals may be willing to create one more layer of digital deception than you have the inclination or resources to investigate.
- Be aware that when conducting risk assessments, you need to think like a bad guy at a keyboard with limitless time, money and computing power. In building your cyber defenses and assessing your online activities, thinking that "no one would ever do that" could open you to attack. Never underestimate the enemy.
- Be aware that it is very important as an AML professional to not get personally compromised online. Personal cyber security lapses can be used against you and your organization. Protect your personal identifying information, be aware of phishing schemes and learn how to recognize false web sites. Don't give the bad guys what they need to compromise your work as an AML professional.
- Finally, simply be aware. The acronym SAR is often defined as "Something Ain't Right." Many money-laundering schemes are discovered because of a "gut feeling" or a hole in the logic of the transaction. The same is true online. If it is too good to be true, it is. If it seems too easy, it is. If the identity behind an identified risk seems too innocent, there is likely a problem. Trust the same senses you use in your AML work when you navigate cyber space. They will likely keep you from falling for the deception of a cyber trap.
Which link is likely part of a phishing scam?
The answer will appear in the October 12, 2011 issue of ACAMS Connection.
There are many other words of cyber security wisdom out there that might have a more direct bearing on your particular situation. There is advice available that might cover things that you have seen negatively affect you or your organization. Yet, whatever your personal experience with cyber space might be, it will always be true that the best person to keep you safe is the person in the mirror, and the best advice in this top 10 list is number 1: Always Be Aware.