Cybercrime 2.0

Murray Bender: RBC Investor & Treasury Services is pleased to present insights on the future of asset and payment services across the globe. Today’s podcast features Adam Evans, Chief Information Security Officer at RBC, discussing the growing threat of cybercrime.

Thanks for joining us, Adam.

Adam Evans: Thanks for having me on the podcast today, Murray. It’s been a couple of years since I’ve been sort of out talking about the evolution of cybercrime and how that translates to financial institutions and the kinds of things that we now have to deal with in this new digital business landscape. So I very much appreciate the time and having me on your show.

Murray Bender: From your vantage point, Adam, how have cyber threats changed in recent years?

Adam Evans: So when I’m out talking about cybercrime, Murray, it’s this evolution of an underground economy. And when I talk about the underground economy, there’s a few things that have really changed in the last few years. And maybe the first one that I’ll mention is the commoditization of crime.

And essentially, what’s happening in this underground economy is they are franchising out criminal elements like money laundering, extortion tactics, malware development, selling off access to organizations that have been compromised. So it’s really become about Crime-as-a-Service.

At the same time that this sort of evolution in the underground economy has started, they have started to attract skills into this underground economy that are highly specialized. So not only are they figuring out how to create criminal platforms and this notion of Crime-as-a-Service, but they’re bringing in highly skilled individuals that can provide advisory services or specialized services to criminals.

The result is that you’re breaking down barriers of entry into crime. You don’t need the skills. You don’t need money anymore. You just need to be able to locate somebody that will sell you a platform. They will provide you with 24/7 support; they will provide you with development resources if you need them. And that helps you sort of organize your own criminal infrastructure.

The second part is that they are figuring out how to drive secondary and tertiary value off the original cybercrime activity. So a criminal goes out, he breaks into an organization, steals a bunch of data. They bring that data back to the underground and they enrich that data, and they package it and they sell it to other criminals for their own purposes.

Those criminals go out. They use that data to compromise individuals. They bring the compromised individuals back to the underground economy, and they will sell those off to other criminals that are interested in targeting people within certain regions, countries, or demographics. So they perpetuate the revenue streams of this underground economy.

That allows them to drive activity at scale. And it’s an important piece to understand is that they are leveraging everything that we are leveraging in the legitimate world, whether it be machine learning, artificial intelligence, automation; they are developing capabilities leveraging those same technologies so they can scale up their attacks, their cybercrime activity, or their attacks across the globe.

And maybe the last thing I’ll mention is the collaboration now that exists between nation-state governments and organized crime. So places like Russia, you are starting to see intelligence services within the Russian Nexus starting to leverage the underground economy and cybercrime organizations to facilitate their espionage activities, their intelligence gathering, or their ability to compromise organizations or institutions to further either the economic agenda of the government or the espionage outcome that the government is looking for.

Murray Bender: So taking this a bit further, what do you consider to be the biggest threat from cybercrime?

Adam Evans: So I think that the scalability of cybercrime is one part of it. So five to seven years ago, we could deal with the cyber threats that were targeting institutions. We have invested very heavily in our ability to not only deal with this evolution of this underground economy and the scale that they’re attacking organizations, but for me, it’s about our clients, and that’s small- and medium-sized businesses, retail banking clients, high-net-worth clients, investor and treasury services clients. They are not necessarily equipped to deal with this new digital business landscape that has emerged. And you can imagine in the last couple of years the acceleration that we’ve gone through during the pandemic.

So we are now sort of shifting our focus into the client communities and trying to educate the clients and provide services to them that allow them, not only to start their cybersecurity journey, but to leverage the intellectual property and the expertise that we’ve built at RBC to help secure their organizations, their businesses, and make sure that they can remain successful in this new digital world that they’re having to operate their business in.

Murray Bender: When you boil all this down, what’s driving the increased incidence of cybercrime, in your view?

Adam Evans: I think you have, really, four or five different things that are driving the proliferation of cybercrime.

So the first one I would mention is economic agendas or government agendas. So you have countries like China, Russia, North Korea that all have their economic agendas. Obviously, Russia’s has changed significantly in the last six months, given that they are now a highly sanctioned country; they need to prop up their economy. So very, very active. But the type of things that you see from Russia will more than likely be organized crime outcome focused, meaning that they’re going to use ransomware and things like that to drive revenue.

North Korea would be in the same boat. They’re a highly sanctioned country. So they’ve been targeting the financial system since about 2016, and they’ve been trying to generate revenue, and they have generated significant revenues for themselves, to either invest in more military capabilities, more cyber warfare capabilities, or to prop up their economy.

China has what’s called a Belt and Road Initiative. Their Belt and Road Initiative is all about economic expansion. The way that China is doing it is through the theft of intellectual property and espionage activities. So they are trying to—or they’re targeting organizations that are involved in research and development—academic institutions, obviously, during the pandemic, trying to come up with new vaccines.

They’re also targeting manufacturing so they can gain a foothold in a marketplace that would otherwise take them years to be able to build capabilities and enter into those marketplaces.

You also have political activism. So what we saw in 2016 in the United States was Russia trying to destabilize the political landscape in the United States by influencing the outcomes of the democratic process there in 2016.

So you have these nation-states that are operating their espionage activities, economic expansion, or propping up their economy.

In the underground economy itself, it’s about revenue. And they’re doing that through data. Data is the new oil for this underground economy. And it’s about collecting that data at scale. Whether it’s collecting information from people, social media platforms, compromising institutions and stealing data, intellectual property theft, all of those things are obviously what’s driving revenue in this underground economy.

So with that, it becomes over the last—or sorry, over the next couple of years, I think by 2025, the number that they’re talking about is the underground economy will generate a $10 trillion revenue stream for criminals. It is going to outpace every other traditional form of crime combined.

And I think the reason for that is how fragmented that underground economy can become, making it very difficult for law enforcement to be able to gather up people in an organized crime ring because they are distributed all over the globe. There are no geographical boundaries that you wrap around these organized crime groups.

So it makes it very, very difficult, one, to find them, and two, to prosecute them. It requires multi-jurisdiction law enforcement groups to get together and try to go after these organized crime teams or groups and prosecute them.

Murray Bender: We’ve all been through a lot over the past couple of years. What have you and what has RBC learned about cybercrime during this period of the pandemic?

Adam Evans: Yeah. It’s a great question. So I would say that, one, the cybercrime economy is very responsive. And what I mean by that is they recognized very early that we were going to be going through a pandemic—or that we were going through a pandemic, I should say.

And what we saw in the first couple of weeks of the pandemic was the cybercrime economy shifting and recognizing that people were going to need things like medical supplies. So we started to see fraudulent websites being set up and them cashing in on the anxiety that COVID was really creating for communities and that people were trying to get these supplies to protect their families.

That lasted, I would say, for three, four weeks, and then we started seeing a shift into malicious software development. So while the first fraudulent activities were happening, they were retooling themselves. And they started creating software that purported to provide victims or communities with insight into where COVID cases existed in their communities; download a piece of software to your phone and we will show you your COVID cases in your community. When people downloaded that application onto their phones, that application was actually ransomware, and they held their phones or their tablets or their computers hostage, again, driving revenue.

Then we shifted into government programs that were providing relief to small- and medium-sized businesses, individuals that were out of work because of COVID. That’s when we started to see fraud from government cheque point of view and the proceeds of cybercrime going through different sorts of government programs and trying to steal money or create fraud opportunities in those new programs that were, essentially, having to have been delivered in a very, very short period of time and not necessarily secured properly before they were launched.

And then the longer tail was, as organizations moved people into remote locations like we did—in two weeks we moved 85,000 people home—they started to recognize that people were going online more, so clients were moving to mobile channels faster. We knew that we had 85,000 people using remote infrastructure to gain access to the corporate environment, and they shifted again, and they started attacking people on their mobile devices. And they started looking at compromising remote access infrastructure because, essentially, it would grind organizations to a halt; organizations that were already experiencing economic impact from COVID and they couldn’t sustain more business disruption, so the likelihood of them paying a ransom demand started to go up.

So we really saw that business disruption and ransomware threat take off during the pandemic.

Murray Bender: Talk about pivoting, that’s for sure. What advice would you provide to those who are looking to build a cyber-resilient organization?

Adam Evans: So the first thing, I think people tend to overcomplicate what needs to be done. And don’t get me wrong, it can be very complicated depending on the level of maturity that you’re trying to reach and the regulatory environment that you are part of, like we are. We’re a globally significant bank; obviously, a lot of regulatory scrutiny comes along with that.

But for small- and medium-sized businesses, for individuals, it’s really about understanding what you’re trying to protect.

So, me as an individual, I think about my most sensitive information assets—my online banking account, my Gmail account. And if somebody gained access to those information assets, what would they understand about me as an individual? And how could they take that information and use it against me and the community that I am part of? So it starts there, it’s understanding what you’re trying to protect.

The next piece of it is, okay, so now I understand the information assets I’m trying to protect, how am I going to protect them? Who has access to my Gmail account? Who has access to my online banking?

And then I can make sure that I have awareness of how that access is being used. If it’s my wife logging into online banking, making sure that I recognize when she’s going in there. And if I start to see transactions that don’t really fit with her profile, then we can sit down, and maybe her credit card’s been compromised somewhere along the way or one of her credentials has been compromised in some way, shape or form.

I also use things like multifactor authentication. It’s free. You can download Google Authenticator or Microsoft Authenticator apps and set up stronger authentication for yourself into those really sensitive information assets.

And then the last thing I would mention is preparing for the “when” event. It’s not about if you get compromised, it’s about when. These guys are really, really good at targeting individuals. And the more data that we create around ourselves in social media, browsing the internet, things like that, as I said, they are collecting that information at scale. They’re using that information to tailor campaigns that increase the likelihood of you clicking on something. It’s called social engineering.

So, it’s making sure that you are prepared for when the compromise comes, how are you going to respond. Do you know how to reset your online account? Potentially using something like a password manager that allows you to reset credentials across all your information assets in one shot.

But there are some very simple steps that don’t cost any money that you can take to start to prepare yourself and increase your own security posture or profile. And that goes a long way. These guys, as I said, are doing things at scale. So they aren’t just looking for the soft targets that they can compromise and move on; they’re trying to collect as many compromised individuals’ accounts, computers, whatever it may be, as they possibly can.

Murray Bender: To conclude, Adam, and I’m not sure I really want to know your answer here, but how will cyber threats continue to evolve as we move forward?

Adam Evans: So I think they will become more synthetic in nature. And what I mean by that is they will run autonomously. They will leverage AI, machine learning, automation.

And the only way I think that they can continue to grow their cybercrime activities is by this sort of artificial intelligence capability starting to interact with individuals in a more authentic way. So as that technology continues to grow, as more data gets put out there for them to consume, these bots, these automated entities are going to get smarter and more accurate.

At the same time, we, RBC, have to do the same thing. Synthetic security is where we’re headed. So this now becomes an arms race. We have to make sure that the tools and solutions that we are deploying are just as scalable and can look for changes in the behaviour of an individual and spot these synthetic interactions or transactions before they can defraud our customers.

Murray Bender: Thanks very much for sharing your insights on cybercrime, Adam. We really appreciate your time.

Adam Evans: All right. Thanks for having me on the show. As I said, I’ve been out for a couple of years, and I very much enjoy these conversations with groups within the organization, our clients, the boards. It’s always fun for me to come out and have these sorts of dialogues. So thank you very much for having me on your show.

Murray Bender: Thanks again.

Today’s podcast has been brought to you by RBC Investor & Treasury Services, and we hope you found it useful. For additional insights on the future of asset and payment services, including our previous podcasts, visit rbcits.com/insights.

I’m Murray Bender. Thanks for listening.

This content is provided for general information and does not constitute financial, tax, legal or accounting advice, and should not be relied upon in that regard. Neither RBC Investor & Treasury Services nor its affiliates accepts any liability for loss or damage arising from use of the information in this podcast.