Financial cybercrime is now an as-a-service business, delegates were told at the Transform Finance Banking Cyber Security Forum in London this week.
Speaking under the Chatham House Rule – under which what is said may be reported, but not who said it – the Information Security Lead at a commercial bank observed that banks become targets primarily because of the data they hold, or because of the capabilities of their systems. Most malicious attacks are now mounted purely for financial gain, he said, rather than for the hacker equivalent of joyriding.
Fewer organisations are declaring cyber incidents, yet the incidents themselves are increasing in frequency. Attacks are therefore concentrating on a smaller set of victims; in other words, attackers are going for the weakest targets.
Banks are particularly concerned with any loss of customer data, because of the potential damage to their reputations and trust, not to mention the financial penalties available under GDPR and the Data Protection Act. However, losses to shareholders can be ten times higher than any fines imposed by the regulators, according to one speaker.
While none of this will be news to the cyber security experts on the front line of financial services, the key difference in recent years is that the barrier to entry for novice hackers has been dramatically lowered, thanks to Dark Web forums where malicious actors advertise their services and vouch for the skills of their associates.
With some sellers offering step-by-step methods for evading two-factor authentication, and others entire databases of customer details, such forums act as a hookup service for the hacker community, explained the Senior Threat Intelligence Consultant at a specialist security company.
The key to making these forums work is often insiders within banks themselves, delegates were told, though many such breaches may be accidental – or the result of sophisticated phishing attacks on unsuspecting employees – rather than overtly malicious in intent.
But while malicious insiders may be rare in many kinds of business, they are more commonplace in banks, because of the size of the financial prize and the nature of the data that banks hold. Hacker forums themselves both facilitate and encourage this type of behaviour, so being able to identify malicious insiders – or the accidental source of data breaches – is vital.
The morning session sought to map the cyber security landscape for banks. Alongside the growing insider threat, two other trends affect cyber security in the sector: the increasing sophistication of malicious actors and the growing complexity of the cloud service provider landscape. In each case visibility is essential: without insight into what partners are doing, the partner ecosystem risks undermining a bank's internal security practices.
One speaker, the Chief Data Officer at a boutique bank, said that it is vital for banks to first identify what they are trying to protect and then develop an organisational strategy to manage the cyber security risks to systems, people, assets, and data – and to their capabilities.
One of the challenges here is that Chief Information Security Officers (CISOs) often come from a technology background, rather than a business- or data-focused one, so their approach zooms in on technology detail rather than out to the big picture of managing business risk.
In many organisations, data responsibilities sit across a number of different CxO roles, with the x variously standing in for Digital, Data, Privacy, Information, and Data Protection. Where this complexity exists, CxOs need to work together, despite the very different internal/external focuses of their roles.
Another big-picture problem is that there is no agreed information standard within financial services. All of the pillars of data governance – including classification, definitions, lineage, ownership/accountability, and quality – play a part in successful cyber security capabilities.
For another speaker, a Web scientist and Internet of Things (IoT) data specialist, GDPR itself is the foundation for solving cyber security, alongside a privacy-preserving, security-minded, risk-based business approach, as opposed to a traditional cyber security one. It was suggested that cyber security's days as a standalone industry are numbered.