Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

CYBER-ATTACKS ARE ON THE RISE FOR FINANCIAL SERVICES: WHY A CULTURE OF SHARING HAS NEVER BEEN MORE IMPORTANT

By Hamish Karamsadkar, digital trust and cyber security expert at PA Consulting Group

People around the world were shocked as the WannaCry and “#NotPetya” ransomware viruses exposed and exploited IT weaknesses in leading companies around the world, including the Bank of China, FedEx, DLA Piper and the UK’s National Health Service. But with cybercrime in financial services (FS) reaching staggering levels and the costs to the global economy reportedly averaging £266 billion a year for the last three years, should we really be that surprised? While everyone looks inwardly in the event of a breach, we have to learn that to deal with the combination of the increasingly sophisticated attackers and the relentless advance of technology we need to share more readily.

 Emerging technologies bring new risks

An ever-more connected customer base means more focus on digitising products, services, and transactions. So FS firms are increasingly dependent on the internet and emerging technologies which increase risk in a digitally perimeter-less environment.

With each new technology on the radar, a complementary vulnerability exists. For example:

  • Botnet attacks: The dark side of the ‘Internet-of-Things’, this relates to digital devices that are connected to the internet and that have been breached to commit fraud or attack network servers (in 2015, two ethical researchers were able to wirelessly take control of a Jeep Grand Cherokee, resulting in a recall of 1.4 million vehicles!). For financial institutions, botnet attacks have contributed to the loss of £millions and are considered the most prevalent attack method for financial businesses globally.
  • Cloud computing and data storage: As the world’s data moves to the cloud we expect to see increasingly sophisticated attacks on cloud infrastructures, shifting from device to cloud-based botnets, exploiting vulnerabilities in cloud servers. A 2015 Cloud Security report found ‘brute force’ attacks on cloud environments climbed from 30% to 44% of customers, and vulnerability scans increased from 27% to 44% in that year. Brute force attacks typically involve a large number of attempts testing multiple common credential failings to find a way in, while vulnerability scans are automated attempts to find a security weakness in applications, services or protocol implementations that can be exploited. These types of incidents have been far more likely to target on-premises environments in the past, but are now occurring at near-equivalent rates in both environments.
  • Payments technology: As companies and consumers adopt new mobile payments technologies, such as Apple Pay and Google Wallet, cyber criminals are intensifying their efforts. In 2015, Google Wallet user credentials were stolen after the service fell prey to an Android ‘Fake ID‘ exploit – related fraud cases in the US have since been running into the $millions. Inevitably, FS institutions will need to quickly understand the threats that new mobile payments technologies pose to established business models.

Over and above new threats on the horizon, the FS industry has existing concerns which make cyber-security doubly challenging, including extensive compliance regulations, the struggle to secure customer data, and supplier risk.

 So how should firms respond?

Too many institutions rely on general IT-risk management processes in the hope they’ll be enough in the event of a major cyber-attack. But FS firms need to protect themselves by analysing data and looking for trends to pre-empt potential attackers.

A US- study highlighted that a mass spear-phishing email campaign in 2013 demonstrated that many institutions lacked the right vision and strategy to defend against evolving and persistent threats. Criminals stole almost $1billion from 100 banks in 30 countries. The malware used wasn’t detected by affected businesses for almost 300 days after the attack. In short, long-term protection which should focus on improving incidence response or enhancing cultural security behaviours is sacrificed in favour of real-time threat detection.

Firms need to remember that technology alone cannot secure your department from a crippling cyber-attack. User education needs to be integrated with robust technology into a business-wide programme for cyber security.

Assume anything is possible

The best way businesses can improve their cyber resilience is to embrace a risk-based approach to managing cyber security.A risk-based approach starts with the assumption that an unauthorised user already has the capability to gain access to a system. With this in mind, a risk-based approach undertakes a process of threat modeling where security experts look at the entire IT environment and documents threats (existing or emerging) and their potential impact on a businesses’ security posture. Ultimately, a risk-based approach needs to form part of an overall risk management strategy and should involve:

  • breaking down silos between technical IT areas and the wider business
  • focusing on educating staff (regardless of seniority or accountability) about cyber security in a way that demystifies complex topics
  • identifying where the business is most vulnerable to attack and where most critical information and system capabilities are, and
  •         assessing how effective incident response processes are, identifying and remediating any gaps.

Stand together

Given the sophistication, complexity, and evolution of the techniques and technologies used by attackers, even a sizeable organisation with ample information security resources may find it difficult to plan and implement an adequate response by itself.

As cyber threats evolve, FS institutions will need to share knowledge, particularly as compliance and regulation becomes increasingly normalised. Internally, organisations can significantly strengthen their ability to protect their business as well as their customers by sharing and pooling data on attack methods, loss prevention, and information security.