Dr. Wael Aggan, CEO, CloudMask
Banks are all about money. Money for individuals, money for businesses and obviously money for the banks. With all these riches, it’s no wonder that the finance sector is a major target for cybercrime. From selling sensitive personal and account details on the underground market to fraudulently accessing online accounts, there is a lot to gain.
The British National Security Strategy has listed organised cybercrime on a par with terrorism as a major threat to national security. It is important to recognise that today’s cybercriminals are not driven by glory; they are organised and, in the case of banking fraud, motivated by money, in the same way that hacktivists are influenced by personal causes and nation-states are driven by espionage. They are all after the same thing – your data – and data is the fuel that drives cybercrime economics.
Cybercriminals are even more active than we think. It has been uncovered that the banks are understating the real amount of fraud by at least half. The latest Annual Fraud Indicator estimated that retail banking fraud cost £475 million a year, based on reports from banks. The Times revealed in August that 3.6 million in banking fraud had been left out of official figures.
Banks are not alone in disguising the true scale of cyber-attacks. Organisations around the world are guilty of not being transparent when it comes to cybercrime reporting. In many cases, organisations are unaware that they have been the victim of a breach. Sophisticated stealth attacks are increasingly common, and in many cases personal data is stolen and no one knows until months down the line, when identities have been stolen and new credit cards applied for or bank accounts emptied. Despite all of this, breaches that are made public are rising significantly.
A report by the British Bankers’ Association found that 93 percent of large organisations suffered a security breach last year and seven in 10 banking chief executives see cybersecurity as a major risk to growth. Cybersecurity is emerging as a key threat to the banking system, and regulators now take the ability of a lender to withstand a serious online attack almost as seriously as measures of strength such as capital levels and short-term liquidity buffers.
The UK Information Commissioner’s Office (ICO) reported 1,559 data breaches between April 2013 and March 2014. By September this year, the ICO had issued fines totalling £5,391,000 in the UK for data breaches since it was given this power in 2010.
This is only one of the issues when being transparent about security breaches. Not only do consumers and businesses lose confidence, but your reputation goes down the drain and it costs money. The financial services sector has suffered badly, facing some of the biggest fines in history, including the Financial Services Authority fining HSBC £3.2m for data protection failures in July 2009 and then Zurich Insurance £2.3m over customers’ data loss just over a year later.
The most recent security breach is possibly the largest ever seen: the US’s biggest bank, JP Morgan Chase, admitted that 76 million households and seven million businesses had their private information compromised in a cyber-attack. Customers’ names, addresses, telephone numbers and email addresses were compromised in the attack.
The digitisation of the global economy has made our lives easier and has created huge opportunities for businesses as well as the banks but it has also created security risks. Banks are trying their best to keep the bad guys out but are they winning the battle against cybercrime?
In 2013 the Bank of England ran an exercise, Operation Waking Shark 2, simulating a cyber-attack on the British financial system, which demonstrated that the banks had very limited knowledge of how to deal with these types of attacks. Despite a number of initiatives from intelligence agencies, financial authorities and the institutions themselves, vulnerability to cybercrime remains one of the key threats facing the financial sector.
Banks are spending a huge amount of time and money to protect data and increase defences against cybercrime. The British Bankers’ Association report found that British financial companies spent £700m on cybersecurity last year.
The UK Information Commissioner has issued guidelines about protecting personal data and suggests anonymising data. As per the ICO definition, ‘anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information. The Data Protection Act controls how organisations use ‘personal data’ – that is, information which allows individuals to be identified.’
Could it be that simple? Maybe it’s time to strip it all back and look at what is important. What are cybercriminals after? Forget building walls around your riches and spending fortunes on intelligence. It seems that by making simple changes to how data is created, stored, processed and consumed, banks can remain competitive in the global economy and consumers might have greater confidence in using their bank.
Banks are all about money, but for cybercriminals the money is in the data.