
Securing your doors is not enough. Go for a multi-layered security strategy.


Cyber-attacks are all over the news: ransomware, phishing, pharming, malware, cryptojacking and DoS attacks. It seems as if the internet has been transformed into the Wild West.
Combine this with our ever stronger dependency on the internet for our day-to-day life and it is clear that cyber-security should be at the top of the agenda of every CEO and CIO. This holds especially in the banking industry, due to its strong dependency on the internet (online and mobile banking) and the sensitive nature of financial data. The whole banking system is based on trust: one successful cyber-attack can destroy this trust, resulting in enormous financial impacts for the affected bank. Even worse, if customers were to lose confidence in the security of their bank, this could lead to a run on the bank, which in the case of a major bank could be catastrophic for the whole financial system.
While most bank CEOs and CIOs are conscious of these impacts, examples of successful cyber-attacks in recent years are not hard to find (the rate of breaches, or theft of sensitive data, in the financial services industry has tripled over the past five years):
  • In February 2016, hackers attacked the central bank of Bangladesh and issued 35 instructions using the SWIFT messaging system for an amount of $951 million. Fortunately, most of the transfers were blocked, but the cyber-attack did cost the bank $81 million.
  • In November 2016, the banking leg of the UK supermarket chain Tesco lost £2.5 million, when half of the 40,000 customer accounts were compromised. The attack resulted in a temporary freeze of all online transactions and in a fine by the FCA in 2018 of £16.4 million.
  • In December 2016, Russia’s Central Bank was breached for an amount of $31 million.
  • In May 2017, the WannaCry ransomware attack infected 230,000 computers in over 150 countries. In India several ATMs were shut down to avoid further infection (even though the link between the ATM outage and the ransomware is denied by the Indian government).
  • In June 2017, the GoldenEye ransomware, also known as NotPetya, blocked thousands of computers worldwide. The impacts were considerable, e.g. packages at TNT Express were blocked for several days in different European countries. Other major firms impacted were FedEx, Merck, Cadbury… Apart from the National Bank of Ukraine, the impact on banks seems (as far as is publicly known) to have been limited, but the speed and impact of the outbreak put everyone on high alert.
  • In December 2017, the Russian bank Globex was attacked via its SWIFT network. Losses were not considerable (only $100,000), but the complexity of the attack shows the professionalism of certain hacker gangs (like Cobalt, Carbanak, Lazarus…) specialized in attacking the financial industry.
  • In April 2018, 7 UK retail banks, including Santander, Royal Bank of Scotland, Barclays and Tesco Bank, had to limit or shut down their systems after sustained attacks. This cost them hundreds of thousands of pounds to remedy.
  • In October 2018 the Mumbai branch of the State Bank of Mauritius was hit by a cyber-attack through a fraudulent SWIFT payment, resulting in a loss of about $14 million.
  • In January 2019 state-backed hackers from North Korea infiltrated the Bank of Chile’s ATM network and siphoned off $10 million.
  • …​
Unfortunately, this is just the tip of the iceberg, as most security breaches are not disclosed by banks for fear of reputational damage. Studies have shown that financial services firms are attacked 300 times more frequently than other businesses and that a typical American bank is attacked a staggering 1 billion times per year (which amounts to more than 30 attacks per second).
This is not surprising, however, when you look at the impressive number of parties wanting to attack banks: state-supported hackers (e.g. Russia, North Korea…), ethically or politically inspired hackers (hacktivists), financially motivated criminals, hackers attacking for pride or for the kick, competitors (industrial espionage) and disgruntled insiders.
Furthermore, experts predict that the cost of cyber-attacks for banks will increase exponentially in the coming years, as banking becomes even more digitized, new channels like mobile, Open Banking APIs and the Internet of Things become more popular, and working from home and new policies like "Bring Your Own Device" become the rule rather than the exception. With each digital door a bank opens, new vulnerabilities arise.
Combine this with the increased sophistication of the hacking attacks and it should be clear that cyber-security must be one of the main investment areas for banks in the coming years.
Banks that are not yet sufficiently aware of the importance of this threat will be forced to act, either by security breaches or by regulators. In recent years regulators have started to introduce directives and frameworks that force banks to increase their security: PSD2's Regulatory Technical Standards impose strong security requirements on all payments; GDPR not only imposes strong data security for personal and confidential data, but also forces companies to publicly report breaches within 72 hours; TIBER-EU is the first European framework to test the resilience of banks against cyber-attacks…
But those investments should not all go to IT solutions like firewalls and improved authentication techniques. The increased sophistication of the attacks requires a cyber-security strategy that is holistic for the whole organisation. This means all employees and all procedures are impacted, not just those of IT, as security is only as strong as its weakest link.
This cyber-security strategy should implement and enforce a range of best practices:
  • Overall end-to-end awareness among all employees of the risks and methods used in cyber-criminality. This can be achieved through training (e.g. training on social engineering techniques), information campaigns, customer education and "mystery customer" tests, but also via new methodologies like DevSecOps, which embeds security at every stage of a project's implementation.
  • Layered approach: implement multiple layers of defense (physical security, firewalls, throttling, risk-based authentication, data encryption, network segmentation, VM/container security…) to maximize isolation. It also means that the distinction between trusted, internal systems and external, public systems is outdated. Under the new "Zero Trust" paradigm ("Never trust, always verify"), internal systems are not trusted either.
  • Devalue data: if a hacker does gain access to your data, ensure the data is worth nothing. This can be done by strong encryption of all (sensitive) data.
  • Continuous monitoring for breaches (intrusions or abnormal behavior), i.e. audit and monitor all activities on all systems and (automatically) identify abnormal behavior (e.g. users doing actions they normally do not do, peaks in download/upload traffic or CPU usage…). This monitoring is a balancing act between identifying all breaches and avoiding too many "false positives", as those take up valuable analyst time and lead to alert fatigue.
  • Automatically reacting to a breach: as soon as a potential breach is identified (through continuous monitoring), automatic actions should be taken to contain it. This can be done by automatically blocking all access rights of the suspicious user account, shutting down the impacted system and potentially switching to backup systems, disconnecting the breached system from all other systems… After the breach is contained and resolved, the system should automatically return to normal operations as quickly as possible.
  • Continuous security testing: this should include:
    • Static code analysis: automatic execution of static code analysis to detect security flaws (e.g. Cigital SecureAssist, Code Dx, IBM Security AppScan, Klocwork…). This static code analysis should be part of the CI/CD pipeline.
    • A set of automated security tests, also executed as part of the CI/CD pipeline, to identify security flaws automatically before going to production.
    • Security tests as part of acceptance testing: include the successful execution of several security tests in the acceptance criteria of the acceptance testing phase. Often these tests (e.g. penetration tests) are executed by specialized firms.
    • White-hat ethical hackers: employ or temporarily hire a white-hat ethical hacker to find potential security flaws in your systems. This can also be organized in the form of a hackathon or a bounty for any security flaw reported (e.g. see the "Google Vulnerability Reward Program").
    • Continuous resilience testing: automatically inject random security attacks into the production system, to continuously validate that the system reacts properly (e.g. Security Monkey from Netflix's open-source Simian Army).
  • Automatic patching: automatic identification and installation (preferably immediate and without downtime for end users) of any new patch for the libraries and software in use. Achieving this level of maturity can be complex for an organization. An alternative is to work as much as possible with cloud-based managed solutions, which take care of all patching for you, without any impact on the user.
  • Sharing of information about hacking attacks: due to the strong interconnectivity of banks, a breach in one bank will likely also negatively impact other banks. It is therefore imperative that banks collaborate on cyber-security. This includes defining security standards for data exchange, requiring third parties that connect to banks to adhere to the highest security standards, sharing best practices on cyber-security, sharing information on recent cyber-attacks…
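The continuous-monitoring and automatic-reaction points above can be made concrete with a small detector. The following is an added example, not code from the original post: it learns a per-user baseline (which actions a user normally performs, how much they normally upload) from a constructed audit log, flags new events that deviate from it, and maps each finding to a containment step. The `volume_factor` knob shows the false-positive trade-off the text describes: lowering it catches smaller spikes but also starts flagging benign activity. All usernames, hostnames, action names and byte counts are constructed for illustration.

```python
"""Added example (not from the original post): behaviour baseline, anomaly
scoring and automatic containment over a constructed audit log."""
import statistics
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed historical audit events: (timestamp, user, action, bytes_uploaded, host)
HISTORY = [
    ("2019-03-01T09:02", "alice", "view_account", 1200, "ws-17"),
    ("2019-03-01T09:40", "alice", "view_account", 900, "ws-17"),
    ("2019-03-01T10:15", "alice", "export_report", 25000, "ws-17"),
    ("2019-03-02T09:10", "alice", "view_account", 1100, "ws-17"),
    ("2019-03-02T11:30", "alice", "export_report", 24000, "ws-17"),
    ("2019-03-01T08:55", "bob", "approve_payment", 500, "ws-22"),
    ("2019-03-01T14:20", "bob", "approve_payment", 600, "ws-22"),
    ("2019-03-02T09:05", "bob", "view_account", 800, "ws-22"),
]

# Constructed new events to evaluate against the baseline
NEW_EVENTS = [
    ("2019-03-03T09:00", "alice", "view_account", 1000, "ws-17"),        # routine
    ("2019-03-03T02:10", "alice", "export_report", 900000, "ws-17"),     # upload spike at night
    ("2019-03-03T10:00", "bob", "change_swift_limits", 300, "ws-22"),    # never-seen action
]


@dataclass
class Baseline:
    actions: set = field(default_factory=set)   # actions seen for this user
    uploads: list = field(default_factory=list) # upload sizes seen for this user


def build_baselines(history):
    """Aggregate historical events into one Baseline per user."""
    baselines = defaultdict(Baseline)
    for _, user, action, nbytes, _ in history:
        baselines[user].actions.add(action)
        baselines[user].uploads.append(nbytes)
    return baselines


def score_event(event, baselines, volume_factor=10.0):
    """Return the list of reasons an event looks anomalous (empty = normal).

    volume_factor is the tunable sensitivity: an upload larger than
    volume_factor times the user's median upload is flagged. Lower values
    catch more, at the price of more false positives for bursty users.
    """
    _, user, action, nbytes, _ = event
    baseline = baselines.get(user)
    if baseline is None:
        return ["unknown_user"]
    reasons = []
    if action not in baseline.actions:
        reasons.append(f"new_action:{action}")
    typical = statistics.median(baseline.uploads)
    if nbytes > volume_factor * typical:
        reasons.append(f"upload_spike:{nbytes}>{volume_factor}x{typical}")
    return reasons


def contain(event, reasons):
    """Map detection reasons to automatic containment actions (labels only)."""
    _, user, _, _, host = event
    actions = []
    if any(r.startswith("upload_spike") for r in reasons):
        # possible exfiltration: cut the session and isolate the source host
        actions += [f"revoke_sessions:{user}", f"isolate_host:{host}"]
    if any(r.startswith("new_action") for r in reasons):
        # unusual privileged activity: force re-authentication and page an analyst
        actions += [f"require_step_up:{user}", "open_incident_ticket"]
    if "unknown_user" in reasons:
        actions += [f"disable_account:{user}"]
    return actions


def run_monitor(history, events, volume_factor=10.0):
    """Evaluate events; returns (user, reasons, containment_actions) per event."""
    baselines = build_baselines(history)
    results = []
    for event in events:
        reasons = score_event(event, baselines, volume_factor)
        results.append((event[1], reasons, contain(event, reasons) if reasons else []))
    return results


if __name__ == "__main__":
    for user, reasons, actions in run_monitor(HISTORY, NEW_EVENTS):
        print(user, reasons or "ok", actions)
```

In a real deployment the baseline would be rebuilt on a rolling window and the containment labels would call the identity provider and network controls; the structure (baseline, score, contain, then release once resolved) stays the same.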
Most of these methods are, however, costly and often negatively impact user experience and productivity. New techniques reduce the need for this compromise, but some negative impact from tightened security is still to be expected. It is therefore important to build a sound business case stating which risks a bank is willing to accept in order to preserve usability and productivity. Based on this business case, a deliberate decision can be taken, including the necessary accountability.
Just like most regulations (e.g. MiFID2), cyber-security is mainly considered a cost for a bank, but when correctly implemented it can also be an opportunity:
  • New risk-based authentication methods can improve not only security but also usability at the same time.
  • With all the reported data privacy and security issues, having a reliable and secure brand can be a valuable differentiator for attracting customers. The recent transformation of Apple into a "privacy-as-a-service" company (attacking the data-intensive business models of Google and Facebook) shows a need for secure services that respect customers' privacy. This differentiator will become even more important when the bank positions itself as a central distribution platform for different products and services (from competitors and other industries).
  • Insurers have huge potential in the cyber-insurance space, not only providing products insuring customers against losses due to cyber-attacks, but also providing value-added services like knowledge sharing, training, APIs with cyber-security data, CyberGyms providing a training ground for cyber-security specialists to practise responding to attacks…
This article has hopefully shown that cyber-security is a large and complex topic, which will require considerable investment in the coming years, but also offers important opportunities to the financial services industry. Due to the complexity, it is important to collaborate with industry experts and outsource as much as possible of the burden related to cyber-security. A move to a public cloud such as AWS, Azure or GCP seems a contradiction when talking about security, but when the move to the cloud is calculated and well executed it will likely increase your cyber-security (these cloud players have the best security specialists in-house), while reducing your spending on cyber-security at the same time.
The key message to retain is that banks should start implementing their cyber-security strategy now and keep an open mind for new innovative solutions that can transform their cyber-security investments into business opportunities.
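The first opportunity above, risk-based authentication that improves both security and usability, comes down to a policy that scores each login from its context and only adds friction when the score warrants it. The following is an added example, not code from the original post or from any bank's system: a small scoring policy over constructed login contexts. The signals, weights, thresholds (`step_up_at`, `deny_at`), the 900 km/h travel-plausibility limit and the sample attempts are all assumptions chosen for illustration.

```python
"""Added example (not from the original post): a risk-based authentication
policy that scores a login from contextual signals and returns allow,
step_up (second factor required) or deny."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    user: str
    device_known: bool            # device fingerprint seen before for this user
    country: str                  # geolocated from the source IP
    usual_country: str            # from the user's login history
    hours_since_last_login: float
    km_from_last_login: float     # distance between this and the previous login
    failed_attempts_last_hour: int
    amount_requested: float       # value of the action behind the login (0 = read-only)


# Constructed weights: how much each signal contributes to the risk score
WEIGHTS = {
    "unknown_device": 30,
    "foreign_country": 25,
    "impossible_travel": 40,
    "brute_force_signs": 20,
    "high_value_action": 30,
}


def risk_signals(ctx):
    """Return the list of risk signals present in this login context."""
    signals = []
    if not ctx.device_known:
        signals.append("unknown_device")
    if ctx.country != ctx.usual_country:
        signals.append("foreign_country")
    # an implied speed above ~900 km/h between two logins is not a plausible journey
    if ctx.hours_since_last_login > 0 and ctx.km_from_last_login / ctx.hours_since_last_login > 900:
        signals.append("impossible_travel")
    if ctx.failed_attempts_last_hour >= 5:
        signals.append("brute_force_signs")
    if ctx.amount_requested >= 10000:
        signals.append("high_value_action")
    return signals


def risk_score(ctx):
    return sum(WEIGHTS[s] for s in risk_signals(ctx))


def decide(ctx, step_up_at=30, deny_at=70):
    """Low risk passes on the password alone; medium risk gets a step-up
    challenge (push notification, hardware token); high risk is refused."""
    score = risk_score(ctx)
    if score >= deny_at:
        return "deny"
    if score >= step_up_at:
        return "step_up"
    return "allow"


# Constructed sample logins
SAMPLE = {
    "habitual": LoginContext("alice", True, "BE", "BE", 24.0, 5.0, 0, 0.0),
    "new_phone": LoginContext("alice", False, "BE", "BE", 48.0, 10.0, 0, 0.0),
    "large_transfer": LoginContext("alice", True, "BE", "BE", 24.0, 3.0, 0, 15000.0),
    "account_takeover": LoginContext("alice", False, "NG", "BE", 2.0, 5000.0, 0, 0.0),
}


def evaluate_all(samples=SAMPLE):
    """Return {name: (score, decision)} for every sample login."""
    return {name: (risk_score(ctx), decide(ctx)) for name, ctx in samples.items()}


if __name__ == "__main__":
    for name, (score, decision) in evaluate_all().items():
        print(f"{name:18s} score={score:3d} -> {decision}")
```

The usability gain is in the first case: the habitual login scores zero and gets no second factor at all, while the three riskier cases pay the friction. Tuning `WEIGHTS` and the two thresholds is the same business-case decision the text describes, made explicit in one place.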
