RSA QUARTERLY FRAUD REPORT Volume 2, Issue 4 Q4 2019

Post on 06-Oct-2020


CONTENTS

Executive Summary

Fraud Attack Trends: Q4 2019
  Fraud Attack Type Distribution
  Top Phishing Target Countries
  Top Phishing Hosting Countries

Consumer Fraud Trends: Q4 2019
  Transaction and Fraud Transaction Distribution by Channel
  Average Credit Card Transaction and Fraud Transaction Values
  Device Age vs. Account Age
  Compromised Credit Cards Discovered/Recovered by RSA

Feature Article
  Cyber Attack Risk Tops Risk Management Priorities for Global Organizations


EXECUTIVE SUMMARY

FEATURE ARTICLE

Cyber Attack Risk Tops Risk Management Priorities for Global Organizations

2020 is widely expected to mark an inflection point for digital transformation, when long-hyped technologies like cloud, AI and IoT begin to produce meaningful outcomes for organizations that have been bold enough to invest in them. Along with the prospect of boundless opportunity, digital transformation is also creating unique risks and evolutionary changes to traditional risk management. In this article, featuring excerpts from the recently published RSA Digital Risk Report, we explore the digital initiatives organizations are investing in, their impact on risk management priorities and the role of security, risk and business leaders in managing digital risk.

The RSA® Quarterly Fraud Report contains fraud attack and consumer fraud data and analysis from the RSA Fraud and Risk Intelligence team. It represents a snapshot of the cyber-fraud environment, providing actionable intelligence to consumer-facing organizations of all sizes and types to enable more effective digital risk management.

RSA-OBSERVED FRAUD ATTACK AND CONSUMER TRENDS

For the period starting October 1, 2019, and ending December 31, 2019, RSA observed several global fraud trends across attack vectors and digital channels. The highlights include:

In 2019, RSA identified a total of 255,095 global fraud attacks, or approximately 30 per hour.

Phishing remains the predominant attack vector used by fraudsters, accounting for 60 percent of all fraud attacks observed by RSA in Q4. Overall, phishing volume increased 54 percent year over year.

RSA saw a year-over-year increase in all other fraud attack vectors. Specifically, financial malware attacks increased 41 percent, fraud and brand abuse attacks on social media increased 62 percent, and the number of rogue mobile apps uncovered across popular app stores increased 175 percent.

Three out of every five fraud transactions identified in Q4 originated from a mobile browser.

RSA recovered over 32.5 million unique compromised cards and card previews in 2019. The top five countries to which compromised cards for sale can be attributed are the United States, India, Spain, Brazil and the United Kingdom.


FRAUD ATTACK TRENDS: Q4 2019

Phishing and malware-based attacks are the most prolific online fraud tactics developed over the past decade. Phishing attacks not only enable online financial fraud, but these sneaky threats also chip away at our sense of security as they get better at mimicking legitimate links, messages, accounts, individuals and sites. Automated fraud comes in the form of the various active banking Trojan horse malware families in the wild today; these malicious programs do their work quietly and often without detection until it is too late.

By tracking and reporting the volume and regional distribution of these fraud threats, RSA hopes to contribute to the ongoing work of making consumers and organizations more aware of the current state of cybercrime and fueling the conversation about combating it more effectively.

Fraud Attack Type Distribution

In the fourth quarter of 2019, RSA identified 59,267 total fraud attacks worldwide, marking a 7 percent increase from the previous quarter. Among the attack vectors, phishing saw the largest increase in Q4, spiking 47 percent with 35,095 attacks detected worldwide. Fraud and brand abuse attacks on social media accounted for 17 percent of all fraud attacks in Q4, only a 2 percent increase from Q3, while Trojans and financial malware attacks increased 24 percent.

[Chart: Fraud attack type distribution, Q4 2019. Phishing 60%, Brand Abuse 17%, Rogue Mobile Apps 13%, Trojan Horse 10%.]

Year over year, fraud attacks by type saw the following changes:

Phishing: 54%
Rogue Mobile Apps: 175%
Financial Malware: 41%
Social Media Attacks: 62%

In 2019, RSA identified 30 global fraud attacks per hour.

FRAUD ATTACK GLOSSARY

Phishing: Cyber attacks attempting to steal personal information from unwitting end-users under false pretenses either by email, phone call (vishing) or SMS text (smishing).

Trojan Horse: Stealthy malware installed under false pretenses, attempting to steal personal user information.

Brand Abuse: Online content, such as social media, that misuses an organization’s brand with the purpose of misleading users.

Mobile Application Fraud: Mobile applications using an organization’s brand without permission.

Top Phishing Target Countries

PHISHING TARGETS

Canada was targeted by 7 out of 10 phishing attacks in Q4, remaining the top targeted country, and overall attack volume increased 100 percent from Q3. India saw a 30 percent increase in overall phishing volume quarter over quarter while the Philippines experienced a 52 percent decrease and Spain experienced a 30 percent decrease compared to Q3.

[Map: Top phishing target countries, Q4 2019. Canada 71%, India 6%, United States 6%, Netherlands 5%, Spain 4%, Philippines 2%, China 2%, Poland 1%, South Africa 1%, Mexico 1%, Turkey 1%, all others 2%.]


Top Phishing Hosting Countries

PHISHING HOSTS

In Q4, we saw the Netherlands and the United Kingdom re-enter the top ten hosting country list while Australia and Hong Kong dropped off. Germany moved up to become the second-ranked hosting country, with the number of phishing attacks hosted there nearly doubling, moving from 2.5 percent to just over 5 percent in Q4.

HOSTING COUNTRIES

1. United States
2. Germany
3. Malaysia
4. India
5. Russia
6. China
7. Canada
8. Netherlands
9. France
10. United Kingdom


CONSUMER FRAUD TRENDS: Q4 2019

The RSA Fraud and Risk Intelligence team analyzes consumer fraud data and informs the security and risk management decisions for major organizations while serving the public interest by identifying, preventing and reducing financial cyber fraud attacks on consumers. Observing consumer fraud trends over time can support decision-makers on how to build or refine their digital risk management strategy across customer-facing deployments.

These data points are intended to broadly frame the current consumer fraud atmosphere, and identify relevant trends, by tracking broad indicators of online fraud across both financial and e-commerce focus areas.


Transaction and Fraud Transaction Distribution by Channel

FRAUD TRANSACTION METHOD

After two quarters of witnessing a shift in the volume of fraud transactions from mobile to web, the mobile channel has once again become the predominant channel for fraud transactions. In Q4, RSA observed 72 percent of fraud transactions originating in the mobile channel, and specifically 59 percent, or about three out of every five fraud transactions, attributed to mobile browsers. This is the highest percentage of fraud transactions originating from mobile browsers observed by RSA since we began tracking this data.

The average value of a fraudulent payment transaction in the mobile channel was $480.

[Charts: Transaction distribution by channel and fraud transaction distribution by channel (Web, Mobile Browser, Mobile App), by quarter, 2016 Q4 through 2019 Q4.]

TRANSACTION METHOD

In the fourth quarter of 2019, mobile browsers and mobile applications accounted for 53 percent of overall transactions observed by RSA.

Source: RSA Fraud & Risk Intelligence Service, October 2019-December 2019

3 out of every 5 fraud transactions originated from a mobile browser.


Average Credit Card Transaction and Fraud Transaction Values (E-Commerce, by Region)

In Q4, the most drastic difference between the value of genuine and fraud transactions was observed in Australia and New Zealand, where the average value of a fraud transaction was $414, nearly triple the value of a genuine transaction. In North America, the average value of a fraud transaction decreased 40 percent from Q3 and showed little difference in value between genuine vs. fraudulent transactions. As merchants and financial services providers resolve fraudulent transaction cases and chargebacks from the holiday shopping season, it will be interesting to observe how these numbers change in the coming quarter.

[Chart: Transaction value and fraud transaction value by region (European Union, Americas, UK, Australia/New Zealand).]

Source: RSA Fraud & Risk Intelligence Service, October 2019-December 2019

REGION                  TRANSACTION VALUE   FRAUD TRANSACTION VALUE   DIFFERENCE $
European Union          $135                $214                      $79
Americas                $214                $239                      $25
UK                      $158                $242                      $84
Australia/New Zealand   $140                $414                      $274


Device Age vs. Account Age

ANALYSIS

“Device Age” refers to how long the RSA Fraud Platform has “known” or “trusted” a given device (laptop, smartphone, etc.). “Account Age” refers to how long the RSA Fraud Platform has “known” or “trusted” a given account (login, etc.). This data demonstrates the importance of accurate device identification to minimize false positives and customer friction during a login or transaction event.

E-COMMERCE

In Q4, 60 percent of fraud transaction value originated from a new device but trusted account, indicating account takeover activity continues to be a preferred and successful attack vector for cybercriminals.

ONLINE BANKING: LOGIN

While less than 1 percent of logins were attempted from a combination of a new account and new device, this scenario accounted for 41 percent of total fraud volume observed in Q4. This is indicative of fraudsters using stolen credentials from data breaches to set up mule accounts to facilitate cash out or new account fraud.

ONLINE BANKING: PAYMENT

In Q4, despite representing only 0.5% of total payment transactions, 35 percent of payment fraud attempts originated from a new account and new device, an increase from 27 percent last quarter. This indicates a continued increase in credential stuffing attacks where fraudsters attempt to use compromised credentials from data breaches to initiate payments from victims’ accounts.

Source: RSA Fraud & Risk Intelligence Service, October 2019-December 2019

Fraudsters continue to perfect the art of automation in cybercrime, and that has been most frequently observed in account takeover attacks with the use of credential stuffing tools. Typical success rates for credential stuffing tools range from 0.5% to 3%. That may not sound all that high, but for a fraudster working with a million username-password-email combinations—not far-fetched, considering the volume of breached records for sale—it can easily add up to tens of thousands of successful matches that can then be monetized. Refer to RSA’s recent blog, Credential Stuffing Breeds Fraud on a Grand Scale, for a look at how automated tools are enabling fraudsters to commit fraud on a large scale and with less effort than ever before.
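The segmentation used in this analysis can be reproduced on an organization's own event data. The following is an added example, not RSA's code: it buckets events with the report's thresholds (new: age < 1D, trusted: age >= 90D) and computes each segment's share of transaction volume and of fraud value. The field names, the sample events, the "Other" bucket for ages between 1 and 90 days, and the "Inconsistent" label are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds from the report's chart legend.
NEW_MAX = timedelta(days=1)        # "new": age < 1D
TRUSTED_MIN = timedelta(days=90)   # "trusted": age >= 90D


def age_class(age):
    """Map an age to 'new', 'trusted' or 'other' (the 1D-90D range the legend leaves open)."""
    if age < timedelta(0):
        raise ValueError("first-seen timestamp is later than the event")
    if age < NEW_MAX:
        return "new"
    if age >= TRUSTED_MIN:
        return "trusted"
    return "other"


def segment(event):
    """Return the report-style segment label for one event (field names are hypothetical)."""
    account_age = event["ts"] - event["account_first_seen"]
    # Account-device age: time since this device was first seen on this account.
    device_age = event["ts"] - event["device_first_seen_on_account"]
    if device_age > account_age:
        # A device cannot be known on an account for longer than the account exists.
        return "Inconsistent"
    account, device = age_class(account_age), age_class(device_age)
    if "other" in (account, device):
        return "Other"
    return f"{account.capitalize()} Account/{device.capitalize()} Device"


def summarize(events):
    """Per segment: percent of transaction volume and percent of fraud value."""
    counts = defaultdict(int)
    fraud_value = defaultdict(float)
    for ev in events:
        seg = segment(ev)
        counts[seg] += 1
        if ev["is_fraud"]:
            fraud_value[seg] += ev["amount"]
    total_n = sum(counts.values())
    total_fraud = sum(fraud_value.values())
    return {
        seg: {
            "pct_volume": round(100 * counts[seg] / total_n, 1),
            "pct_fraud_value": round(100 * fraud_value[seg] / total_fraud, 1)
            if total_fraud else 0.0,
        }
        for seg in counts
    }


NOW = datetime(2019, 12, 15, 12, 0)


def _ev(account_age_days, device_age_days, amount, is_fraud):
    """Build one constructed sample event."""
    return {
        "ts": NOW,
        "account_first_seen": NOW - timedelta(days=account_age_days),
        "device_first_seen_on_account": NOW - timedelta(days=device_age_days),
        "amount": amount,
        "is_fraud": is_fraud,
    }


# Constructed sample data, not figures from the report.
SAMPLE_EVENTS = [
    _ev(400, 380, 120.0, False),
    _ev(400, 200, 80.0, False),
    _ev(365, 120, 60.0, False),
    _ev(900, 450, 45.0, False),
    _ev(200, 100, 150.0, False),
    _ev(500, 95, 30.0, True),     # trusted account, trusted device, fraud
    _ev(300, 0.1, 600.0, True),   # trusted account, new device (takeover pattern)
    _ev(700, 0.5, 90.0, False),   # trusted account, new device, genuine
    _ev(0.2, 0.2, 370.0, True),   # new account, new device
    _ev(30, 10, 55.0, False),     # neither new nor trusted
]

if __name__ == "__main__":
    for name, stats in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{name:32s} volume {stats['pct_volume']:5.1f}%  "
              f"fraud value {stats['pct_fraud_value']:5.1f}%")
```

A segment whose share of fraud value is far above its share of volume is where step-up authentication or review pays off most, which is the comparison the report's chart draws.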

[Chart: Device Age vs. Account Age. Panels: E-Commerce Payment, Online Banking Login, Online Banking Payment. Segments: New Account/New Device, Trusted Account/Trusted Device, Trusted Account/New Device. Measures: % of fraud value, % of transaction volume.]

NEW ACCOUNT: Account Age < 1D
TRUSTED ACCOUNT: Account Age >= 90D
NEW DEVICE: Account-Device Age < 1D
TRUSTED DEVICE: Account-Device Age >= 90D

Typical success rates for credential stuffing tools range from 0.5% to 3%. That may not sound high, but considering the volume of breached records for sale, it can easily add up to tens of thousands of successful matches that can be monetized.

Compromised Credit Cards Discovered/Recovered by RSA

ANALYSIS

In Q4, RSA recovered over 6 million unique compromised cards and card previews, a 19 percent increase from the previous quarter. In total for the year, RSA recovered more than 32.5 million unique compromised payment cards and card previews from reliable online fraud stores, social media and other sources. Eighty-three percent of all compromised cards for sale can be attributed to five countries: the United States, India, Spain, Brazil and the United Kingdom.

[Chart: Compromised credit cards discovered/recovered by RSA, by month. Month labels as printed: July, August, September. Bar values: 2,365,129; 2,163,010; 1,560,655.]

Source: RSA Fraud & Risk Intelligence Service, October 2019-December 2019


FEATURE ARTICLE

Cyber Attack Risk Tops Risk Management Priorities for Global Organizations

2020 is widely expected to mark an inflection point for digital transformation, when long-hyped technologies like Cloud, AI, and IoT begin to produce meaningful outcomes for organizations that have been bold enough to invest in them. Along with the prospect of boundless opportunity, digital transformation is also creating unique risks and evolutionary changes to traditional risk management. In this article, featuring excerpts from the recently published RSA Digital Risk Report, we explore the digital initiatives organizations are investing in, their impact on risk management priorities and the role of security, risk, and business leaders in managing digital risk.

According to IDC, organizations spent an estimated $1.18 trillion on digital transformation in 2019, and that number is expected to top $6 billion over the next four years. There are several different types of digital transformations covering a wide range of technology shifts. According to the RSA Digital Risk Report, 78 percent of respondents selected three or more categories of investment and indicated several different types of transformations were ongoing within the company.


Which of the following types of Digital Transformation initiatives has your organization implemented in the past two years? Select all that apply.

Percentage of Respondents (n=1,034)

Cloud (Moving a significant number of workloads to the cloud or optimizing across multiple clouds): 61%
Customer apps (Extending applications or services to customers): 49%
Digital footprint (Extending our digital footprint to a wider environment e.g. sensors, mobile devices etc.): 47%
Dynamic workforce (Enabling a “work anywhere” workforce): 46%
Advanced analytics (Applying advanced analytics techniques e.g. artificial intelligence): 44%
Process automation (Replacing legacy/analogue operational processes with digital processes or technologies): 43%
Partner apps (Extending applications or services to partners): 42%
IoT (Linking our legacy and IoT systems together): 36%
Agile dev (Using agile software development): 36%
Robotics (Implementing robotics/automation systems): 33%
Sensors (Setting up always-connected, sensor-enabled or location-aware technologies): 29%


The fact that multiple technology initiatives are simultaneously affecting organizations is a strong indicator of the increased complexity of digital business operations. For example, 61 percent cited cloud initiatives as a major part of their digital initiatives, which not only shape the technology landscape but also add layers of complexity to third-party risk through relationships with SaaS, IaaS and PaaS providers. Another example was the emphasis on customer and partner applications and expansion of the digital footprint of the organization. This expansion increases the attack surface for cyber threats, while agile development lifecycles and DevOps are straining risk and security teams’ ability to keep up.

The types of digital risk priorities cited by organizations surveyed varied depending on their industry and region; however, cyber attack risk and risks introduced by a rapidly changing and dynamic workforce topped the list. Managing third-party risks ranked as the third priority. Looking at future risk management objectives for the next two years, respondents’ viewpoints diverged by industry, suggesting that market forces brewing in each sector play the largest role in influencing the risk management priorities associated with an organization’s digital transformation. The figure to the right illustrates the top risk management priorities by industry over the next two years.

[Figure: Top risk management priorities over the next two years, ranked 1 to 8 by industry. Columns: Finance & Insurance; Wholesale & Retail; IT, Technology & Telecom; Health & Pharma; Public Sector; All Respondents. Risk categories: Data Privacy Risks, Process Automation Risks, Third-Party Risks, Compliance Risks, Cloud-Related Risks, Business Resiliency Risks, Cyber Attack Risks, Dynamic Workforce Risks.]

DynamicWorkforceRisks

1

2

3

4

5

6

7

8

GradationScale(rank)

FINANCE & INSURANCE WHOLESALE & RETAIL IT, TECHNOLOGY& TELECOM HEALTH & PHARMA PUBLIC SECTOR ALL RESPONDENTS

Data PrivacyRisks

ProcessAutomationRisks

Third-PartyRisks

ComplianceRisks

Cloud-RelatedRisks

BusinessResiliencyRisks

Cyber AttackRisks

DynamicWorkforceRisks

Data PrivacyRisks

ProcessAutomationRisks

Third-PartyRisks

Cloud-RelatedRisks

BusinessResiliencyRisks

Data PrivacyRisks

ComplianceRisks

Cyber AttackRisks

BusinessResiliencyRisks

Cyber AttackRisks

DynamicWorkforceRisks

Data PrivacyRisks

ProcessAutomationRisks

ComplianceRisks

Cloud-RelatedRisks

BusinessResiliencyRisks

Cyber AttackRisks

ComplianceRisks

Cyber AttackRisks

Cyber AttackRisks

Data PrivacyRisks

Data PrivacyRisks

ProcessAutomationRisks

ProcessAutomationRisks

ProcessAutomationRisks

Third-PartyRisks

Third-PartyRisks

Third-PartyRisks

Third-PartyRisks

ComplianceRisks

ComplianceRisks

Cloud-RelatedRisks

Cloud-RelatedRisks

Cloud-RelatedRisks

BusinessResiliencyRisks

BusinessResiliencyRisks

DynamicWorkforceRisks

DynamicWorkforceRisks

DynamicWorkforceRisks

DynamicWorkforceRisks

1

2

3

4

5

6

7

8

GradationScale(rank)

Figure 5: Top Risk Management Priorities by Industry (next two years)Please think about your organization’s strategy to manage the risks that may emerge or increase due to your digital transformation

over the next two years. What do you believe will be your organization’s most important objective? Select one.

Cyber attack risk and risks introduced by a rapidly changing and dynamic workforce topped the digital risk priority list.


Aside from prioritizing which digital risks to focus on, it is also critical to get the right people involved in accountability and decision-making. Digital risk management still largely falls to IT and Security teams, as indicated by the RSA Digital Risk Report, with little involvement from the business. Respondents reported an ongoing challenge in enlisting the business to address digital risk: only 7 percent indicated that the line-of-business owners involved in implementing digital technologies are also involved in risk management.

Without this engagement, the strategy can become slanted towards a technologist view. From the IT and security teams’ perspective, they must shoulder the burden, as the business may feel “this is just a technology issue and can be solved with technology.” However, many digital initiatives require risk management adjustments not just in the technology arena but also in the business process layer. Risk and security issues must be addressed in the first line of defense – the business itself. Without a collaborative approach across all teams, risk can hide in the cracks in between the lines of defense. Figure 7 shows the departments that have been engaged in both legacy and digital risk management.

While cyber attacks, workforce dynamics and third-party risk are top-of-mind issues, every organization feels the effect of digital transformation in different ways. Multiple areas of risk must be addressed in a comprehensive, cohesive strategy. RSA’s study illustrates that, to meet the demands of the digital transformation efforts underway, security and risk management processes must leverage collaboration across IT, security and risk functions along with an increased involvement of the business. To view the full version of the RSA Digital Risk Report, visit www.rsa.com/digitalrisk

Figure 7. Departments Involved in Risk Management

Departments: IT Team; Security Team; Risk Team; Compliance Team; Operations Team; Finance Team; Auditing Team; Procurement Team; Anti-fraud Team; Legal Team; The LOB Driving the Digital Transformation

Series: Legacy Risk Management; Digital Risk Management

Values as they appear in the chart: 73%, 66%, 65%, 65%, 47%, 50%, 25%, 27%, 30%, 31%, 25%, 25%, 16%, 16%, 10%, 9%, 20%, 20%, 20%, 21%, 9%, 7%

Over the past two years, which departments in your organization were most involved in your organization’s strategy to manage the risks that arose from its legacy (non-digitized) operations? Over the next two years, which departments in your organization will be most involved in your organization’s strategy to manage the risks that may arise from its digital transformations? Check all that apply.


©2020 Dell Inc. or its subsidiaries. All rights reserved. RSA and the RSA logo, are registered trademarks or trademarks of Dell Inc. or its subsidiaries in the United States and other countries. All other trademarks are the property of their respective owners. RSA believes the information in this document is accurate. The information is subject to change without notice. Published in the USA 2/20 W339501 H18178

DIGITAL RISK IS EVERYONE’S BUSINESS. HELPING YOU MANAGE IT IS OURS.

RSA offers business-driven security solutions that provide organizations with a unified approach to managing digital risk that hinges on integrated visibility, automated insights and coordinated actions. RSA solutions are designed to effectively detect and respond to advanced attacks; manage user access control; and reduce business risk, fraud and cybercrime. RSA protects millions of users around the world and helps more than 90 percent of the Fortune 500 companies thrive and continuously adapt to transformational change.

Find out how to thrive in a dynamic, high-risk digital world at rsa.com