Securing your doors is not enough. Go for a multi-layered security strategy.


Cyber-attacks are all over the news: ransomware, phishing, pharming, malware, cryptojacking and DoS attacks. It seems as if the internet has been transformed into the Wild West.
Combine this with our ever stronger dependency on the internet for our day-to-day life and it’s clear that cyber-security should be at the top of the agenda of every CEO and CIO. This holds especially in the banking industry, due to its strong dependency on the internet (online & mobile banking) and the sensitive nature of financial data. The whole banking system is based on trust: one successful cyber-attack can destroy this trust, resulting in an enormous financial impact for the affected bank. Even worse, if customers were to lose confidence in the security of their bank, this could lead to a bank run, which in the case of a major bank could be catastrophic for the whole financial system.
While most bank CEOs and CIOs are conscious of these impacts, examples of successful cyber-attacks in recent years are not hard to find (the rate of breaches, or theft of sensitive data, in the financial services industry has tripled over the past five years):
  • In February 2016, hackers attacked the central bank of Bangladesh and issued 35 instructions using the SWIFT messaging system for an amount of $951 million. Fortunately, most of the transfers were blocked, but the cyber-attack did cost the bank $81 million.
  • In November 2016, the banking leg of the UK supermarket chain Tesco lost £2.5 million, when half of the 40,000 customer accounts were compromised. The attack resulted in a temporary freeze of all online transactions and in a fine by the FCA in 2018 of £16.4 million.
  • In December 2016, Russia’s Central Bank was breached for an amount of $31 million.
  • In May 2017, the WannaCry ransomware attack infected 230,000 computers in over 150 countries. In India several ATMs were shut down to avoid further infection (even though the link between the outage of the ATMs and the ransomware is denied by the Indian government).
  • In June 2017, the GoldenEye ransomware, also known as NotPetya, blocked thousands of computers worldwide. The impacts were considerable, e.g. packages at TNT Express were blocked for several days in different European countries. Other major firms impacted were FedEx, Merck, Cadbury…​ Apart from the National Bank of Ukraine, the impact on banks seems (as far as is publicly known) to have been limited, but the speed and impact of the outbreak put everyone on high alert.
  • In December 2017, the Russian bank Globex was attacked via its SWIFT network. Losses were not considerable (only $100,000), but the complexity of the attack shows the professionalism of certain hacker gangs (like Cobalt, Carbanak, Lazarus…​) specialized in attacking the financial industry.
  • In April 2018, 7 UK retail banks, including Santander, Royal Bank of Scotland, Barclays and Tesco Bank, had to limit or shut down their systems after sustained attacks. This cost them hundreds of thousands of pounds to remedy.
  • In October 2018 the Mumbai branch of the State Bank of Mauritius was hit by a cyber-attack through a fraudulent SWIFT payment, resulting in a loss of about $14 million.
  • In January 2019 state-backed hackers from North Korea infiltrated the Bank of Chile’s ATM network and siphoned off $10 million.
  • …​
Unfortunately, this is just the tip of the iceberg, as most security breaches are not disclosed by banks out of fear of reputational damage. Studies have shown that financial services firms are attacked 300 times more frequently than other businesses and that a typical American bank is attacked a staggering 1 billion times per year (which amounts to more than 30 attacks per second).
This is not surprising, however, when you look at the impressive number of parties wanting to attack banks: state-supported hackers (e.g. Russia, North Korea…​), ethically or politically inspired hackers (hacktivists), financially motivated criminals, hackers attacking for pride or for the kick, competitors (industrial espionage) and insiders who hold a grudge against their employer.
Furthermore experts predict that the cost for banks of cyber-attacks will increase exponentially in the coming years, as banking becomes even more digitized, new channels like mobile, Open Banking APIs and Internet of Things become more popular and homeworking and new policies like "Bring Your Own Device" become rule rather than exception. With each digital door a bank opens, new vulnerabilities arise.
Combine this with the increased sophistication of the hacking attacks and it should be clear that cyber-security must be one of the main investment areas for banks in the coming years.
Banks that are not yet sufficiently aware of the importance of this threat will be forced to act, either by security breaches or by regulators. In recent years, regulators have started to introduce directives and frameworks to force banks to increase their security, e.g. PSD2’s Regulatory Technical Standards impose strong security requirements on all payments, GDPR not only imposes strong data security for personal and confidential data but also forces companies to publicly report breaches within 72 hours, and TIBER-EU is the first European framework to test the resilience of banks against cyber-attacks…​
But those investments should not all be going to IT solutions, like firewalls and improved authentication techniques. The increased sophistication of the attacks requires a cyber-security strategy, which is holistic for the whole organisation. This means all employees and all procedures are impacted, not just those of IT, as security is only as strong as its weakest link.
This cyber-security strategy should implement and enforce a range of best practices:
  • Overall end-to-end awareness of all employees of the risks and methods used in cyber-criminality. This can be done through training (e.g. training on social engineering techniques), information campaigns, customer education and "mystery customer" tests, but also via new methodologies like DevSecOps, which foresees that security is incorporated at every stage of a project implementation.
  • Layered approach: implement multiple layers of defense (physical security, firewalls, throttling, risk-based authentication, data encryption, network segmentation, VM/container security…​) to maximize isolation. It also means that the distinction between trusted, internal systems and external, public systems is outdated. Under the new "Zero Trust" paradigm ("Never trust, always verify"), internal systems too should not be trusted.
  • Devalue data: if a hacker does gain access to your data, ensure the data is worth nothing. This can be done by strong encryption of all (sensitive) data.
  • Continuous monitoring for breaches (intrusions or abnormal behavior), i.e. audit and monitor all activities on all systems and (automatically) identify abnormal behavior on systems (e.g. users doing actions they normally don’t do, peaks in download/upload traffic or CPU usage…​). This monitoring is a balancing act between identifying all breaches and avoiding too many "false positives", as those take up valuable analyst time and lead to alert fatigue.
  • Automatically reacting to a breach: as soon as a potential breach is identified (through continuous monitoring), automatic actions should be taken to contain the breach. This can be done by automatically blocking all access rights of the suspicious user account, shutting down the impacted system and potentially switching to backup systems, disconnecting all connectivity from the breached system to other systems…​ After the breach is contained and resolved, the system should automatically return to normal operations as quickly as possible.
  • Continuous Security testing: this should include:
    • Static Code analysis: automatic execution of static code analysis, allowing to detect security flaws (e.g. Cigital SecureAssist, Code Dx, IBM Security AppScan, Klocwork…​). This static code analysis should be part of the CI/CD pipeline.
    • A set of automated security tests, also executed as part of the CI/CD pipeline, allowing security flaws to be identified automatically before going to production.
    • Security tests as part of acceptance testing: include the successful execution of several security tests in the acceptance criteria of an acceptance testing phase. Often these tests (e.g. penetration tests) are executed by specialized firms.
    • White-hat ethical hackers: employ or temporarily hire a white-hat ethical hacker to find potential security flaws in your systems. This can also be organized in the form of a hackathon or a reward for any security flaw being reported (e.g. check out the "Google Vulnerability Reward Program").
    • Continuous Resilience Testing: inject automatically random security attacks in the production system, to continuously validate if the system can properly react (e.g. Security Monkey from Netflix’s open source Simian Army).
  • Automatic patching: automatic identification and installation (preferably immediate and without downtime for end-users) of any new patch on libraries/software being used. Achieving this level of maturity might be complex for an organization. An alternative is working as much as possible with cloud-based managed solutions, which take care of all patching for you, without any impact for the user.
  • Sharing of information about hacking attacks: due to the strong interconnectivity of banks, a breach in one bank will likely also negatively impact other banks. It is therefore imperative that banks collaborate on cyber-security. This includes defining security standards for data exchange, requiring third parties connecting with banks to adhere to the highest security standards, sharing best practices on cyber-security, sharing information on recent cyber-attacks…​
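As an added example (not code from the original post), the snippet below shows the "continuous monitoring" and "automatically reacting to a breach" practices together: it builds a per-user baseline from constructed audit-log lines, flags a user who performs an action they have never done before while also producing a traffic spike, and contains the account automatically. The log format, user names and thresholds are assumptions made for this example; requiring two independent signals before alerting illustrates the trade-off against false positives described above.

```python
"""Baseline anomaly detection with automatic containment (constructed example)."""
from collections import defaultdict
from statistics import mean

# Constructed audit log: "<timestamp> user=<id> action=<name> bytes_out=<n>" (assumed format)
AUDIT_LOG = """\
2024-03-01T08:01:00Z user=alice action=view_account bytes_out=1200
2024-03-01T08:03:00Z user=alice action=view_account bytes_out=1100
2024-03-01T08:05:00Z user=alice action=view_account bytes_out=1300
2024-03-01T08:10:00Z user=alice action=view_account bytes_out=1250
2024-03-01T08:12:00Z user=bob action=view_account bytes_out=900
2024-03-01T08:15:00Z user=bob action=view_account bytes_out=950
2024-03-01T09:00:00Z user=alice action=export_customers bytes_out=48000000
2024-03-01T09:01:00Z user=bob action=view_account bytes_out=1000
2024-03-01T09:05:00Z user=bob action=update_profile bytes_out=1000
""".splitlines()

MIN_HISTORY = 3    # events needed before a user's baseline is trusted (assumed)
SPIKE_FACTOR = 10  # bytes_out above 10x the user's mean counts as a spike (assumed)


def parse(line):
    """Turn one audit-log line into a dict with typed fields."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    return {"ts": ts, "user": rec["user"], "action": rec["action"],
            "bytes_out": int(rec["bytes_out"])}


def detect(lines, min_history=MIN_HISTORY, spike_factor=SPIKE_FACTOR):
    """Return (alerts, blocked_users) after replaying the log in order.

    Each event is compared with the same user's earlier events. Two signals exist:
    an action the user has never performed, and an outbound-volume spike. An alert
    (and automatic containment) fires only when both coincide, which keeps
    false positives low at the cost of missing single-signal cases.
    """
    history = defaultdict(list)   # user -> earlier parsed events
    alerts, blocked = [], set()
    for line in lines:
        ev = parse(line)
        past = history[ev["user"]]
        signals = []
        if len(past) >= min_history and ev["user"] not in blocked:
            seen_actions = {p["action"] for p in past}
            baseline = mean(p["bytes_out"] for p in past)
            if ev["action"] not in seen_actions:
                signals.append("new_action")
            if ev["bytes_out"] > spike_factor * baseline:
                signals.append("volume_spike")
        if len(signals) >= 2:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "signals": signals})
            blocked.add(ev["user"])   # containment: revoke the account's access rights
        past.append(ev)
    return alerts, blocked


if __name__ == "__main__":
    found, contained = detect(AUDIT_LOG)
    for a in found:
        print(f"ALERT {a['ts']} user={a['user']} signals={','.join(a['signals'])}")
    print("blocked accounts:", sorted(contained))
```

Bob's single new action with normal volume is deliberately left unalerted; a real deployment would feed such single-signal events to a lower-priority review queue rather than discard them.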
Most of these methods are, however, costly and often negatively impact user experience and user productivity. New techniques reduce the need for this compromise, but some negative impacts of tightened security are still to be expected. It is therefore important to compose a good business case stating which risk a bank is willing to take to improve usability and productivity. Based on this business case, a deliberate decision can be taken, including the necessary accountability.
Just like most regulations (e.g. MiFID2), cyber-security is mainly considered as cost for a bank, but when correctly implemented, it can also be an opportunity:
  • New risk-based authentication methods can not only improve security, but improve usability at the same time
  • With all reported data privacy and security issues, having a reliable and secure brand can be a valuable differentiator for attracting customers. The recent transformation of Apple into a "privacy-as-a-service" company (attacking the data-intensive business models of Google and Facebook) shows a need for secure services, which respect customer’s privacy. This differentiator will become even more important, when the bank positions itself as a central distribution platform for different products/services (from competitors and other industries).
  • Insurers have huge potential in the cyber-insurance space, not only providing products insuring customers against losses due to cyber-attacks, but also providing value-added services like knowledge sharing, trainings, APIs with cyber-security data, CyberGyms providing a training ground to train cyber-security specialists in responding to attacks…​
This article hopefully demonstrated that cyber-security is a large and complex topic, which will require considerable investments in the coming years, but which also provides important opportunities to the financial services industry. Due to the complexity, it is important to collaborate with industry experts and outsource as much as possible of the burden related to cyber-security. A move to a public cloud like AWS, Azure or GCP seems a contradiction when talking about security, but when the move to the cloud is calculated and well-executed it will likely increase your cyber-security (these cloud players have the best security specialists in-house), while reducing your spending on cyber-security at the same time.
The key message to be retained is that banks should start implementing their cyber-security strategy now and keep an open mind for new innovative solutions which can transform their cyber-security investments into business opportunities.
