Cybersecurity in financial services

By Javvad Malik, Security Awareness Advocate at KnowBe4

Unsurprisingly, given the immense scale of valuable information and money dealt with daily, financial services typically rank as one of the most targeted industries for cyberattacks, next to healthcare and public administration. Indeed, according to the Boston Consulting Group, financial service firms are hit with cyberattacks 300 times more than companies from any other industry. These threats show no sign of slowing down either. Rather, as the world of finance migrates online and evolves, with trends suggesting an increase in the implementation of FinTech business models and the digital wallet, organisations will inevitably experience greater pressure to combat an ever-changing and ever-growing stream of cyberthreats. Amidst these developments we are forced to ask: are financial organisations prepared?

The transformation trajectory of the financial industry

The rise of FinTech ‘disruptors’, or innovative start-ups such as Monzo and Revolut, has fuelled the adoption of various technologies by traditional banks, which are shifting strategies in an attempt to keep up. Among other trends, traditional banks are having to progressively outsource certain activities to minimise operational complexity. This is particularly necessary as consumers are demanding banking in real time, whereby they can track their financial activity and move money instantly.


This means, for example, embracing cloud-based software-as-a-service and infrastructure-as-a-service (SaaS and IaaS) applications to administer operations such as Customer Relationship Management or Human Resources. Not only does the cloud allow banks to manage and store sizeable datasets more effectively, but it also provides a more comprehensive analysis of the data amassed, while keeping costs to a minimum. More recently, as revealed in the PwC ‘Financial Services Technology 2020 and Beyond: Embracing Disruption’ report, banks are not solely employing private clouds, but expanding the use of SaaS and IaaS to cover core services on public clouds offered by tech giants such as Amazon, Microsoft and Google. In other words, they are using the public cloud to process deposits, loans and credit scoring. In fact, the International Data Corporation has even predicted that public cloud spending will grow from $229 billion in 2019 to nearly $500 billion in 2023.

With greater use of cloud computing, we have also witnessed a shift towards digitalisation and, alongside that, AI and machine learning. Both have been fundamental in conducting a more accurate and objective credit assessment of prospective borrowers, as well as of the risks posed by customer behaviour when deciding on insurance premiums. They have also revolutionised fraud detection and advanced stock performance predictions. On top of that, AI has been pivotal in improving customer experience, with chatbots helping individuals find solutions to their problems, and voice-controlled assistants helping to check account balances or send reminders about upcoming bills. In the future, as machine learning creates smarter robots, it is unlikely that any such function will remain contingent upon human input or oversight. Rather, a significant proportion of the services offered by banks, insurance companies or investment firms could soon become fully automated.

Another trend that will likely have an unprecedented impact on the financial industry is the advent of blockchain. Blockchain is a much cheaper means of performing automated contractual agreements, financial transactions and the like, as it eliminates the need for numerous intermediaries to confirm authenticity, each of whom would otherwise charge a fee in the process. Moreover, it provides transparency and traceability, enabling processes to run faster and more smoothly in industries such as insurance and trade as well as banking.

Finally, we have the Internet of Things (IoT), whereby devices are interconnected and their data made accessible via the internet. Just observing commuters buzzing in and out of underground barriers in central London, we see fitness trackers, watches and mobile phones used to make payments. Only last year, Tesla announced that it would be using data gathered from its cars to formulate tailored car insurance plans. These are just a couple of the ways in which the financial industry is leveraging this new phenomenon. As we progress through 2020 and beyond, there is no doubt that this will only continue to expand. As a matter of fact, Verizon’s launch of its 5G network in April 2019, which set into motion an aggressive race among telecom companies around the world for market share in this domain, will undeniably result in the unparalleled growth of the IoT sphere. According to IHS Inc., it is estimated that by 2025 there will be over 75 billion connected IoT devices. Above all else, the vast quantity of data that can be harvested from billions of these devices will further help institutions to personalise their services and build better relationships with each individual customer. Yet where do we draw the line between customer convenience and security?

The double-edged sword

Unfortunately, while these new technologies are transforming financial institutions for the better, they also expose the same institutions to potentially detrimental risks. For instance, as banks begin to entrust third-party service providers with core functions, the probability of an insider threat occurring escalates. The data breach at Nedbank detected in February 2020 is a clear demonstration of what could go wrong, even when dealing only with customer-facing functions. In this instance, the South African bank’s third-party marketing contractor had a vulnerability in its network, which ultimately compromised the details of 1.7 million of the bank’s clients, including names and addresses.

AI and machine learning, on the other hand, bring their own set of problems. Among them are data poisoning attacks, in which malicious actors inject fraudulent training data into a model, leading to inaccurate assessments. This method could easily be used to cause havoc. For example, AI might be applied to gauge public sentiment towards a publicly listed firm by analysing the news or online discussions. However, bad actors can easily introduce falsified data that could be damaging to the company’s performance in the financial markets. In another case, AI used to compile a set of stocks for investment funds or a trade portfolio might be adversely manipulated and result in a considerable loss of money. This is particularly true if we do indeed enter a world of complete automation, with no human oversight to identify abnormal activity. While these scenarios may seem to come straight out of a dystopian science fiction novel, we have already seen similar stories take place as cybercriminals endeavour to inspire financial panic. Purely through a rumour spread on WhatsApp, suggesting that MetroBank might be “shut down or going bankrupt”, hordes of people began scrambling to withdraw money and valuables from their accounts. Imagine the reaction that would ensue if fake news was generated from what could be deemed a more ‘reliable’ source.

Blockchain too has its drawbacks. These are notably prompted by its use of smart contracts, or self-executing code that does not require manual intervention to complete financial transactions. These contracts depend on third-party information sources that feed data into the network, also known as “oracles”. It is through these oracles that organisations may face an important cyberthreat, as it is here that corrupt data might infiltrate the blockchain and lead the whole network down a rabbit hole of issues.

Finally, we have the most exploited avenues, which arguably come in two forms: a poorly secured device and a poorly educated employee. While companies may apply rigorous safety measures to a number of devices, the vast quantity of existing devices means that others unavoidably fall through the cracks. In fact, 71% of Chief Information Officers are regularly blindsided by unknown devices. What is more, the familiar use of phishing, smishing and other social engineering tactics remains prevalent, if not ramped up, towards both employees and clients. This is all the more true in the banking sector, where efforts to “go green” have meant going paperless. With that follows a greater dependence on emails and texts to communicate with clients, and more opportunities for bad actors to exploit. As we saw in 2018, the cybercriminal group London Blue specifically targeted 50,000 finance executives with BEC scams. In another investigation, more than 1900 potential bank phishing sites were registered in the first half of 2019, a rise of 14% compared to the preceding year.

Cyber readiness and resolutions

Despite the expansion of cyberthreats, both in quantity and in form, the Hiscox 2019 Cyber Readiness Report revealed that as many as 74% of organisations are failing to meet the expertise and best practice standards necessary to overcome cyberthreats. This can largely be attributed to a lack of awareness, of the threat itself as well as of how to manage it. At the crux of any strategy, therefore, is the requirement for financial organisations to remain vigilant and informed about imminent threats, whether by liaising with their software and hardware manufacturers, building a network with other businesses to share insights and experiences, or staying on the lookout for research papers or relevant news from reputable sources.

It also means training employees to report to the company’s security experts any devices they use as part of their work, and to identify and handle phishing emails.

Lastly, more provisions should be put in place to advise clients on how to recognise an authentic communication or request coming from the institution, and when it is a fake. When we improve awareness, we will have won half the battle.
