Banks must protect the “crown jewels” from cyber-attack – but can’t keep attackers out completely
Banks need to recognise that building a wall to keep cyber-security threats out will not work. With breaches from both sides of the wall inevitable, financial institutions would do better to pare down their activities and focus on defending their core assets – including intellectual property and transactional systems.
“People think they can defend everything but they can’t,” said Ryan Ruben, regional lead managing security and privacy, EMEA at Protiviti, a global consulting firm. “Attackers will always get in sooner or later. At the same time, rolling out security to the whole company is very expensive. The key here is to not just throw money at the problem. You really need to work out what you cannot afford to lose – the crown jewels – and pick your battles carefully.”
Ruben added that the core areas of a business might include its transaction systems, its intellectual property (such as the secret recipe for Coca-Cola, which supposedly no single individual knows) and its trading systems. For example, when the Swiss franc was revalued in January, a company that was unable to trade could have faced major losses.
Although awareness of cyber-security is arguably increasing after years of high-profile incidents, a survey by Protiviti found that only 30% of the corporates surveyed had invested in technologies to improve security, fewer than 10% were making effective use of the technology they had, and over 50% had no active data loss prevention solution. 80% had only limited active monitoring of potential data loss incidents, and only 20% had an effective security incident and event monitoring system in place.
For financial institutions, the dangers of cyber-crime are constantly being highlighted by new incidents. In February 2015, a joint international operation by Europol’s European Cybercrime Centre seized servers said to have controlled the Ramnit botnet that had infected 3.2 million computers internationally. Other recent attacks include the Carbanak cyber-attack which stole $1 billion from banks in 30 countries over the two years leading up to February.
“Risk appetite is an issue for banks,” said Jonathan Wyatt, head of business IT at Protiviti. “Banks would say they are risk-averse, but actually if you start throwing scenarios at them you find it’s not really true. In fact they have quite a high tolerance for risks.”
Wyatt added that banks are exposed to a number of risks from a cybercrime perspective, and that the biggest danger is attacks carried out from the inside: most systems are designed to keep intruders out, so once an attacker has passed that perimeter there may be virtually nothing stopping their activities. Routes in always exist. There is always someone who can be blackmailed, a contractor can come to work for the bank and exploit that access, or an attacker may even socially engineer themselves or someone else into a position of authority at the target bank.
“What you need is to have two people watching, with a kill switch, that can terminate an account’s activity if it looks suspicious,” he said. “The other thing is they may even turn your own security against you. For example, an attacker may use a secure shell to remain undetected and protect themselves from scrutiny. It looks like legitimate traffic. You’d never know it was them if you weren’t expecting it. The more eyes you have monitoring what goes on internally, the better the chance you can spot that before it’s too late.”
Adding to the difficulty is the fact that, in the survey, 20% of respondents acknowledged the risks their firm was operating under but did not believe the cost of the solutions could be justified. Attacks targeting privileged users were also highlighted: 30% of respondents did not believe privileged users presented a high enough risk to justify buying systems to monitor their accounts more carefully. “The role that authorised access and the insider plays, whether knowingly or inadvertently, in security incidents is regularly understated,” added Wyatt.
Several regulatory and industry initiatives have already been launched to help tackle the problem of cyber-attacks on financial institutions. CBEST was launched in June last year by the Bank of England, together with UK regulator the Financial Conduct Authority and non-profit security organisation CREST, as well as cyber intelligence company Digital Shadows. It sets out a blueprint for controlled cyber security testing, the aim of which is to ensure key financial assets are protected against cybercrime. The tests mimic the actions of threats such as sophisticated cyber-attacks against financial services assets.