Top takeaways from our Virtual Cyber & Risk Summit
June 23, 2020 | By Vicki Hyman
Balancing risk and reward. Identifying emerging threats and discovering new opportunities. Improving the customer experience through frictionless authentication and authorization while maintaining the highest levels of security.
These are the stakes in today’s hyperdigital environment, and Mastercard’s first-ever Virtual Cyber & Risk Summit, on June 17, offered plenty of insights from experts across the ecosystem.
“We’re all experiencing lots of change and uncertainty,” said Ajay Bhalla, president, Cyber & Intelligence Solutions. “But a crisis can spark innovation and creativity, and I truly believe that our collective actions, today and beyond, will have a lasting impact.” Here are some top takeaways from the summit:
It’s the journey, not (just) the destination
Risk assessment is often made at a single point in time — when the consumer hits the buy button. But there are many interactions all along the consumer journey that can help assess risk — and establish trust — in the transaction. That’s the latest market-leading strategy behind CARTA, or Continuous Adaptive Risk and Trust Assessment, a framework developed by Gartner Research. It continuously looks at both negative and positive signals and tailors that customer journey in direct proportion to the risk seen at the key events, according to Akif Khan, senior director, Gartner Research. That emphasis on layered cybersecurity across the entire consumer journey is the insight that powers Mastercard’s Connected Intelligence, which leverages thousands of data points and hundreds of decision points to reduce false declines and fraud rates while enhancing the consumer experience, said Johan Gerber, executive vice president, Cyber & Security Products. “How do we take the transaction and look at what’s happening before the transaction, during the transaction and even after the transaction if something goes wrong? … Or how do we connect the dots across the life cycle of the consumer's interaction?”
Pro Tip: “Try and minimize the number of different vendors that you’re having to send your customer data to, and be critically clear in terms of where those vendors are taking that data, and what they’re doing with that data. Is it being used for your fraud detection purposes or is it being commingled with other clients’ data of theirs for collective consortium fraud screening?”
- Akif Khan, senior director, Gartner Research
Be on the lookout for emerging (or re-emerging) fraud threats
Card-swapping scams at ATMs are not new, but amid COVID-19, fraudsters can use personal protective equipment, extending a cloth or a glove, as part of the ruse, said Carolina Reddy, head, Fraud Risk Management, Personal & Business Banking, Standard Bank of South Africa. Don McNelly, president, Fraud Risk & Payments, Western Union, says the imposed isolation has led to an increase in “romance scams,” where fraudsters initiate online romances to trick their marks into sending them money. “People are sheltering in place, they’re staying home, they’re isolating, they’re quarantined, they’re lonely, and their need for human connection is big,” he said. The patterns for such scams remain the same — demographic mismatches, overactive receivers — so Western Union employees can spot potential victims and intervene.
Pro Tip: “Fraud, fear and doubt are no longer valid ways to communicate threat levels to executives and boards, even though the threat levels continue. Communicating from a standpoint of risk management for the business is a far better method.”
- Bob Carver, Principal Cybersecurity Threat Intelligence and Analytics, Verizon
The internet of everything should be alarming everyone
Remember what Carver just said about not leading with fear? Forget that for a second. There are billions of IoT devices in the world, yet IoT is still in its infancy, with many devices vulnerable to a variety of attacks. These devices can track our movement, our habits and our health information, and that data can be valuable to fraudsters and even extortionists, said Sherri Davidoff, co-founder, LMG Security. “With IoT generating more and more sensitive and valuable information that is not well-secured, criminals are going to realize that and they’re going to start to use that for spying or for collecting information, and not just attacks on availability,” she said. “Sleep tight!” (“I’ll be under my bed if anyone needs me,” one participant shared in the session chatroom.) “The burden of IoT security is placed far too heavily on the end user,” said Jessica Barker, co-founder and co-CEO, Cygenta. “We need to move this further upstream and place it more heavily on the producers of the technology.”
Pro Tip: “Hyperconnectivity, if not managed well, can expose us all to more risk. With an anticipated 50 billion devices making up the Internet of Things by 2025, your security will only be as strong as the weakest link in your network of connections.”
- Ajay Bhalla, president, Cyber & Intelligence Solutions
Taking the pain out of dispute resolution can be an opportunity
Transaction confusion is very real, according to a new consumer survey from Aite Group sponsored by Ethoca, which showed that more than 1 in 7 consumers have mistakenly disputed a legitimate transaction. Combined with the accelerating shift to digital commerce, more consumers will probably be reaching for their phones to help decipher their credit card statements. Solutions like Ethoca’s Digital Receipts service, which gives consumers a much deeper level of transaction detail, can help everyone avoid the costly and often lengthy chargeback process. And that also reduces the pollution of false claims in fraud models, improving approval rates, said Keith Briscoe, Ethoca’s chief marketing and product officer. Smoothing out dispute resolution is also an opportunity to engage the consumer in terms of loyalty, rebuy and purchase offers, and warranty information. “It really is about how we can shape the customer experience and deepen that experience,” Briscoe said. “That can float everyone’s boat in the industry.”
Small businesses need to prioritize cybersecurity — because cybercriminals are prioritizing them
The scramble by small brick-and-mortar businesses to quickly develop an online presence during the COVID-19 lockdown contributes to an increasingly complex ecosystem and can bring additional risk. Small businesses incur $14,000 in financial losses on average in a cyber attack, said Jess Turner, executive vice president, Products & Innovation, North America. That can be make-it-or-break-it money, considering that fewer than 40 percent of small businesses reported to The Harris Poll they could survive in COVID-19 conditions for a full year, she said. “Criminals know it can be hard to breach a large merchant and that’s why they look to their easiest targets, the most vulnerable, and those are small businesses,” said Sandy Condellire, senior vice president, Security & Decision Products, Mastercard. Safeguarding this evolving ecosystem goes beyond protecting transactions — solutions need to address the entire canvas of cybercrime, including identity theft, money laundering and account takeovers, Gerber added. (To that end, Mastercard is offering free cyber-vulnerability assessments and identity theft protections to small businesses in the U.S. and Canada.)
Pro tip: “Reduce your sensitive data. We are just data hoarders as a society right now. I often see data breaches where people have 10, 20, 30 years of information, and it’s not even helping the business anymore at that point. Reduce that data and you will reduce your risk.”
— Sherri Davidoff, co-founder, LMG Security
Cyber knowledge can’t be siloed
A recent study showed that organizations that invest in cyber training broadly across the enterprise are 200% better at responding to breaches than those that don’t prioritize training, said David Shrier, the program director of Cyber Futures, the new online program launched by Saïd Business School, University of Oxford and Mastercard that equips senior executives to address cyber risks and opportunities. With cyber reporting increasingly becoming a core board function, nontechnical executives need to learn the vocabulary and principles behind cyber readiness, and tech leaders need to understand the business implications of cyber decision-making.
Pro tip: “Collaboration between the best thinking from academia and the latest intelligence from industry experts provides the best education to drive a more secure ecosystem over time, as we manage risk and drive opportunities in the cyber world.”
— Paul Trueman, senior vice president, Cyber & Intelligence Solutions, Mastercard