The big fight
Written by Liz Morrell
Liz Morrell casts an eye over an intensifying cat and mouse game between financial services companies and cyber criminals
Cybercrime is an increasing risk to any business, but throw in the potential immediate wins from attacking financial services companies and it’s little surprise that the sector is one of the most vulnerable. Indeed, according to PwC’s Global Economic Crime Survey, published last November, cybercrime ranks as one of the top four economic crimes, coming only behind asset misappropriation, accounting fraud, and bribery and corruption, with risks that include damage to both reputation and company wallet.
And it’s a similar concern for the World Economic Forum, which identified cybercrime as a major risk to the financial services industry in its annual Global Risks report for 2012. No one disputes that cybercrime is big business but, with attacks largely undisclosed, judging the scale of the problem is tough. “In financial services we see very few security breaches reported but we know that are under constant attack and that some of those attacks are getting through,” says David Spinks, CSIRS chairman.
In the PwC survey, half of respondents in the financial services industry felt that the risk of cybercrime had increased in the past 12 months, compared with 36 per cent for other industries surveyed. John Yeo, director at Trustwave SpiderLabs EMEA, says this has prompted a change in thinking. “There has been a philosophical mindshift in that it’s no longer ‘I’m confident we’re secured against attack’. The smart ones are saying what do we do when we are attacked and so are geared up to respond.”
Motivations have changed as criminals have realised the wins. “We have recently witnessed a clear shift from a for-fun environment, where hacking and attacks were primarily carried out to show the hacker’s outside-the-box thinking aptitude, to a context driven by profit,” says Dr Lorenzo Cavallaro, professor of systems security at Royal Holloway Information Security Group.
Nick Staib, security specialist at HSBC and First Direct, also notes that cyber criminals mean business. “What has changed in the last five years is we have seen online fraudsters are not just very organised but are also increasingly clever. Our job is to stay one step ahead. We don’t see cybercrime as a problem but a challenge to be met head on.”
Companies are increasingly exposed to the threat of cybercrime because their public arena is now so much wider than ever before. “In part, the risk of cybercrime is growing due to the expanding landscape of how organisations conduct business and engage with customers online, e.g. the rush to mobile applications to increase online commerce, and in part because of easier access to tools and techniques used by cyber criminals. This combination results in low risk, high reward opportunities for fraudsters, who can be located anywhere in the world with internet access,” says Kris McConkey, PwC’s forensic technology lead on cyber security.
The increasing adoption of multiple channels of access is also widening risk. Mobile and social media are two of the most recent to increase risk with social media particularly allowing criminals to change tactics. “The sophistication of attacks is increasing. Where previously you would have someone getting through via the firewall now the trend is on collection of data and identity theft,” says Spinks.
This means social media is particularly a problem because of the rich personal data it can contain. The extent of the risk to mobile is debatable. Some say it’s a channel that is not yet being targeted. “Mobile hasn’t been attacked yet and at the moment apps are limited to people you have paid before so for the fraudster it is of little interest,” Staib notes. Indeed, he argues that checking balances and other services via mobile rather than the internet is actually safer because the individual is not in the online environment where attacks normally happen.
Cavallaro observes that mobile malware is on the increase and the channel seems vulnerable as it opens up because the same protection that PCs share is not available on mobile devices. “The threat is there. If you look at one of the challenges it is that the operating system vendors don’t have the understanding of financial services so the systems aren’t there for protecting them,” says Thomas Bostrom Jorgensen, CEO at Encap who argues that multi-factor authentication is a must.
McConkey says financial services companies must get to grips with the risks. “The pace of mobile adoption has been very attractive to businesses, but the understanding of risks associated with the mobile platforms has struggled to keep pace.” Mobile devices are also opening financial services companies up to the risk of security breaches amongst employees. “Mobile devices may generally store a mix of user and company data, exposing the latter to potential leaks that are not under the company control anymore,” says Cavallaro.
Yeo agrees: “There is a lot more to be done from a due diligence point of view looking at how you are storing data, how it is moving around the environment and whether people have had unauthorised access”. He highlights his research which suggests it takes an average of six months for data breaches to be discovered.
Financial services companies are working hard to combat cybercrime and to some extent it is working but many describe it as a cat and mouse game. Typical defence tactics include a shift towards 24x7 transaction monitoring, browser protection services, security certificates, malware detecting software and anti-phishing solutions as well as authentication measures such as 3D Secure for online shopping and dynamic passwords, SMS passwords, tokens, DAP/CAP technology and transaction signing for accessing online/mobile banking.
Increasingly customer behaviour is being analysed to discover anomalies in account use. “We have a fraud engine that is checking transactions and detects anomalies in behaviour – that then goes into a fraud queue to be checked,” says Staib. Response is then key and calls for a managed security provider or departments that are 24/7.
However, according to McConkey a frightening number don’t have such access. “More than a third of UK respondents to our survey said that they have no access, internally or externally, to forensic technology investigators to provide the rapid response required when dealing with a cybercrime incident. Having this ‘hotline’ and being able to respond quickly is critical to successfully mitigating and remediating incidents.”
As well as technology solutions financial services companies must consider their own business processes too - from training (of both staff and customers), access controls to monitoring and reporting – all of which often see a varying level of focus, according to McConkey. An important key to beating cybercrime lies in collaboration – sharing risks, threats and knowledge between banks and financial services companies. Staib says most banks do work together well on this. Yet McConkey argues such collaborative approaches must be evident within the business too. “Big leaps forward can be made if organisational silos can be broken down. For example, marketing teams often have sophisticated tools to monitor social media trends and customer engagement. Security teams would benefit from being able to apply the same technology in their role.”
Financial services companies must also be very aware of the risk of insiders within their businesses. “Nearly all successfully executed cybercrime involves an insider threat. That is most worrying because I can put all the barbed wire I want around my building and spend billions of pounds on security but if one of my employees has the keys to the IT system and gives them to someone else then all my defences have been breached,” comments Cavallaro.
Of course, the harder the challenge, the more likely cyber criminals will divert their attentions elsewhere, and this means that financial services companies should pay particular attention to weaker links in their supply chain and run due diligence on third party suppliers. “The PwC survey shows that cybercrime and fraud more generally is on the rise at small and mid size companies,” says McConkey.
Yeo adds: “Across our caseloads we looked at who was responsible for systems administration of those breached and in the majority of cases (76 per cent) it was a third party that was compromised,” suggesting that the trend to cloud computing may further the risk.
Cybercrime is big business and its perpetrators operate in a parallel industry of their own. “There is no question that cybercrime activity has become increasingly organised, innovative and focused,” says McConkey. “Advanced cyber threat groups are patient, they invest heavily in the research and development of custom malicious code and clever means to exfiltrate data. They have internal hierarchies, technical training and target lists in much the same way that large enterprises do, and they are methodical and persistent.”
Cavallaro backs this up: “It’s like managing a real-world legitimate business. You have exploit kits to make up for the technical skills you may miss out and, if someone doesn’t have the in-house knowledge to develop a service (e.g., infecting hosts, writing sophisticated malware), then this can be purchased on the internet by other cyber crooks.”
Cybercrime is constantly evolving. In the same way that technology advances are reshaping how the financial services industry operates and the services it offers to customers, so increasing computer power is also opening up the ability for attack. It seems the cat and mouse game between the two parallel worlds will continue for some time yet.