By Joseph Patanella, CEO, Trusted Knight
For any organisation, cybersecurity is now a primary concern. Businesses across the world face a barrage of threats every day, and too often the security mechanisms they deploy are not equipped to withstand it, exposing them to significant financial and reputational harm. This is the unfortunate reality of today's online business environment, and financial services organisations are at the tip of the spear.
For the second year in a row, the 2018 IBM X-Force Threat Intelligence Index found that the financial services industry was the most attacked sector: in 2017 it accounted for 27 percent of security incidents across all industries and 17 percent of attacks, and 148 million records were breached across the industry.
It's perhaps no surprise that banks are at the top of the priority list for cyber criminals given that is (literally) where the money is, and it is becoming an unmanageable challenge for financial organisations. Technological change is causing a generational shift in how people want to manage their money, and consumers now expect to be able to check their balances, transfer cash and pay bills from their personal electronic devices, not in person in a bank branch. Moreover, traditional financial institutions are competing with an ever-increasing number of tech-firms-turned-bankers allowing consumers to do just that – and more – over the internet. In fact, McKinsey research found that 73 percent of U.S. millennials would be more excited by a financial services offering from Google, Square or PayPal than from their banks. The message? Customers want to interact with their money in new ways enabled by technology. China, for example, is already moving towards this reality, with people able to message friends, invest money and carry out financial transactions through chat applications like WeChat.
From a customer retention point of view, this changing landscape means that banks need to do everything they can to remain relevant, and a non-negotiable part of that is making more services available online. But ratcheting up online innovation also expands the digital attack surface and creates new security exposures. In the UK in 2017, financial fraud losses across payment cards, remote banking and cheques totalled £731.8 million, with losses to unauthorised remote banking fraud reaching £156.1 million, a 14 percent rise over 2016. With losses increasing year on year, many banks simply take the hit and reimburse customers who have lost money to criminals, then go through the arduous process of working out how the fraud occurred and who was liable before trying to recoup the losses, instead of tackling the issue head on and preventing the fraud in the first place.
A futile endeavour
One challenge many banks face is that they are partly reliant on end users to protect themselves. A bank can install all the security and fraud prevention tools money can buy on its own networks and systems, but it cannot control the behaviour of unmanaged online banking customers, many of whom lack awareness of even basic cybersecurity practices. The devices they use to bank online typically have inadequate defences: at best a traditional antivirus product that is probably not up to date, at worst no security software at all. Their operating systems are far more likely to be behind on patches for known vulnerabilities. And these customers browse widely, so they are likely to click malicious links, be fooled by pop-ups or phishing emails, or land on sites that deliver malware through drive-by downloads with no click required at all. All of this adds up to one clear outcome for the banks: a greater likelihood that malware-infected endpoints are connecting to their online banking applications.
In recent years, many banks have offered their customers free downloads of antivirus and other endpoint security tools to mitigate some of this risk, but the approach is fraught with challenges. Adoption rates for such downloads are notoriously low, and where customers do install the tools, most antivirus software still protects only against a subset of known threats, as shown by well-publicised cases in which new, and even previously known, threats repeatedly evaded detection. Relying on end users to protect themselves adequately has clearly proven a failed approach. And with malware becoming more sophisticated and capable of stealthier data exfiltration, ageing antivirus products offered to dutiful consumers are no longer the solution.
In essence, it's a numbers game. Each digital touchpoint with customers is a risk, and with millions of customers connected via millions of devices it is not possible to protect them all. The criminals only need to get lucky once. Ultimately, a fight against cybercriminals on the endpoint is not winnable. That's their turf, and they have all the advantage – but that doesn't mean that all is lost.
The answer lies in removing the banks' reliance on customers and on flawed endpoint protection tools. Banks have a large potential advantage over the criminals, and it is time to use it: every digital transaction, legitimate or fraudulent, must pass through systems the bank does control. Banks therefore need to evolve from an endpoint-focused security approach to a transaction-focused one. It does not matter whether malware is present on an endpoint device as long as it cannot reach the information it seeks, which is the content of the transaction. If the transaction itself is isolated and cannot be read or altered by anything else on the device or on the path to the bank, the malware's presence on that endpoint is rendered useless for that transaction.
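To make the transaction-focused argument concrete, here is an added example of one such control. It is written for this edit and is not taken from the author or from any Trusted Knight product: the customer's trusted second device (a hardware token or authenticator app) computes a confirmation code over the transaction details the customer actually sees, bound to a one-time challenge from the bank, and the bank recomputes the code over the transaction it received. The class and function names, the shared key and the account numbers are constructed for the example. If browser malware rewrites the beneficiary in transit, the two codes no longer match and the server rejects the transfer; a code captured from a successful transfer cannot be replayed because the challenge is single-use.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key shared between the customer's trusted device and the
# bank. A real deployment provisions a per-customer key; never use a fixed one.
DEMO_DEVICE_KEY = b"constructed-demo-key-not-for-production"


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so the device and the bank MAC exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def confirmation_code(key: bytes, challenge: bytes, tx: dict, digits: int = 8) -> str:
    """Short code bound to both the bank's one-time challenge and the transaction contents.

    The trusted device computes this over the details the customer confirms on
    its own screen; the bank recomputes it over the details it actually received.
    """
    mac = hmac.new(key, challenge + b"|" + canonical(tx), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


class Bank:
    """Server side: issues single-use challenges and verifies submitted transfers."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys  # customer -> key held by their trusted device
        self.pending = {}               # challenge -> customer, consumed on first use

    def start_transfer(self, customer: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending[challenge] = customer
        return challenge

    def submit(self, customer: str, challenge: bytes, tx: dict, code: str) -> bool:
        # A challenge is valid once only, so a captured code cannot be replayed.
        if self.pending.pop(challenge, None) != customer:
            return False
        expected = confirmation_code(self.device_keys[customer], challenge, tx)
        return hmac.compare_digest(expected, code)


# Constructed sample transactions: what the customer intends, and the same
# transfer with the beneficiary swapped for a mule account by browser malware.
INTENDED = {"to": "GB00TEST00000000000001", "amount": "250.00", "currency": "GBP"}
MULE = dict(INTENDED, to="GB00TEST00000000000099")


def honest_transfer() -> bool:
    """Clean endpoint: the bank receives exactly what the customer confirmed."""
    bank = Bank({"alice": DEMO_DEVICE_KEY})
    challenge = bank.start_transfer("alice")
    code = confirmation_code(DEMO_DEVICE_KEY, challenge, INTENDED)  # on the trusted device
    return bank.submit("alice", challenge, INTENDED, code)


def mitb_tampered_transfer() -> bool:
    """Man-in-the-browser: malware rewrites the beneficiary after the customer confirms."""
    bank = Bank({"alice": DEMO_DEVICE_KEY})
    challenge = bank.start_transfer("alice")
    code = confirmation_code(DEMO_DEVICE_KEY, challenge, INTENDED)  # customer saw INTENDED
    return bank.submit("alice", challenge, MULE, code)               # bank receives MULE


def replayed_code() -> bool:
    """A code captured from a successful transfer is submitted a second time."""
    bank = Bank({"alice": DEMO_DEVICE_KEY})
    challenge = bank.start_transfer("alice")
    code = confirmation_code(DEMO_DEVICE_KEY, challenge, INTENDED)
    first = bank.submit("alice", challenge, INTENDED, code)
    second = bank.submit("alice", challenge, INTENDED, code)
    return first and second


if __name__ == "__main__":
    print("honest transfer accepted:", honest_transfer())       # True
    print("tampered transfer accepted:", mitb_tampered_transfer())  # False
    print("replayed code accepted:", replayed_code())            # False
```

The point of the example is that the protection lives in the transaction, not in the endpoint: the infected browser can still run, log keystrokes and alter form fields, but it cannot produce a valid code for a transaction the customer never saw. Two caveats a practitioner would add: the control only protects the integrity of the transaction contents, not the confidentiality of anything else typed on the compromised machine, and it depends on the second device remaining uncompromised and on the customer actually reading the details shown there before approving.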
While it is almost impossible to stop every cyber threat, it is entirely possible to neutralise malware's effectiveness within any individual transaction. For too long, organisations, financial and otherwise, have taken a piecemeal approach to cyber security, deploying disparate technologies that each focus on one component of the transaction: the endpoint, the web application, the network, and so on. The result is a set of silos with no visibility of the whole, and the ever-increasing fraud losses banks endure are clear evidence that this has not worked. It is time for a new approach, one that abandons those futile endeavours and eliminates fraud by protecting the transactions themselves.