Time for financial services companies to take a more assertive approach to email phishing
May 2016 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
Britons today are far more likely to check their bank balance online than visit a high street branch. With a daily login of around 9.6 million, online banking is our most relied upon means of keeping in touch with our finances, and certainly there are huge advantages to this preferred method. The digital uptake has made way for the ‘paperless’ banking movement, making the way we view our statements far greener, and with facial recognition technology making headway in the industry, we are safer from identity fraud. Unfortunately, issues of environment and identity are not the only threats posed to banks and their customers. In fact, the most frequently used channel of communication between bank and client is perhaps the least protected.
For banks, the threat of email phishing constantly increases as more clients move online. According to our research, a staggering 97 percent of FTSE 250 companies are exposing their customers to the risks of phishing attacks. The majority of banks leave it up to customers to report instances of email phishing, rather than taking a more assertive approach.
How can financial services better protect themselves and their customers?
The first mistake most banks make is to rely so heavily on consumer awareness surrounding cyber security. It is not up to the customer to flag threats and issues to their bank, nor is it an effective method of prevention. Financial services companies must take greater measures and responsibility with their cyber security. We hear it from the horse’s mouth constantly; Mustafa Al-Bassam, the computer hacker who caused serious financial damage to companies such as Fox and Sony, knows that banks are failing to prevent cyber threats at their most basic level. In an interview with the Daily Mail, Mr Al-Bassam stated, “The majority of UK banks don’t even implement HTTPS encryption properly on their website, and show a poor understanding of how it is implemented in practice when I have tried to probe them about it. They certainly seem to be lagging behind in terms of modern standard security practices.” Mr Al-Bassam was 16 when he was arrested for his involvement in cyber crimes. The way you protect your company from a teenager is the same way you protect it from anyone: with defence that comes from the company, not the consumer.
An estimated 156 million phishing emails are sent every day, and that is a number that cannot be eradicated through advice alone. It is this kind of lax approach that leaves the security of millions of UK consumers in a very precarious position. Security breaches not only jeopardise customer information, but also company reputation. The recent HSBC security breach may have allowed the bank to emerge from the attack with client information untouched, but it did very little by way of maintaining company trust. In a similar situation, TalkTalk lost 101,000 customers following its cyber attack in October 2015, which equated to a £15m loss in revenue. With phishing attacks on the rise, business leaders cannot afford to ignore the increasing risks posed by cyber criminals. In light of the TalkTalk attacks, Andrew Tyrie, MP & Chairman of the Treasury Committee, expressed major concerns regarding security: “Bank IT systems just don’t seem to be up to the job... Incidents like these are unacceptably frequent, and sometimes serious. Until this is sorted out, the public will remain more exposed than necessary to the risks of IT banking failures.”
Solutions for companies are readily accessible, so it is a wonder these statistics surrounding poor cyber security are so high. DMARC, which stands for ‘Domain-based Message Authentication, Reporting & Conformance’ is an email authentication protocol that enables senders to monitor and protect a domain from fraudulent email. Amazingly, our research reveals that only 17 companies in the FTSE 250 are using the DMARC standard to prevent email scams, which enable the theft of customer passwords, bank account details, credit card numbers and other sensitive information. Preventative measures like this are well within the reach of these large corporations but many seem to constantly fall short when the question of cyber security is raised.
The time has come for companies to recognise their responsibility in the fight against cyber crime. When giants like HSBC and TalkTalk are brought to their knees from the comfort of a hacker’s bedroom, it becomes clear that there is no company too large or well respected to be dragged through the dirt. Britons are speeding into innovation; isn’t it time that cyber security kept pace?
Stuart Robb is the founder and chief executive officer of Cyber Security Partners. He can be contacted on +44 (0) 203 784 4460 or by email: stuart.robb@cybersecuritypartners.co.uk.
© Financier Worldwide
BY
Stuart Robb
Cyber Security Partners