Metropolitan Police Commissioner Sir Bernard Hogan-Howe has said that banks should not refund victims of online fraud because doing so rewards them for poor cyber security practices.
The commissioner told The Times that “the public were being ‘rewarded for bad behaviour’ and needed incentives to update anti-virus software and ensure passwords were safe.”
Online fraud victims can currently expect full refunds from their bank unless they have been ‘grossly negligent’, but Sir Bernard thinks this is a mistake, commenting: “If you are continually rewarded for bad behaviour you will probably continue to do it but if the obverse is true you might consider changing behaviour.
“The system is not incentivising you to protect yourself. If someone said to you, ‘If you’ve not updated your software I will give you half back’, you would do it.”
Sir Bernard’s suggestion that the victims were themselves to blame is contentious to say the least, and has drawn criticism from consumer groups and others.
According to the BBC, Which? executive director Richard Lloyd said: “With online fraud increasing, this is an astonishingly misjudged proposal from the Met Police Commissioner.
“When we investigated last year, we found too often that banks were dragging their feet when dealing with fraud. The priority should be for banks to better protect their customers, rather than trying to shift blame on to the victims of fraud.”
Majority of financial fraud caused by data hacks and malware
A week before Sir Bernard made his comments, Financial Fraud Action UK (FFA UK) issued its Year-end 2015 fraud update: Payment cards, remote banking and cheque. Its analysis shows that financial fraud losses across payment cards, remote banking and cheques totalled £755 million in 2015 – a 26% year-on-year increase compared with 2014, and with payment cards accounting for 75% of these losses.
Broken down further, FFA UK’s analysis shows that the majority (70%) of these card frauds (in other words, 52.5% of all financial fraud losses in 2015) were caused by remote purchase – i.e. “when stolen payment card details are fraudulently used to make a purchase on the internet, over the telephone or through mail order”.
FFA UK explains: “Intelligence suggests that much of [this] increase is due to fraudsters using card details stolen through data hacks and malware.”
On many such occasions, the victims are actually entirely blameless – it is the merchants who process, transmit and store card data that are at fault for poor security practices. A cursory glance through the archives of this blog – and numerous other news outlets – confirms this: cyber attacks and data breaches are regularly in the news, and millions of financial details are lost every week.
Best-practice corporate cyber security
As cyber attacks and data breaches continue to increase in cost, likelihood and severity, it is incumbent on every business to implement security best practices to protect cardholder data.
ISO 27001 is the international standard for an information security management system (ISMS), a risk-based approach to information security that covers everything in your organisation that might put you at risk – people, processes and technology.
Help towards ISO 27001 certification
Achieving certification to the Standard can be a complicated and time-consuming undertaking: organisations must provide documented evidence of their compliance with ISO 27001, which, for larger or more complex businesses, can mean creating thousands of pages of documentation. This is where IT Governance’s ISO 27001:2013 ISMS Documentation Toolkit can help.
Created by expert ISO 27001 practitioners, and enhanced by ten years of customer feedback and continual improvement, it provides all of the ISMS documents you need in order to comply with ISO 27001, including 11 policies, 66 procedures, 24 work instructions and 36 records acceptable for your ISO 27001 certification audit, plus an Information Security Manual and additional guidance.
All document templates can be customised to suit your company’s needs with a single click.