By Robert Wood, Technical Manager, Cigital
The need for strong security in the banking industry is not a new concept; the threats and methods utilised to exploit and steal from the industry, however, are constantly evolving. Consequently, security controls need to adapt to the targeted yet holistic nature of these new attacks. However, determining the correct path for that adaptation requires significant effort. Red teaming is the process of modeling an adversary: determining how they think, what they see, and how they will attack your critical assets using any techniques and attack surface accessible to them. Operationally, this may mean that a red team leverages vulnerabilities across many domains (such as web application security, network security, social engineering, process manipulation, or physical security) into a single composite attack, driven by the set of objectives they are working to achieve. This process can be applied in a security assessment or strategic planning capacity to help improve the intelligence, awareness, and effectiveness of a security initiative.
3 advantages to red teaming
From a security assessment perspective, red teaming processes can be used to gauge the effectiveness of an organisation’s security posture in a production environment. The key advantages of using a true red team are:
- Utilising the entirety of the organisation to identify vulnerabilities and subsequent composite attacks, rather than operating in a vacuum. This emphasises the importance that systems, software, people, and processes are able to prevent vulnerabilities in the first place, identifying areas for improvement along the way.
- Operating in a covert manner relative to operations and engineering teams. The ability for those teams and any automated infrastructure to detect and alert on red teaming activities is critical to detecting real world attacks.
- Coercing incident response teams into reacting to their efforts, highlighting any process weaknesses or bottlenecks along the way. The ability for an organisation to swiftly and successfully react to an attack is a critical step in minimising the impact.
Contrary to the traditional vulnerability scan or penetration test, which is a targeted effort on components that are considered important by the organisation, red teams operate with a different mindset. The red team attacks what an adversary considers important and relevant to achieving the established objectives. However, red teaming is not meant to replace targeted security assessments. Red teaming augments these assessments and provides a different set of results and attack intelligence back to the security initiative.
What does it mean to be red team secure?
Being red team secure means that an organisation can withstand the simulated attack efforts of a red team as they model different types of adversaries, such as insider threats, criminal organisations, and coordinated hacker groups. The prevention, detection, and response capabilities of any security organisation are paramount to its overall success in protecting critical assets. It also ensures that these capabilities extend to the entire organisation and not just select pieces. This is critical given the interconnected nature of a modern financial services organisation.
Over time, things naturally change within an organisation to facilitate job efficiency. This may cause a significant shift away from an original design or intention. This shift from a known, understood state frequently introduces new connections, storage locations, communication channels, and configurations. This creates attack surfaces that are completely unknown to a security team and, therefore, never reviewed. As a result, these new changes may introduce new vulnerabilities in addition to not being considered in a standardised risk management review.
Adversaries are opportunistic and do not restrict themselves to specific attack vectors or pieces of attack surface based on risk management policies or organisational structure. Adversaries look at organisations in a holistic manner, driven by the assets they’re targeting; therefore they will identify vulnerabilities across many different aspects of an organisation and how those vulnerabilities fit together into composite attacks. This composite attack approach can be used to assign more specific risk measurements to a class or set of vulnerabilities, depending on how it can be leveraged to compromise critical assets.
The bottom line
Security leadership in the banking industry should start by understanding the adversaries they need to defend against, including their capabilities and motives. An effective definition should include qualitative analysis and quantitative measurements regarding attack skills, time to dedicate, number of resources available, etc. Once these adversaries are understood, they can be effectively modeled through red teaming processes to stress test the security posture of an organisation. Without a sound understanding of relevant adversaries, organisations cannot answer the “secure against what/whom?” question and can only perform very general red teaming activities, degrading the potential benefit.
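The adversary definition described above (skill, time to dedicate, resources available) can be turned into a scoping model for a red team exercise. The following is an added illustration, not code from the article or from Cigital: it checks which composite attack paths (sequences of steps across web, phishing, network and physical surfaces) a given adversary profile could realistically execute, and flags surfaces on those paths that no risk review has covered. All adversary profiles, paths and numbers are constructed sample data.

```python
from dataclasses import dataclass

# Constructed model (not from the article): an adversary profile along the
# quantitative dimensions the article names: skill, time and resources.
@dataclass(frozen=True)
class Adversary:
    name: str
    skill: int        # 1 = opportunistic, 5 = highly capable
    days: int         # time the adversary can dedicate to one campaign
    budget: int       # resources available, in arbitrary units

# One step of a composite attack, tagged with the attack surface it touches.
@dataclass(frozen=True)
class Step:
    surface: str      # e.g. "web app", "phishing", "physical", "internal network"
    min_skill: int    # minimum skill needed to carry out this step
    days: int         # effort for this step
    cost: int         # resources consumed by this step

@dataclass(frozen=True)
class AttackPath:
    asset: str        # the critical asset the path ends at
    steps: tuple      # steps are sequential, so time and cost add up

def feasible(adv, path):
    """True if the adversary can execute every step of the path within its limits."""
    if any(s.min_skill > adv.skill for s in path.steps):
        return False
    return (sum(s.days for s in path.steps) <= adv.days
            and sum(s.cost for s in path.steps) <= adv.budget)

def scope(adversaries, paths, reviewed_surfaces):
    """Per adversary: the paths it can realistically take, and the surfaces on
    those paths that the organisation's risk review has never covered."""
    report = {}
    for adv in adversaries:
        reachable = [p for p in paths if feasible(adv, p)]
        touched = {s.surface for p in reachable for s in p.steps}
        report[adv.name] = (reachable, touched - set(reviewed_surfaces))
    return report

# Constructed sample data: two adversary classes, three composite paths.
ADVERSARIES = [Adversary("opportunist", skill=2, days=3, budget=1),
               Adversary("criminal group", skill=4, days=30, budget=20)]
PATHS = [
    AttackPath("customer PII", (Step("web app", 2, 2, 0), Step("internal network", 3, 5, 2))),
    AttackPath("payment system", (Step("phishing", 2, 3, 1), Step("internal network", 3, 5, 2),
                                  Step("physical", 4, 2, 10))),
    AttackPath("public site defacement", (Step("web app", 1, 1, 0),)),
]
REVIEWED = {"web app", "internal network"}   # surfaces already in the risk review

if __name__ == "__main__":
    for name, (reach, gaps) in scope(ADVERSARIES, PATHS, REVIEWED).items():
        print(name, [p.asset for p in reach], sorted(gaps))
```

The unreviewed surfaces reported for each adversary class are the places where a red team exercise against that class would most likely surface unknown attack surface and untested detection.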
In summary, the industry as a whole is responsible for protecting a very sensitive collective set of assets. That value and sensitivity has historically attracted, and will continue to attract, malicious actors who will attempt to access or steal those assets. Red teaming is a proactive measure to identify the methods and paths that an adversary may take to compromise a set of assets, instead of simply identifying more vulnerabilities.
A quarter of banking customers noted an improvement in customer service over lockdown, research shows
SAS research reveals that banks offered an improved customer experience during lockdown
This represents some good news for banks in an extremely challenging time, with 59% of customers also saying they’d pay more to buy or use products and services from any company that provided them with a good customer experience over lockdown.
The improvement in customer experience also coincides with a rise in the number of digital customers. Since the pandemic started, the number of banking customers using a digital service or app has grown by 11%, adding to an existing 58% who were already digital customers. Over half (53%) of new users plan to continue using these digital services permanently moving forward.
Brian Holden, Director, Financial Services at SAS UK & Ireland, said:
“It’s notable that in times of need customers value being able to communicate with their bank and place an even higher value on good customer service. A rise in the number of digital customers means banks can now reach a wider audience online, leveraging AI and analytics to offer a more personalised experience.
“There is work to be done, though. Even greater personalisation is needed if banks are to win over the 12% of customers who felt banking services deteriorated over lockdown. And this personalisation will need to get right down to a segment of one to properly reflect the unique circumstances some individuals now find themselves in due to the pandemic.”
While the number of digital users grew over lockdown, there is still a quarter (24%) of the banking customer base that have chosen not to make the switch to digital services.
Meanwhile, failure to offer a consistently satisfactory customer experience could prove costly for banks, with a third (33%) of customers claiming that they would ditch a company after just one poor experience. This number jumps to 90% for between one and five poor examples of customer service, so this just underlines how much retail banks can win or lose in these difficult times.
For more insight into how other industries across EMEA performed during lockdown, download the full report: Experience 2030: Has COVID-19 created a new kind of customer?
Swedish Bank Stress Tests in Line with Recent Rating Actions
The Swedish Financial Supervisory Authority’s (FSA) latest stress test results show major Swedish banks’ robust ability to absorb credit losses. The results support Fitch Ratings’ view that short-term risks have abated in recent months, and are in line with Fitch’s assessment of major Swedish banks’ capitalisation at ‘aa-’, which was a factor when Fitch removed the ratings of Handelsbanken, Nordea (not covered by the FSA’s stress test) and SEB from Rating Watch Negative in September.
The FSA estimated about SEK130 billion of credit losses over 2020-2022 for the three largest banks (Swedbank, Handelsbanken and SEB) under its stress test. This represents about 220bp of their loans, or about 70bp annually. However, the banks’ pre-impairment profitability in the stress test could absorb credit losses of up to about 110bp of loans annually. Fitch’s baseline expectation is for credit losses below 20bp of loans in 2020 and 8bp-12bp in 2021.
Capital remained strong under the stress test. The average common equity Tier 1 (CET1) ratio fell by only 2.8pp (1.9pp if banks did not pay dividends) from 17.6% at end-June 2020. The capital decline was not driven by credit losses, which could be absorbed by pre-impairment profitability, but by risk-weighted asset inflation.
The three banks’ 3Q20 results showed that capital has been resilient despite the coronavirus crisis. The banks had a CET1 capital surplus over regulatory minimums, including buffers, of almost SEK100 billion (excluding about SEK33 billion earmarked for dividends). SEB had a CET1 ratio of 19.4% at end-September, Handelsbanken’s was 17.8% and Swedbank’s 16.8%.
The SEK130 billion credit losses under the latest stress test are lower than under the FSA’s spring 2020 stress test (SEK145 billion), which also covered a shorter period of two years. However, they are still larger than the actual losses incurred by the three banks during the 2008-2010 crisis. This is despite tightened underwriting standards by the three banks in recent years, including, in the case of SEB and Swedbank, in the Baltics, the source of most of their loan impairment charges in the previous crisis.
In its baseline economic forecasts, the FSA assumes a harsher shock to Sweden’s GDP in 2020 and 2021 (-6.9% and 1%, respectively) than Fitch’s baseline (-4% and 3.4%), although it assumes a similar recovery by end-2022. It also assumes real estate price corrections, which appears particularly conservative in light of an 11% housing property price increase over January to November 2020.
The ratings of Handelsbanken (AA), Nordea (AA-) and SEB (AA-) are on Negative Outlook due to medium-term risks to our baseline scenario. The rating of Swedbank (A+) is on Stable Outlook, reflecting significant headroom at the current rating level following a one-notch downgrade in April due to shortcomings in anti-money laundering risk controls.
Future success for banks will be driven by balancing physical and digital services
Digital acceleration due to COVID-19 has not eliminated the need for bank branches
Faster service (23%), smaller queues (26%) and longer opening hours (31%) are among customers’ biggest asks of their bank branch, new research from Diebold Nixdorf today reveals. But with 41% of consumers saying they would be comfortable engaging with all banking services via an app, it is vital that banks respond to the full spectrum of customer needs, balancing and evolving their offerings on multiple fronts.
A third (35%) of customers say they will always want access to physical, in-branch banking services in some capacity and one in ten (10%) consumers will never bank predominantly online in the future. This demonstrates that there remains an important role for the services a branch provides. This role, however, continues to shift away from purely transactional banking:
- A quarter (26%) value face-to-face advice when it comes to their banking needs
- One in five (18%) seek advice on different products
- 17% want to speak to the staff or other customers.
Matt Phillips, Diebold Nixdorf vice president, head of financial services UK & Ireland, said: “The majority of banks have spent the last decade focusing on their digital strategies and investing in improving – or establishing – their online customer experience. However, the data shows that there is still an essential role for physical branches. Banks now increasingly face the challenge of continuing to provide customers with access to a range of physical as well as digital services, giving them the flexibility to choose the best service for them at any given moment in time.”
When looking beyond the impact of COVID-19, planned branch visits by customers are expected to rebound to 28%, following a dip to 11% during lockdown. And when asked about the new services they’d like to see inside their bank, sixteen percent of respondents said more self-service machines would improve their in-branch experience.
Matt Phillips continues: “In a world that is fast evolving and where the future is digital, there’s no doubt that high street banks must, and are, responding to the needs of highly digital customers. But not every customer requirement is digital. There is still a strong need for physical bank branches and the interaction and services they offer, and striking this balance between physical and digital is where the industry must come together to provide solutions. For example, building a strong, leave-behind strategy is something we’re seeing across the board when banks have to close branches, ensuring customers have access to self-service machines to complete all their transactional needs.”