Robert Rutherford, CEO of the business and technical consultancy QuoStar
Tesco Bank was the most recent victim of a large-scale cyber attack in the UK, with £2.5m drained from customer accounts. Although no personal data was compromised in this instance, the Financial Conduct Authority (FCA) has expressed concern over the cybersecurity of banks across the country. On this occasion, Tesco Bank was able to refund all of the money stolen, but the incident should serve as a warning to all banks to raise their IT security levels. Cyber criminals are changing their methods, and even the biggest companies are becoming easier to target. These attackers are patient and precise, spending months researching a business to understand where its weaknesses lie.
Cybersecurity is essential to the financial services industry, and attacks like these demonstrate that firms must start to take the subject seriously, as the list of victims keeps on growing. According to the FCA, five cyber-attacks were reported in 2014, compared with 75 in just the first 10 months of 2016.
Cyber criminals are implementing smarter strategies to outsmart IT systems and security controls. Basic security measures are no longer keeping banks safe, so it is important that firms find new and efficient ways to protect themselves from potential data breaches.
Why banks are such easy targets
Cyber criminals want the reward of reputation and money, and they know exactly where to find it. In fact, three quarters of all data breaches have been found to be money-motivated, according to a 2016 Verizon study.
Outdated technology creates holes in the system that allow cyber criminals to access a firm’s network. However, it appears that spending money on IT solutions isn’t considered a worthwhile investment, or even of much importance, by many companies. Tesco Bank received several warnings about its IT systems prior to the cyber attack but ignored them. Before the attack occurred, hackers were seen in live chat rooms referring to Tesco Bank as a “money machine” because of its lax IT security.
How staff can help stop cyber attacks
The biggest threat to cybersecurity used to come mostly from external sources, back in the ‘hacking for fun’ days of the past two decades. However, the focus has shifted in recent years, with the target now being the end user of an IT system, such as an employee or customer. A large percentage of attacks come through social engineering, where a cyber criminal manipulates a member of staff in order to gain access to a firm’s network. For example, a cyber criminal could call a firm pretending to be its IT technician and ultimately persuade a member of staff to hand over network details. Whatever the method used, staff should be aware that these attacks exist and know how to spot the tell-tale signs.
Senior management must take responsibility when data breaches happen and should, at all times, alert employees to any risks or threats to the business. It’s important that staff understand the importance of cybersecurity to their business, in addition to the role they play in stopping, reporting and preventing data breaches. A well-tested way to keep employees aware of risks and prevention methods is seminar-based training, in which someone in a senior position or from the IT team explains cybersecurity to employees and why it’s important to take it seriously.
The methods banks could use to improve cybersecurity
Ensuring that IT systems are kept up to date at all times with the latest software is crucial for any firm, but it becomes even more important for financial services firms holding enormous amounts of data. It is still commonplace for banks to rely on password-only protection for their systems, which is unacceptable given today’s required IT security levels. This practice is dangerous for both banks and their customers, and leaves them highly vulnerable to cyber-attacks.
The ISO 27001 standard can help greatly when it comes to IT security, as it enables financial institutions to identify the risks to their operations and then assign controls to prevent them, or to minimise the likelihood of their occurring. It’s a living standard that drives continuous improvement of a firm’s cyber defences.
Whilst technology is usually the final piece of the cybersecurity puzzle, banks must look to update the legacy systems leaving their firms at risk, and train their staff on how to stop, block and report any suspicious activity. With their reputation, funds and data at risk, it has never been more important for banks to become fully cyber secure.