On the IT front I can't report any real increase in the level of risks out there. With a couple of conventions on at the moment we could get a few new exploits, but they don't really effect the general risk level, after all, the horse has bolted and that data just isn't going to come back, except as fraud. Could it get any worse? Not if the smarter criminals have their way.

Criminals have adopted a more corporate approach to hacking and fraud. They have investors, board meetings and revenue targets. You are one of their targets. They already have what they need to know to succeed in defrauding you. The corporatisation means that it's more of a steady-as-she-goes approach, with 'CEO's having realised that a slow bleeding of the pool of victims will elicit little response from governments and they'll have a successful long term business. Very much in the manner of some banks and although the chances of legal problems are slightly more than if you are a banker, they're still very remote and the returns are quite good for the hours and flexibility.

The business of hacking now consists of research, targeting, development of tools, attack schedule (months ahead), team recruitment and training, the attack phase where the required information is collected and then the revenue phase where the cash-in process begins. Some happen in days from start to finish, although most projects stretch for months.

There's no hurry, the research shows them how long it takes targets to get from the vulnerable to safer-yet-with-a-new-vulnerability stage. There are plenty of targets. In fact it's an infinite game. There are also plenty of freelancers who know they can get $50k cash for a good fresh exploit. There are usually some strictly enforced conditions about only selling them once. There is even talk of reducing fraud, because the professionals know that if other players are taken out the field will be left clearer. Buying exploits helps.

Some say the rush and thrill are reduced with all the planning but on the on-the-fly 'in the attack' development which is sometimes needed gives the participants the 'think on their feet' on the job satisfaction.

The hours are flexible, there's plenty of travel if you want it, but you still have to take care of your retirement nest egg yourself. Few bother with bank accounts for that of course, they know better.

It's an open industry with no restrictions on new participants and some sectors have become oversupplied, but that will settle a bit as the corporate mindset catches on.

So, there's no new risks really, it's an evolving process and will continue at similar levels for the foreseeable future.

The actual level by my napkin calculation is about 55 on a scale of 100. Of course it probably translate to 55% of you have a 100% chance of fraud occurring to you or in your name in the next 5 years.

More than half of you are already a target for fraud you might recognise, and 100% are victims of fraud they don't even recognise.

CRO Musical Chairs

I have noticed that there has been some musical chairs in the CRO area and potentially some unfilled seats. While there are some in demand  risk professionals who were vocal in their attempts to influence mismanaged institutions, but they are in short supply. I'd personally be looking for the kind of guy or gal who saw what was coming and realised they couldn't do anything about it and pulled out, say in 2006. That's the sort of guy or gal I'd be looking to tempt back into the industry.

I'd also be looking at having a risk comittee, with a broad understanding of life in the real world to help your CRO keep their feet on the ground and you in your chair. It could also mean outsourced assistance, but spare yourself the snake-oil.

A stock exchange had apparently entrusted some of their operation to a storage crowd who somehow left a heap of useful data oN publiclY accesSablE systems for eon's before catching on. It makes you wonder, what with thEM having all that enCryption and secuRity Stuff hAnging around that they couldn't spare some for the exchange stuff, it's not as if it's not critical infrastructure or anything. You don't need to be Einstein to work out how embarrasing that would be. Next.

Maybe a little bit of genuine 'old school' might help too. Just a thought.