IT Security Risks Survey cyberfraud report: mitigation vs prevention

August 31, 2015

The results of the recent IT Security Risks Survey 2015, conducted by Kaspersky Lab and B2B International, show that half of banks and payment systems prefer to handle cyberincidents when they happen, rather than invest in tools with which to prevent them – despite the costs difference. The survey involved more than 5,000 company representatives, including 131 banks’ and payment services’ representatives, from 26 countries.

A multifaceted question?

Mitigation vs. prevention, reactive vs. proactive is an old, semi-philosophical question of different approaches. Do they have equal merit? Is it better to clean up or to disallow the problem? The answer, as the survey mentioned above shows, isn’t immediately obvious for the decision makers.

It’s a common wisdom that it costs more to repair the damage from an incident than to take preventive measures. Recovery sums tend to skyrocket, since aside from direct damages caused by an attack – be that an indiscreet malware incident, a targeted attack, a fraud incident or DDoS attack – there are extra costs of external expertise, reputational losses and, in some cases, fines and class action suits from disgruntled clients.

Fraud is a particular problem for banks and payment services: It literally costs billions to the financial world, possibly hundreds of billions annually.

Single successful operations such as Carbanak may cost billions alone, even though operation of that scope are few and far between. But altogether, cyberfraudsters are extremely active and it doesn’t look like they are going to calm down any time soon.

At the same time, banks and payment services tend to think that addressing particular cases is more cost effective than preventing them altogether.

1000

Survey figures

During the survey, 48% of financial organizations said they take measures to protect their clients from online fraud, aiming at mitigating the consequences rather than preventing incidents entirely. Moreover, 29% of companies believe it is cheaper and more effective to address cases of fraud as they occur, rather than to attempt to prevent them.

According to the responses given by the surveyed bank representatives and payment service operators, whenever a cyberfraud incident involving a client’s account occurs, only 41% of organizations take measures to prevent such an incident from re-occurring in the future. 36% of companies conduct an analysis of the vulnerability exploited in the attack, and 38% compensate the losses – something that users in most cases expect them to do while doing little to protect themselves.

The most popular policy among companies is to try to find out who was behind the attack: two thirds (66%) of financial organizations do this. The success rate isn’t specified, but it’s unlikely to be very high.

The reactive approach, according to Ross Hogan, Global Head of the Fraud Prevention Division at Kaspersky Lab, is like “trying to treat the symptoms of an illness rather than its root cause. The symptoms will recur, and the illness will progress.”

Kaspersky Fraud Prevention platform

Our Fraud Prevention platform is a comprehensive online fraud protection solution offered to banks in order to protect their clients at several levels. Presented last year, it includes threat control tools installed on client devices, as well as the server component located within the bank’s information infrastructure. Through the special code embedded into the bank’s web-page, this component can remotely detect a client device infection. In this document, you can find a detailed description of the systems’ operation principles, and in a short while we plan to take a closer look on the Kaspersky Fraud Prevention platform and its capabilities.