Tag Archives: network security

Online retail crime needs to be addressed

Over the last six months it has rained so much that even a mere glimpse of blue skies or the feeling of sunshine upon our skin has left us elated but nervous. It’s as if we’ve forgotten what that used to feel like, so grey and wet has this year been.

While it may have dampened – literally – our domestic holiday plans, our wish to sort the garden shed out, to dine alfresco or to spend time watching the world go by in the great outdoors, thankfully other aspects of our daily lives have pretty much continued as normal. The digital age has brought everything to our fingertips.

We might have desired to go to the cinema, but streaming videos lets us link up our PCs to our gigantic TVs; a gig might have been called off, but with YouTube, we can watch the band’s music videos; and where we’ve needed to fill up our fridge and not wanted to get blasted with torrential rain, well, with a few clicks, we’ve navigated a virtual supermarket without stepping out of the door.

Everything is possible with the digital life, but while it comes with benefits, there are always downsides. A new report from the British Retail Consortium (BRC) has found that cyber crime, or e-crime as it describes it, represents one of the biggest challenges facing retailers in the 21st century.

In 2011-12 for example, British retailers were hit hard, with breaches to network security costing, in total, £205.4 million. Of this figure, £77.3 million was lost as a direct consequence of fraudulent activity, while the remainder was calculated as projections of business lost as a result of being a victim.

The most popular type of crime was personal identity fraud, followed by card fraud in general, after which came refund fraud. Though this was the bulk of criminal activity, it was by no means exclusive, with phishing also proving to be a growing problem for retailers.

While this in itself is problematic, it doesn’t help that retailers are not approaching such crimes in the same way as they would for non-digital crimes. The study noted that 60 per cent of businesses in this industry were unlikely to report any more than ten per cent of crimes to the authorities.

This indicates that somewhere, along the usual lines of communication, something has gone amiss. Considering that the UK is a leader in online retailing, such losses are harmful to finances and reputation.

“Online retailing has the potential for huge future commercial expansion but government and police need to take e-crime more seriously if the sector is to maximise its contribution to national economic growth,” advised Stephen Robertson, director of the BRC.

“Retailers are investing significantly to protect customers and reduce the costs of e-crime but law makers and enforcers need to show a similarly strong commitment.”

According to the expert, the study shows where efforts need to be directed. Mr Robertson said that the government, along with law enforcement agencies, needs to work to develop a “consistent, centralised method for reporting and investigating e-crime”.

We welcome this. If there is, as the BRC calls for, a better, more organised system for getting businesses to consistently report, record and investigate crime, backed up with more support from the authorities, we can get a better, more detailed picture of trends in cyber crime. Knowing this allows us to build up better security measures.

After all, the last thing we want on a rainy day, cooped up in the home, is to lack the confidence to shop online for clothes, food or treats. Technology is about moving forward, and it’s high time retailers stepped up.

Taking on the high-rollers

The European Network and Information Security Agency (ENISA), which exists to improve network security within the EU, has stated that all banks should “presume” that all of their customers have PCs that are “infected”.

This fascinating suggestion by the security agency is predicated on the idea that it makes sense to go with the default position that computers – the definition here inclusive of devices like tablets and smartphones – are, to a degree, compromised.

ENISA believes that banks and financial institutions at present operate under the assumption that their online banking systems are secure, but this is a mistake that can and does lead to serious trouble.

The security agency felt compelled to make such an assertion in light of recent reports about “high roller” cyber attacks, which have been directed at wealthy corporate bank accounts.

In particular, ENISA draws its conclusions from a detailed report into the matter, produced by McAfee and Guardian Analytics, which discussed its discovery of a “highly sophisticated, global financial services fraud”.

“Unlike standard SpyEye and Zeus attacks that typically feature live (manual) interventions, we have discovered at least a dozen groups now using server-side components and heavy automation,” the authors of the report stated.

“The fraudsters’ objective in these attacks is to siphon large amounts from high balance accounts, hence the name chosen for this research: Operation High Roller.”

The intriguing thing about this is that no human participation is needed, with each assault moving at a swift speed. Combine insider knowledge of banking transaction systems with “custom and off the shelf malicious code” and you’re charting into organised crime territory, the research noted.

What can be derived from this is the notion that today’s bank robbers have migrated online because this is where the money is, another sign that the digital world is increasingly becoming the default habitat in which to do everything…literally.

The attacks occur in three distinct phases. First of all, the targets are recognised using spear phishing, and those with large capital are then identified. Following on from that, malware is directed onto their computers – and it is bespoke to the victim’s online banking website. It kicks into action as soon as a person accesses their account, which then gives the fraudsters carte blanche to carry out deceitful transactions.

ENISA has some suggestions about how to beat the criminals at this. One, as mentioned above, adopt the attitude that all PCs are compromised and adopt security measures that protect against, for example, viruses like Zeus. Two, make online banking even more secure. Finally, there needs to be strong global cooperation (here the attacks were coordinated across the globe), otherwise there will always be shortfalls in knowledge.

Other things that can work, even against highly sophisticated attacks, include anomaly detection strategies – criminal behaviour is fallible – developing solutions to more automated, obfuscated and creative forms of fraud, and providing equally diverse and multilayered forms of protection. The house always wins in the end.
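To make the anomaly-detection point concrete, here is an added example in Python; it is not ENISA’s, McAfee’s or any bank’s code. It scores each payment against the account’s own history using three of the signals the High Roller pattern described above would trip: a payee the account has never paid, an amount far outside the customer’s usual range, and a burst of payments in a short window (automation moves fast). The transaction fields, thresholds and sample transactions are constructed assumptions. One design choice worth noting: a flagged transaction is never folded back into the account’s baseline, so a fraudulent transfer cannot poison the profile that later transfers are judged against.

```python
"""Hypothetical transaction anomaly scorer (illustration only)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    account: str
    ts: int          # seconds since epoch (constructed)
    amount: float
    payee: str


# Assumed thresholds; a real system would tune these per customer segment.
AMOUNT_SIGMA = 3.0        # flag amounts more than 3 std devs above the mean
AMOUNT_MIN_HISTORY = 5    # need a baseline before judging amounts at all
VELOCITY_WINDOW = 600     # seconds
VELOCITY_MAX = 2          # more than this many payments in the window is odd
REVIEW_THRESHOLD = 2      # signals needed before a payment is held for review


def score_txn(baseline, all_prior, txn):
    """Score one transaction and return (score, reasons).

    baseline  - earlier, NOT-flagged transactions for this account; used for
                the known-payee set and the amount distribution
    all_prior - every earlier transaction for this account, flagged or not;
                used for the velocity check
    """
    reasons = []
    # 1. Payee this account has never paid before
    if txn.payee not in {h.payee for h in baseline}:
        reasons.append("new_payee")
    # 2. Amount well outside the account's own baseline
    if len(baseline) >= AMOUNT_MIN_HISTORY:
        amts = [h.amount for h in baseline]
        mu, sigma = mean(amts), pstdev(amts)
        if txn.amount > mu + AMOUNT_SIGMA * max(sigma, 1.0):
            reasons.append("amount_outlier")
    # 3. Burst of payments in a short window
    burst = [h for h in all_prior if 0 <= txn.ts - h.ts <= VELOCITY_WINDOW]
    if len(burst) + 1 > VELOCITY_MAX:
        reasons.append("velocity")
    return len(reasons), reasons


def review_queue(txns):
    """Replay transactions in time order; return those held for review."""
    flagged = []
    baseline = defaultdict(list)   # per account, unflagged history only
    all_prior = defaultdict(list)  # per account, everything seen
    for t in sorted(txns, key=lambda x: x.ts):
        score, reasons = score_txn(baseline[t.account], all_prior[t.account], t)
        if score >= REVIEW_THRESHOLD:
            flagged.append((t, reasons))
        else:
            baseline[t.account].append(t)  # only trusted payments shape the profile
        all_prior[t.account].append(t)
    return flagged


def sample_transactions():
    """Constructed sample: a month of routine bills, one harmless new payee,
    then three large transfers to unknown payees within four minutes."""
    t0 = 1_700_000_000
    routine = [
        Txn("A1", t0 + i * 3 * 86400, amt, payee)
        for i, (amt, payee) in enumerate([
            (120.0, "electric-co"), (95.0, "grocer"), (130.0, "electric-co"),
            (110.0, "grocer"), (140.0, "electric-co"), (105.0, "grocer"),
        ])
    ]
    one_off = [Txn("A1", t0 + 10 * 86400, 60.0, "bookshop")]  # new payee, normal size
    t1 = t0 + 30 * 86400
    burst = [
        Txn("A1", t1, 9500.0, "payee-x"),
        Txn("A1", t1 + 120, 9800.0, "payee-y"),
        Txn("A1", t1 + 240, 9900.0, "payee-z"),
    ]
    after = [Txn("A1", t1 + 2 * 86400, 115.0, "grocer")]  # life goes on
    return routine + one_off + burst + after


if __name__ == "__main__":
    for txn, why in review_queue(sample_transactions()):
        print(f"HOLD {txn.account} {txn.amount:>8.2f} -> {txn.payee}: {', '.join(why)}")
```

Run as a script, it holds only the three burst transfers; the bookshop payment is a new payee but otherwise normal, so it scores one signal and passes, and the later grocer payment scores nothing because the burst was never admitted to the baseline.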

Get Tweeting for Recruitment

It seems like there was never a time when Twitter wasn’t around, such is its ubiquity in contemporary society. From the general public posting ramblings to celebrities waxing lyrical about their lifestyles to the government keeping the public updated about its various endeavours (many of which no doubt centre on the economy!), this social media site has grown exponentially in the last few years.

Twitter has, in short, transformed the way we interact with one another, how we communicate news and information in general and how businesses and organisations conduct their operations. Its success is owed to its simplicity and unmediated real-time nature, USPs that manage to appeal to a wide demographic of people.

The IT security market is no stranger to this medium, which is ideally suited to recruitment. Whether it’s used to source or post job vacancies in, for example, the information security, technical risk or IT forensics professions, or as a means of networking with industry specialists, Twitter is the perfect tool for businesses and prospective employees to connect.

When using Twitter as a recruitment service helpful tips might include utilising hashtags so that tech-savvy professionals looking for work can easily find a job in their given field. For example, let’s say someone is looking for positions in information security – Acumin would post the following “#infosecjobs” in a tweet with an appropriate link to a specific job. This creates an easily searchable trend,  which simply cuts out all the clutter and connects agencies to professionals in a simple and efficient way.

Organisations wanting to headhunt professionals in their sector can take advantage of the many Twitter offshoots, which offer unique ways of engaging with the medium. Take for example http://www.wefollow.com, a user-generated Twitter directory which, like the service itself, operates on a simple interface.

Equally, there are ample aggregators out there specifically aimed at bringing together jobs in the information security and risk management sector, which can be discovered by conducting a simple search. Check out, http://www.twitjobsearch.com as just one example of this.

Professionals and agencies working in any given sector can keep a real-time conversation going through their own tweets, @ replies, and retweets. It can be a great tool for keeping abreast of industry developments by following businesses and specialists within the sector. There is a lot of following on Twitter and features such as suggested follows and browsing others’ connections make targeting appropriate sources easier.  To this effect a budding IRM professional might demonstrate gravitas and expertise through posting comments and links about relevant developments in their sector, content an employer might chance upon which also enhances the poster’s own brand.

It’s about the two-way conversation – are you tweeting today?

Follow us on Twitter: @Acumin

How easy is it for us to find your CV?

Search for advice on writing a CV and one of the first things you will read is that it should be no more than two pages long.  The last thing a hiring manager wants to do is read through reams of paper detailing your every project and anything else you’ve ever done or thought about doing in your life; brevity is encouraged, you must engage your reader to keep their attention.

Much of this advice is good. CVs should be succinct, on-topic, and objective. Follow the old mantras about CV writing down to the line though and you are left with a document that will look pretty uploaded on your favourite job boards, but will often see you overlooked for roles for which you are perfectly suitable. A CV is no longer a record of your most worthwhile achievements; it is now a digital resource, a way of indexing your experience.

Ask most jobseekers what they do with their CV once they have finished writing it, and I doubt many will tell you that they print it off, read the advertising section of the newspaper, and then start sending out copies in the post. Typically you will upload it to your favourite job board or send it across to a trusted recruiter. That’s the hard part done, you’ve ‘got yourself out there’, now it’s just a waiting game until the right role comes along, right?

Wrong. Too many candidates fail to consider how life is on the other side of the fence, how we engage with their CVs. This is particularly true when recruiting information security and risk management professionals, who can have very niche skills and responsibilities. So here it is…

Whether your CV is sat on Monster.co.uk or a recruitment database, it is important to consider how it is accessed. I can tell you that if I know you as an information security candidate, I might search for you by name, but otherwise your suitability for the roles I am working on depends completely on your CV’s ability to match my search. Any recruiter with a little training will understand Boolean search strings, and now, in order to ensure you are considered for the most relevant jobs, candidates must too.

CV writing should now be seen as SEO. Consider the meta keywords that will bring you up in the searches for the roles you’re interested in, and consider the search hits that will display your profile above your competition. It’s also important to understand the value of your skills; too often I learn about a candidate’s experience with an in-demand technology only when I have invested the time to speak to them. All recruiters know those calls when a candidate phones in to enquire why they haven’t been contacted about a role for which they believe they are perfect; considering the above, the reason quickly becomes apparent.

CVs aren’t telling us enough. For example, a candidate might simply mention ‘security monitoring’ in one of their roles, when actually they have good knowledge of IDS, IPS and SIEM systems – which are highly sought after at the moment as they tick a few of the required boxes for PCI compliance. Or what about the information risk hot topic of the day, application security? Expertise in this area can see some candidates command impressive increases in their salary. Whilst ‘application security expert A’ gets his pay rise, ‘expert B’ is failing to get interviews. I bet you know by now which candidate has written their CV with search terms in mind, who has discussed their experience in a way that makes it clear what they have been doing, and who details their specialisation most effectively.

Ultimately, your hiring manager or recruiter only knows what you tell them, and your CV is your primary form of communication. Your job search may end up a success but think about the exciting opportunities you might have missed out on due to an inability to consider what happens to your CV once it leaves your hard drive. Whilst a strong understanding of the market is going to help, overcoming this is relatively easy – technical skill profiles or project overviews are certainly one way to progress yourself up the search results, particularly in product heavy roles such as IT security engineering. For some, particularly technical security contractors, you might consider writing a version of your CV that is considerably longer than you would normally like, with a simple disclaimer that it is a keyword-optimised document. Another useful measure to take when uploading your CV to a job board is to utilise ‘personal summary’ or ‘about me’ sections to search optimise your profile.

It’s time to stop thinking about how your CV looks, but rather how people will find it.

– Ryan Farmer

rfarmer@acumin.co.uk