By Hamish Karamsadkar, digital trust and cyber security expert at PA Consulting Group
People around the world were shocked as the WannaCry and “#NotPetya” ransomware viruses exposed and exploited IT weaknesses in leading companies around the world, including the Bank of China, FedEx, DLA Piper and the UK’s National Health Service. But with cybercrime in financial services (FS) reaching staggering levels and the costs to the global economy reportedly averaging £266 billion a year for the last three years, should we really be that surprised? While everyone looks inwardly in the event of a breach, we have to learn that to deal with the combination of the increasingly sophisticated attackers and the relentless advance of technology we need to share more readily.
Emerging technologies bring new risks
An ever-more connected customer base means more focus on digitising products, services, and transactions. So FS firms are increasingly dependent on the internet and emerging technologies which increase risk in a digitally perimeter-less environment.
With each new technology on the radar, a complementary vulnerability exists. For example:
- Botnet attacks: The dark side of the ‘Internet-of-Things’, this relates to digital devices that are connected to the internet and that have been breached to commit fraud or attack network servers (in 2015, two ethical researchers were able to wirelessly take control of a Jeep Grand Cherokee, resulting in a recall of 1.4 million vehicles!). For financial institutions, botnet attacks have contributed to the loss of £millions and are considered the most prevalent attack method for financial businesses globally.
- Cloud computing and data storage: As the world’s data moves to the cloud we expect to see increasingly sophisticated attacks on cloud infrastructures, shifting from device to cloud-based botnets, exploiting vulnerabilities in cloud servers. A 2015 Cloud Security report found ‘brute force’ attacks on cloud environments climbed from 30% to 44% of customers, and vulnerability scans increased from 27% to 44% in that year. Brute force attacks typically involve a large number of attempts testing multiple common credential failings to find a way in, while vulnerability scans are automated attempts to find a security weakness in applications, services or protocol implementations that can be exploited. These types of incidents have been far more likely to target on-premises environments in the past, but are now occurring at near-equivalent rates in both environments.
- Payments technology: As companies and consumers adopt new mobile payments technologies, such as Apple Pay and Google Wallet, cyber criminals are intensifying their efforts. In 2015, Google Wallet user credentials were stolen after the service fell prey to an Android ‘Fake ID‘ exploit – related fraud cases in the US have since been running into the $millions. Inevitably, FS institutions will need to quickly understand the threats that new mobile payments technologies pose to established business models.
Over and above new threats on the horizon, the FS industry has existing concerns which make cyber-security doubly challenging, including extensive compliance regulations, the struggle to secure customer data, and supplier risk.
So how should firms respond?
Too many institutions rely on general IT-risk management processes in the hope they’ll be enough in the event of a major cyber-attack. But FS firms need to protect themselves by analysing data and looking for trends to pre-empt potential attackers.
A US- study highlighted that a mass spear-phishing email campaign in 2013 demonstrated that many institutions lacked the right vision and strategy to defend against evolving and persistent threats. Criminals stole almost $1billion from 100 banks in 30 countries. The malware used wasn’t detected by affected businesses for almost 300 days after the attack. In short, long-term protection which should focus on improving incidence response or enhancing cultural security behaviours is sacrificed in favour of real-time threat detection.
Firms need to remember that technology alone cannot secure your department from a crippling cyber-attack. User education needs to be integrated with robust technology into a business-wide programme for cyber security.
Assume anything is possible
The best way businesses can improve their cyber resilience is to embrace a risk-based approach to managing cyber security.A risk-based approach starts with the assumption that an unauthorised user already has the capability to gain access to a system. With this in mind, a risk-based approach undertakes a process of threat modeling where security experts look at the entire IT environment and documents threats (existing or emerging) and their potential impact on a businesses’ security posture. Ultimately, a risk-based approach needs to form part of an overall risk management strategy and should involve:
- breaking down silos between technical IT areas and the wider business
- focusing on educating staff (regardless of seniority or accountability) about cyber security in a way that demystifies complex topics
- identifying where the business is most vulnerable to attack and where most critical information and system capabilities are, and
- assessing how effective incident response processes are, identifying and remediating any gaps.
Given the sophistication, complexity, and evolution of the techniques and technologies used by attackers, even a sizeable organisation with ample information security resources may find it difficult to plan and implement an adequate response by itself.
As cyber threats evolve, FS institutions will need to share knowledge, particularly as compliance and regulation becomes increasingly normalised. Internally, organisations can significantly strengthen their ability to protect their business as well as their customers by sharing and pooling data on attack methods, loss prevention, and information security.