Cyber crime and FS: blocking the path of least resistance
June 2020 | COVER STORY | BANKING & FINANCE
Financier Worldwide Magazine
Virtually every company – from small-scale enterprise to multinational – is a potential victim of cyber crime. The financial services (FS) sector in particular is an obvious target, given the sensitive data and the trillions of dollars routinely handled by financial institutions (FIs).
According to Boston Consulting Group’s ‘Global Wealth 2019: Reigniting Radical Growth’ report, FS firms are 300 times more likely than other companies to be targeted by a cyber attack. Furthermore, a 2020 Accenture report – ‘Securing the Digital Economy: Reinventing the Internet for Trust’ – forecasts that nearly $350bn could be lost by the FS sector to cyber crime over the next five years. When mapped across 16 additional sectors over the same period, the economic value at risk globally is $5.2 trillion (a figure likely to escalate in the wake of the coronavirus (COVID-19) outbreak).
“FIs are among the most high-value targets for cyber attackers,” says Ofer Israeli, chief executive of Illusive Networks. “Yet, despite the vast resources these institutions devote to cyber security, attackers do get in. Additionally, the challenge of finding and thwarting malicious insiders, often trusted employees and contractors, before real damage is done continues to be inherently difficult. Complex ecosystems, continuous business transformation and innovation, M&A activity, cloud adoption, rapidly evolving FinTech and a growing consumer-driven attack surface simply multiply the problem for FIs. The sum total of these activities increases the importance of early attack detection.”
Adding its weight to the cyber crime debate is 2019 research by Clearswift, which reveals that 70 percent of FS companies in the UK experienced a cyber security incident during the previous 12 months – a sobering statistic illustrating the serious threat that both data breaches and malicious attacks pose.
“Alarmingly, less than a quarter of our research respondents had an adequate level of budget allocated to cyber security, while almost three-quarters wanted to see an increase in their organisation’s cyber security spending,” relates Alyn Hockey, vice president of product management at Clearswift. “So, the cyber security threat is real and growing, yet FS firms are having to fight this threat with insufficient budgets and resources.”
Clearswift’s research also found that around half of the cyber attacks reported in the 12-month period originated from employees failing to follow security protocols. This threat was most evident among mid-sized financial companies, with 52 percent saying their biggest problem was employees not adhering to corporate data protection policies.
Additional causes of cyber security incidents include the introduction of malware and viruses via third-party devices, such as USBs and bring your own device (BYOD) products, file and image downloads, and employees sharing data with unintended recipients.
Numerous recent analyses shine further light on the extent of the cyber threat facing FS firms. Ponemon Institute research indicates that the FS sector is more effective in detecting and containing cyber attacks than actually preventing them. A survey by Ovum found that an estimated 40 percent of banks get 160,000 duplicate, irrelevant or erroneous cyber security alerts every day. A survey of 100 FS firms by Vanson Bourne found 70 percent have experienced a security incident in the last 12 months, mostly stemming from employees failing to follow security protocol or data protection policies. And according to Accenture, the average cost of cyber crime per FS firm is $18.5m, compared to $13m across all sectors.
Doing more to fight cyber crime is essential, as technological advances enable cyber attackers to improve their tactics and techniques faster than FS companies’ security teams can effectively respond. These methods grow more sophisticated each year.
“2020 is likely to be a turning point, where new technologies scale and come online, exacerbating cyber risk and affecting every business, government and individual,” believes Lutfey Siddiqi, visiting professor-in-practice at the London School of Economics and Political Science. “With these many evolving challenges, there is an opportunity for all public and private stakeholders to adopt better strategies and effectively collaborate at a global level.”
Attack vectors
Cyber crime, although pervasive and utilising a range of attack vectors, falls into common categories, each requiring companies to adopt differing cyber incident response strategies.
In Mr Hockey’s view, the multiple threats facing FS firms can be categorised into two distinct camps: to steal or to disrupt. “Stolen personal data may be used to compromise customers through their identities being stolen, which in turn can lead to their accounts being ransacked,” he says. “Disruption, perhaps due to political reasons, can impact the trading of an FS firm and could result in a loss of revenue. Both types of attacks carry similar consequences: reduced business and reduced customer confidence and the risks of heavy fines if personal data is compromised.”
According to a 2019 report from Accenture – ‘Unlocking the Value of Improved Cybersecurity Protection’ – the types of cyber attacks most commonly experienced by FS firms are, in descending order, malware, phishing and social engineering, web-based attacks, botnets, malicious code, denial of service, stolen devices, ransomware, and malicious insiders.
“The threat landscape is wide, varied and evolving,” observes Mr Hockey. “Malware, ransomware and phishing are all widely-deployed tactics, while social engineering techniques, and weaponised documents and websites, change all the time. Keeping up with what is going on is a major challenge for any FS firm. The proliferation of threats leads vendors to respond with specific solutions for individual threats, each of which needs implementing and integrating with existing technology. This can result in even more vulnerabilities to be managed.”
While reputation-damaging cyber theft of personally identifiable information (PII) and payment data routinely hits the headlines, according to Mr Israeli other issues concern senior management somewhat more. “FS executives are primarily worried about attacks that disrupt operations or release strategic information,” he explains. “For FIs, access and control risks such as overprivileged accounts or legacy credentials can create paths to crown jewel systems.”
Defensive measures
To afford themselves the fullest protection in the event of a cyber crime, FS firms need to devise a strategic plan that not only resists an initial cyber assault with a minimum of disruption and damage, but can also maintain resistance on an ongoing basis.
As opined by Deloitte in its ‘The state of cybersecurity at financial institutions’ analysis, “while it is important to have an adequate budget for cyber security, how a programme is organised and governed is equally, if not more impactful”. According to Deloitte, firms first need to know that accountability starts at the top and shared responsibilities make a difference, while recognising that multiple lines of defence should be maintained, and cyber risk exposure distributed.
Firms can then take a further step toward a comprehensive cyber security plan by implementing best practices, as outlined by Live Consulting. First, create a cyber security framework which accounts for every device, access point and person in the organisation. This creates roles and builds an IT infrastructure that is both secure and scalable. Second, employ end-to-end encryption, which is one of the strongest defences against cyber attacks and also reduces the amount of damage done. Third, involve all business units, since cyber security is an issue that everyone in the organisation needs to be aware of and vigilant about enforcing. Fourth, regularly update and monitor. It is necessary to continuously monitor network resources and software updates, with regular reporting helping to identify threats in real time, saving potentially billions in losses.
“Triage is critical,” suggests Mr Israeli. “Security teams are overloaded by false alarms, so quickly focusing on real attacks and deprioritising others is paramount. Companies need to put greater emphasis on the post-breach stages of the attack. The goal should be identifying and paralysing attackers early – preferably where they first establish a beachhead, before they can move from system to system gathering data and doing damage as they go.
“Most FIs have deployed multiple layers of security, including threat awareness and cyber risk management solutions, across their infrastructure,” he continues. “However, these security layers are typically siloed from each other. The missing component is visibility and protection across the network and all endpoints to identify gaps where other controls might not be as effective.”
Despite the best practice solutions available and the fact that cyber crime is omnipresent, the reality is that many FS firms remain ill-prepared to respond to an attack. “There are several things firms need to do,” says Mr Hockey. “Identify how the attack happened and work to contain the situation so that it does not continue. This may involve taking systems offline to perform a thorough investigation. Once the systems have been restored, it is then a question of reviewing not only how to secure the entity better through technology and process, but also to evaluate any lessons learnt over the period of the breach.”
Clearly, with cyber crime having a damaging effect on those that fall victim, defensive measures should not be cheap. According to Deloitte, FIs spend an average of 0.3 percent of revenue and 10 percent of their IT budget on cyber security, equivalent to around $2300 per employee. But this level of spending is largely inadequate, in the view of a recent spending forecast by the International Data Corporation (IDC).
Coping with compliance
With burgeoning cyber crime leading to a more stringent regulatory environment, FS firms are under increasing pressure to manage the cost and complexities involved in fulfilling their compliance obligations.
“It is true that there is more regulatory compliance than ever for firms to manage,” observes Mr Hockey. “There is more general regulation relating to data security, such as the General Data Protection Regulation (GDPR), as well as a range of sector-specific regulation to comply with. The penalty for non-compliance is huge, from massive fines to the long-term implications of being branded as an organisation that does not look after its customers’ data properly. This means that despite the cost and complexity, FS firms have to take regulatory compliance very seriously, or the consequences could be catastrophic.”
One example of the increasing pressure being exerted by regulators is the action taken by the Society for Worldwide Interbank Financial Telecommunication (SWIFT) after cyber hackers illegally transferred around $1bn from the Federal Reserve Bank of New York account of Bangladesh Bank in 2016. Designed to help protect FIs against cyber fraud, SWIFT’s customer security programme (CSP) includes a customer security controls framework (CSCF) which describes a set of security controls required to be implemented by companies on their SWIFT infrastructure.
In the experience of Mr Israeli, the biggest obstacle to better cyber threat detection is that compliance efforts often divert attention from threat detection functions. “These compliance requirements must be harmonised with a firm’s other security efforts aimed at reducing overall enterprise risk,” he says. “But this is easier said than done when regulatory obligations consume so much attention and security operations centre (SOC) teams continue to face staff shortages.
“Companies must look for a solution that protects SWIFT systems by effectively detecting, reporting and mitigating targeted attacks that pose a high risk of financial and strategic damage,” he continues. “Deception-based platforms do that while also addressing the broader range of cyber risk by stopping the lateral movement of attackers toward critical systems once they are inside the network, which can help firms meet SWIFT compliance standards.”
Deception-based platforms are also a useful defensive measure for FS companies, as they can detect, analyse and defend against zero-day and advanced cyber attacks, often in real time.
Staying safe
With the world reeling from the onslaught of COVID-19, cyber criminals will seek to take advantage of mass disruption and uncertainty. Consequently, it has never been more important for FS firms to construct effective frameworks, policies and processes to address a heightened cyber risk environment.
“Cyber criminals in 2020 are incredibly professional, organised and technically adept,” concludes Mr Hockey. “Unfortunately, this makes keeping businesses safe against this ever-evolving threat a real challenge. Any firm in the FS sector needs to take cyber security seriously and up the pace of innovation and deployment of effective data protection and threat mitigation strategies. Understanding the latest threats and the defences that may be effective against them is important, as is addressing the cyber security skills shortages that exist in many FS organisations.”
Although a cyber attack is virtually inevitable, a damaging security breach can be prevented provided appropriate measures are taken and control procedures followed. Moreover, FS firms that are currently falling behind in their cyber response should consider that the fallout from an attack, in addition to financial loss, could result in loss of industry trust and customer goodwill.
© Financier Worldwide
By Fraser Tennant