IT Governance Blog: how can banks address cyber security challenges?

Cyber crime is spiralling out of control in the financial industry. The FCA (Financial Conduct Authority) received 145 breach notifications in 2018, up from 25 the previous year.

Things are particularly bad among investment banks, which saw a tenfold increase year-on-year (from 3 to 34), and retail banks (from 1 to 25).

But it’s not as though cyber crime is a new thing in the industry. You might remember that in April 2017, seven British banks, including Santander, Royal Bank of Scotland and Barclays, were forced offline following a series of attacks.

Meanwhile, Tesco Bank was fined £16.4 million in October 2018 for failing to prevent a cyber attack that occurred the previous year.

Why have things have got so much worse? And how can banks take back the initiative?

‘More threat actors’

The increase in data breach reports doesn’t necessarily mean that the financial industry’s cyber security measures are regressing.

It simply means that banks haven’t invested in defences at the same pace that crooks have spent on attacks.

A CISO at one UK bank told the Financial Times:

We are seeing a lot more threat actors knocking at the front door… it ranges from individual kids to, increasingly, the criminal fraternity and national states. You have to constantly improve to keep up and protect yourself.

This mindset can be hard to accept, because it shows how much the odds are stacked against you. Organisations need to be vigilant, continually looking for vulnerabilities and keeping up to date with criminal trends.

Crooks go to the same lengths, but they have a much higher margin for error. The consequence of a failed attack is negligible (it’ll cost them only time and resources), and it only takes one success for them to recoup their investment many times over.

As such, it’s practically impossible for any half-decent cyber criminal not to make money. The only thing stopping them is the possibility of being apprehended, and that’s unfortunately easier said than done.

Stopping cyber criminals

According to Richard Breavington, head of RPC’s cyber instance and breach response team:

We know that the number of cybercriminals prosecuted under the Computer Misuse Act is below 100 annually.

When you compare that to the number of cyber crimes being reported across all industries, you can see that it’s a very lucrative criminal enterprise.

The nature of cyber crime makes it incredibly difficult to bring perpetrators to justice.

Criminal investigators are getting better at forensic analysis, in which they can trace an attack back to a specific computer or location, but crooks can obfuscate this information using botnets, which allow attackers to hijack a device and its connection.

Another problem is that the majority of attackers operate internationally, complicating the logistics of policing cyber crime.

Proceedings will inevitably be slower when units from different countries must work together, and they can practically grind to a halt when those countries don’t have dedicated cyber crime units, which is often the case in eastern Europe, where many cyber criminals reside.

Assume that you’ll be breached

The picture we’ve painted so far is bleak, and it gets even worse when you factor in what’s actually at stake when it comes to cyber security.

The best-case scenario when implementing defences is that you stop an attack before it does any damage. But that’s a short-term win, and it’s only a win if you consider keeping the status quo a victory.

After all, you’re no better off than before the attack. There’s no reward for thwarting a crook’s attempt, only the satisfaction of a job well done and the relief of knowing things could have been much worse.

But given the current climate, the idea that things could be worse is very much worth celebrating. There are simply too many threats, from the growing horde of cyber criminals to negligent employees and technological failures, for you to stay safe for long.

That’s why it’s essential to work with the assumption that security incidents are a matter of when, not if, while also remembering that they can be delayed through effective defences.

That way you’re prepared for when an incident occurs and have realistic objectives. The aim shouldn’t be to avoid being breached, because that’s impossible.

Instead, you should be assessing whether you’re doing everything in your power to stay secure. In other words, is your cyber security budget appropriate to the size of your business and the threat you’re facing?

Appropriate defences

Banks should have proportionately tougher cyber security defences than other organisations, because they deal with financial information, which cyber criminals prize for its inherent value.

Unlike other forms of data, which is worth only what someone is willing to pay for it, financial information can be used to access funds directly.

All crooks need to do is transfer and then launder the money, which they often do by purchasing and then returning gift cards or luxury goods.

This tactic has become increasingly popular in recent years, due to the changing economics of the dark web.

With cyber crime increasing, there is more personal information for sale. The number of buyers has also increased, but not to the extent that supply has, meaning the going rate for personal data has decreased.

However, this is moot if you’re stealing payment card data, because you avoid the marketplace altogether.

Any organisation that stores payment card information is therefore a prime target, hence the spike in attacks against banks in the past year.

If those institutions are going to fight back, they need to react to the changing threat landscape and invest more heavily in their defences.

Follow the Bank of England’s initiative

If you’re reluctant to overhaul or invest heavily in cyber security, look no further than the BoE (Bank of England), which recently admitted it needs to significantly improve its IT systems.

The statement was a humbling moment for the BoE, which criticised UK banks’ cyber security practices in June 2018.

Nine months later, a Public Accounts Committee inquiry found that the rate of modernisation at the BoE lags behind both private and public sectors.

“Many of the Bank’s processes are overly complicated, inefficient and very costly to administer,” the committee said.

If there’s a positive to be taken from this revelation, it’s that the BoE is aware of its shortcomings and stated its intentions to improve its operations – something many other organisations refuse to do.

It also demonstrates the pitfalls of information security spending. Technology operations at the BoE cost £101.4 million in 2017–18 (of a total budget of £647 million), which seems excessive.

The BoE argued that it needs to invest heavily in IT, given that £600 billion passes through its systems each day, but conceded that its processes could be more efficient.

The most obvious room for improvement was in the “high levels of manual processors and legacy IT systems”, as well as the duplication of applications that occurred as a result of the BoE incorporating the Prudential Regulation Authority’s systems in 2014.

This shows cyber security spending isn’t simply a case of more equals better. It’s easy to say that you’re spending a certain percentage of your budget on defence, but that doesn’t say anything about whether the money is well-spent.

The problem often stems from processes being bolted on to existing systems. This can cause you to lose track of exactly what systems you have in place, with new processes being duplicated and old ones being made redundant.

This is often hard to see if you are evaluating your security systems purely on whether they meet their objective. The BoE’s systems, for example, did their job superbly. Last year, its services went down just 0.01% of the time, compared with 0.37% in central government.

However, that doesn’t necessarily justify the amount of money that was spent. The BoE admitted as much, vowing to make its systems more efficient both financially and for employees.