By Aare Reintam, COO, CybExer Technologies
Cybersecurity threats are nothing new; however, the pace at which they are gathering momentum is increasingly concerning, particularly for those in the financial sector, who continue to find themselves the main target of cyber attacks.
The financial and banking sectors have proved to be one of the most lucrative hunting grounds for cyber criminals, as they not only provide direct access to the ebb and flow of the world’s finances but also to reams of customer data, which, if sold on the dark web to those invested in identity theft, provides a highly lucrative financial return.
The financial and banking sector is a lifeline for economies and vital to people’s daily activities. For banks, failing services put much more than their reputation at stake. Being able to make and receive payments is critical to the functioning of any economy and society, and the protection of data is a question of integrity.
In 2020 a report from UK Finance stated that unauthorised financial fraud losses across payment cards, remote banking and cheques in the country totalled £783.8 million in 2020. Deloitte reported that Europe’s banking capital, Switzerland, suffered an increase in cyber attacks from a norm of 100-150 to a massive 350 in April alone. The pandemic served as a huge catalyst for cyber crime in the already vulnerable financial services sector, with many financial institutions needing to move away from face-to-face service to a majority digital offering, courtesy of Covid’s impact on how customers now interact with their banks. In their attempt to digitise their offering and move with the times, many banks found themselves partnering with FinTechs and third-party app developers, thereby creating an extensive ecosystem consisting of multiple players.
However, multiple players bring the need for integration of multiple vendor systems too – not all of which are cohesive or particularly secure from the outset. While it is critical for many of the banks to move with the times and digitise themselves, these partnerships and the resulting supply chains have in many ways created a rod for the banks’ backs. The supply chains are typically vulnerable and therefore susceptible to attack, creating huge opportunities for cyber criminals to access a treasure trove of customer data and monetary assets.
The criminals seem to have also realised the existence of this loophole, understanding that the host of vulnerabilities in these financial sector supply chains provides a better target than even the banks themselves. By intercepting the data in the supply chain, say with malware, hackers are able to access the inner sanctum of the banks through these third-party apps with ease. Once inside the bank’s environment, the malware is triggered and is then able to run riot.
One would think that this exponential rise in cyberattacks would put many banks on high alert and encourage them not only to assess their full supply chain and the risks it carries but also to implement strategies to mitigate any cybersecurity threats. However, this has not been the case, as many banks face the realisation that this entails significant time and resource and the implementation of an expensive, experienced team fully dedicated to the cause.
Additionally, difficulties exist with being able to accurately pinpoint what form those cybersecurity threats will take. Agile and adept, the nature of the attack changes constantly, making it extremely difficult for the financial sector to put exact measures in place; such measures risk being redundant within weeks with the emergence of new creative cyber attacks.
As these attacks increase in their sophistication, there is no doubt a sense of inevitability is being felt by the banks and financial institutions, who recognise that at some point they are bound to become a target for these cyberattacks. However, it’s not all doom and gloom: measures are readily available today that can ensure some level of damage limitation. Primarily, this takes the form of education and awareness across the entire organisation, from the CEO to IT and every department in between. We have entered an era where cyber security strategy must become part of the business models of every responsible business and organisation globally.
Many banks are now engaging their staff in interactive simulation environments that educate participants on how to spot a potential threat and how best to deal with and manage it in order to ensure business continuity. With human error being the main point of origination for many security vulnerabilities, the reality is that every person within an organisation carries some level of responsibility, so training courses are not only geared towards an organisation’s IT department or cyber security team, but typically towards all current and new employees. Such training offers broad-based educational and awareness programmes in a safe environment where staff can be trained and assessed on their ability to mitigate any incoming threat.
The organisation’s infrastructure as a whole can also be assessed by analysing its technical and organisational capabilities, with a view to developing it so it becomes the first line of defence against any attack. Typically this involves security testing and research. For example, in security testing, different tools and solutions can be safely targeted with attacks to assess their security and identify vulnerabilities before their actual use in an operational environment. With security research, continuous efforts to analyse exploits and vulnerabilities can also be conducted.
If the banking and financial sectors can continue to move in the direction of investing not only in digitisation but also in cyber security awareness and education, they stand to form a fully equipped and cyber literate army that may form the best solution to combating a problem that currently shows little sign of disappearing.
Cyber security strategy should be an integral part of our roadmap for digitalisation – it helps organisations to take a systematic approach to protecting digital services. It’s essential that organisations are holistic about cyber security, taking into account the core business and the ecosystem around it.
Cyber security strategy is a process, not simply an analysis or a project, and management has to deal with it in the same way that it deals with other business processes. In banking, there needs to be proper leadership and a guarantee that personnel have the necessary level of education, right down to the last employee. This is non-negotiable for banks and financial service organisations that want better protection and prevention when it comes to cyber.