Skip to main content

Securing your doors is not enough. Go for a multi-layered security strategy.


Cyber-attacks are all over the news! From ransomware to phishing, farmware, malware and cryptojacking up to DoS attacks. It seems as if the internet has been transformed to the Wild West.
Combine this with our ever stronger dependency on the internet for our day-to-day life and it’s clear that cyber-security should be on the top of the agenda of every CEO and CIO. Especially in the banking industry, due to its strong dependency on the internet (online & mobile banking) and the sensitive nature of financial data. The whole banking system is based on trust: one successful cyber-attack can destroy this trust, resulting in enormous financial impacts for the affected bank. Even worse if customers would lose confidence in the security of their bank, this could lead to a Run on a Bank, which in case of a major bank could be catastrophic for the whole financial system.
While most bank CEOs and CIOs are conscious of these impacts, the examples of success ful cyber-attacks in recent year are not hard to find (the rate of breaches, or theft of sensitive data, in the financial services industry has tripled over the past five years):
  • In February 2016, hackers attacked the central bank of Bangladesh and issued 35 instructions using the SWIFT messaging system for an amount of $951 million. Fortunately, most of the transfers were blocked, but the cyber-attack did cost the bank $81 million.
  • In November 2016, the banking leg of the UK supermarket chain Tesco lost £2.5 million, when half of the 40,000 customer accounts were compromised. The attack resulted in a temporary freeze of all online transactions and in a fine by the FCA in 2018 of £16.4 million.
  • In December 2016, Russia’s Central Bank was breached for an amount of $31 million.
  • In May 2017, the WannaCry ransomware attack infected 230.000 computers in over 15O countries. In India several ATMs were shut down to avoid further infection (even though the link between the outage of the ATMs and the ransomware is denied by the Indian government).
  • In June 2017, the GoldenEye, also known as NotPetya, ransomware blocked thousands of computers worldwide. The impacts were considerable, e.g. the packages at TNT Express were blocked for several days in different European countries. Other major firms being impacts were FedEx, Merck, Cadbury…​ Apart from the National Bank of Ukraine, the impact on banks seems (as far is publicly known) to be limited, but the speed and impact of the outbreak put everyone on high alert.
  • In December 2017, the Russian bank Globex was attacked via its SWIFT network. Losses were not considerable (only $100.000), but the complexity of the attack shows the professionalism of certain hacker gangs (like Cobalt, Carbanak, Lazarus…​) specialized in attacking the financial industry.
  • In April 2018, 7 UK retail banks, including Santander, Royal Bank of Scotland, Barclays and Tesco Bank, had to limit or shut down their systems after sustained attacks. This cost them hundreds of thousands of pounds to remedy.
  • In October 2018 the Mumbai branch of the State Bank of Mauritius was hit by a cyber-attack through a fraudulent SWIFT payment, resulting in a loss of about $14 million.
  • In January 2019 state-backed hackers from North Korea infiltrated the Bank of Chile’s ATM network and siphoned off $10 million.
  • …​
Unfortunately, this is just the tip of the iceberg as most security breaches are not disclosed by banks, out of fear for reputational damage. Studies have showed that financial services firms are 300 times more frequently attacked than other businesses and that a typical American bank is attacked a staggering 1 billion times per year (which results in more than 30 attacks per second).
Not surprising however when you look at the impressive number of parties wanting to attack banks: state supported hackers (e.g. Russia, North-Korea…​), ethical or politically inspired hackers (hacktivists), financially inspired criminals, hackers attacking for the pride or kick, competitors (industrial espionage) and insiders who are frustrated against their employer.
Furthermore experts predict that the cost for banks of cyber-attacks will increase exponentially in the coming years, as banking becomes even more digitized, new channels like mobile, Open Banking APIs and Internet of Things become more popular and homeworking and new policies like "Bring Your Own Device" become rule rather than exception. With each digital door a bank opens, new vulnerabilities arise.
Combine this with the increased sophistication of the hacking attacks and it should be clear that cyber-security must be one of the main investment areas for banks in the coming years.
Those banks who are not sufficiently aware yet of the importance of this threat will be forced, either by security breaches or by regulators. Recent years regulators have started to introduce directives and frameworks to force banks to increase their security, e.g. PSD2’s Regulatory Technical Standards impose strong security requirements to all payments, GDPR not only imposes strong data security for personal and confidential data, but it also forces companies to publicly report breaches within 72 hours, TIBER-EU is the first European framework to test the resilience of bank against cyber-attacks…​.
But those investments should not all be going to IT solutions, like firewalls and improved authentication techniques. The increased sophistication of the attacks requires a cyber-security strategy, which is holistic for the whole organisation. This means all employees and all procedures are impacted, not just those of IT, as security is only as strong as its weakest link.
This cyber-security strategy should implement and enforce a range of best practices:
  • Overall end-to-end awareness of all employees of the risks and methods used in cyber-criminality. This can be done through training (e.g. training on social engineering techniques), information campaigns, customer education and "mystery customer" tests, but also via new methodologies like DevSecOps, which foresees that security is incorporated at any moment of a project implementation.
  • Layered approach: implement multiple layers of defense (physical security, firewalls, throttling, risk-based authentication, data encryption, network segmentation, VM/container security…​) to maximize isolation. It also means that making a distinction between trusted, internal systems and external, public systems is outdated. Under the new "Zero Trust" paradigm ("Never trust, always verify") also internal systems should not be trusted.
  • Devalorize data: if a hacker can gain access to your data, ensure the data is worth nothing. This can be done by strong encryption of all (sensitive) data.
  • Continuous monitoring for breaches (intrusions or abnormal behavior), i.e. audit and monitor all activities on all systems and (automatically) identify abnormal behavior on systems (e.g. user doing actions they normally don’t do, peaks in download/upload traffic or CPU usage…​). This monitoring is a balancing act between identifying all breaches, while avoiding too much "false positives", as those take up valuable analyst time and lead to incident fatigue.
  • Automatically reacting to a breach: as soon as a potential breach is identified (through continuous monitoring), automatic actions should be taken to contain the breach. This can be by automatically blocking all access rights of the suspicious user account, shutting down the impacted system and potentially switch to backup systems, disconnecting all connectivity to other systems from the breached system…​ After breach is contained and resolved, the system should automatically return to normal operations as quickly as possible.
  • Continuous Security testing: this should include:
    • Static Code analysis: automatic execution of static code analysis, allowing to detect security flaws (e.g. Cigital SecureAssist, Code Dx, IBM Security AppScan, Klocwork…​). This static code analysis should be part of the CI/CD pipeline.
    • A set of automated security tests, executed also as part of the CI/CD pipeline, allowing to identify security breaches automatically before going to production
    • Security tests as part of acceptance testing: include as part of the acceptance criteria of an acceptance testing phase, the successful execution of several security tests. Often these tests (e.g. PEN-tests) are executed by specialized firms.
    • White-hat ethical hackers: employ or temporarily hire a white-hat ethical hacker to find potential security flaws in your systems. This can also be organized in the form of a hackathon or a premium for any security flaw being reported (e.g. check out "Google Vulnerability Reward Program")
    • Continuous Resilience Testing: inject automatically random security attacks in the production system, to continuously validate if the system can properly react (e.g. Security Monkey from Netflix’s open source Simian Army).
  • Automatic patching: automatic identification and installation (preferably immediate and without downtime for end-users) of any new patch on libraries/software being used. Achieving this level of maturity might be complex for an organization. An alternative is working as much as possible with cloud-based managed solutions, which take care of all patching for you, without any impact for the user.
  • Sharing of information about hacking attacks: due to the strong interconnectivity of banks, a breach in 1 bank will likely also negatively impact another bank. It is therefore imperative to collaborate between banks on cyber-security. This includes defining security standards for data exchange, enforcing third parties connecting with banks to adhere to highest security standards, share best practices on cyber-security, share information on recent cyber-attacks…​
Most of these methods are however costly and often impact negatively the user experience and user productivity. New techniques reduce the need for this compromise, but some negative impacts of tightened security are still to be expected. It is therefore important to compose a good business case of which risk a bank is willing to take to improve usability and productivity. Based on this business case, a deliberate decision can be taken, including the necessary accountability.
Just like most regulations (e.g. MiFID2), cyber-security is mainly considered as cost for a bank, but when correctly implemented, it can also be an opportunity:
  • New risk-based authentication methods can not only improve security, but improve usability at the same time
  • With all reported data privacy and security issues, having a reliable and secure brand can be a valuable differentiator for attracting customers. The recent transformation of Apple into a "privacy-as-a-service" company (attacking the data-intensive business models of Google and Facebook) shows a need for secure services, which respect customer’s privacy. This differentiator will become even more important, when the bank positions itself as a central distribution platform for different products/services (from competitors and other industries).
  • Insurers have huge potential in the cyber-insurance space, not only providing products insuring customers against losses due to cyber-attacks, but also providing value-added services like knowledge sharing, trainings, APIs with cyber-security data, CyberGyms providing a training ground to train cyber-security specialists in responding to attacks…​
This article hopefully demonstrated that cyber-security is a large and complex topic, which will require considerable investments in the coming years, but also provides important opportunities to the financial services industry. Due to the complexity, it is important to collaborate with industry experts and outsource as much as possible the burdens related to cyber-security. A move to a public-cloud like AWS, Azure or GCP seems a contradiction when talking about security, but when the move to the cloud is calculated and well-executed it will likely increase your cyber-security (these cloud players have the best security specialists in-house), while reducing your spending on cyber-security at the same time.
The key message to be retained is that banks should start implementing their cyber-security strategy now and keep an open mind for new innovative solutions which can transform their cyber-security investments into business opportunities.

Comments

Popular posts from this blog

Transforming the insurance sector to an Open API Ecosystem

1. Introduction "Open" has recently become a new buzzword in the financial services industry, i.e.   open data, open APIs, Open Banking, Open Insurance …​, but what does this new buzzword really mean? "Open" refers to the capability of companies to expose their services to the outside world, so that   external partners or even competitors   can use these services to bring added value to their customers. This trend is made possible by the technological evolution of   open APIs (Application Programming Interfaces), which are the   digital ports making this communication possible. Together companies, interconnected through open APIs, form a true   API ecosystem , offering best-of-breed customer experience, by combining the digital services offered by multiple companies. In the   technology sector   this evolution has been ongoing for multiple years (think about the travelling sector, allowing you to book any hotel online). An excelle...

Are product silos in a bank inevitable?

Silo thinking   is often frowned upon in the industry. It is often a synonym for bureaucratic processes and politics and in almost every article describing the threats of new innovative Fintech players on the banking industry, the strong bank product silos are put forward as one of the main blockages why incumbent banks are not able to (quickly) react to the changing customer expectations. Customers want solutions to their problems   and do not want to be bothered about the internal organisation of their bank. Most banks are however organized by product domain (daily banking, investments and lending) and by customer segmentation (retail banking, private banking, SMEs and corporates). This division is reflected both at business and IT side and almost automatically leads to the creation of silos. It is however difficult to reorganize a bank without creating new silos or introducing other types of issues and inefficiencies. An organization is never ideal and needs to take a numbe...

RPA - The miracle solution for incumbent banks to bridge the automation gap with neo-banks?

Hypes and marketing buzz words are strongly present in the IT landscape. Often these are existing concepts, which have evolved technologically and are then renamed to a new term, as if it were a brand new technology or concept. If you want to understand and assess these new trends, it is important to   reduce the concepts to their essence and compare them with existing technologies , e.g. Integration (middleware) software   ensures that 2 separate applications or components can be integrated in an easy way. Of course, there is a huge evolution in the protocols, volumes of exchanged data, scalability, performance…​, but in essence the problem remains the same. Nonetheless, there have been multiple terms for integration software such as ETL, ESB, EAI, SOA, Service Mesh…​ Data storage software   ensures that data is stored in such a way that data is not lost and that there is some kind guaranteed consistency, maximum availability and scalability, easy retrieval...

IoT - Revolution or Evolution in the Financial Services Industry

1. The IoT hype We have all heard about the   "Internet of Things" (IoT)   as this revolutionary new technology, which will radically change our lives. But is it really such a revolution and will it really have an impact on the Financial Services Industry? To refresh our memory, the Internet of Things (IoT) refers to any   object , which is able to   collect data and communicate and share this information (like condition, geolocation…​)   over the internet . This communication will often occur between 2 objects (i.e. not involving any human), which is often referred to as Machine-to-Machine (M2M) communication. Well known examples are home thermostats, home security systems, fitness and health monitors, wearables…​ This all seems futuristic, but   smartphones, tablets and smartwatches   can also be considered as IoT devices. More importantly, beside these futuristic visions of IoT, the smartphone will most likely continue to be the cent...

PSD3: The Next Phase in Europe’s Payment Services Regulation

With the successful rollout of PSD2, the European Union (EU) continues to advance innovation in the payments domain through the anticipated introduction of the   Payment Services Directive 3 (PSD3) . On June 28, 2023, the European Commission published a draft proposal for PSD3 and the   Payment Services Regulation (PSR) . The finalized versions of this directive and associated regulation are expected to be available by late 2024, although some predictions suggest a more likely timeline of Q2 or Q3 2025. Given that member states are typically granted an 18-month transition period, PSD3 is expected to come into effect sometime in 2026. Notably, the Commission has introduced a regulation (PSR) alongside the PSD3 directive, ensuring more harmonization across member states as regulations are immediately effective and do not require national implementation, unlike directives. PSD3 shares the same objectives as PSD2, i.e.   increasing competition in the payments landscape and en...

Trade-offs Are Inevitable in Software Delivery - Remember the CAP Theorem

In the world of financial services, the integrity of data systems is fundamentally reliant on   non-functional requirements (NFRs)   such as reliability and security. Despite their importance, NFRs often receive secondary consideration during project scoping, typically being reduced to a generic checklist aimed more at compliance than at genuine functionality. Regrettably, these initial NFRs are seldom met after delivery, which does not usually prevent deployment to production due to the vague and unrealistic nature of the original specifications. This common scenario results in significant end-user frustration as the system does not perform as expected, often being less stable or slower than anticipated. This situation underscores the need for   better education on how to articulate and define NFRs , i.e. demanding only what is truly necessary and feasible within the given budget. Early and transparent discussions can lead to system architecture being tailored more close...

Low- and No-code platforms - Will IT developers soon be out of a job?

“ The future of coding is no coding at all ” - Chris Wanstrath (CEO at GitHub). Mid May I posted a blog on RPA (Robotic Process Automation -   https://bankloch.blogspot.com/2020/05/rpa-miracle-solution-for-incumbent.html ) on how this technology, promises the world to companies. A very similar story is found with low- and no-code platforms, which also promise that business people, with limited to no knowledge of IT, can create complex business applications. These   platforms originate , just as RPA tools,   from the growing demand for IT developments , while IT cannot keep up with the available capacity. As a result, an enormous gap between IT teams and business demands is created, which is often filled by shadow-IT departments, which extend the IT workforce and create business tools in Excel, Access, WordPress…​ Unfortunately these tools built in shadow-IT departments arrive very soon at their limits, as they don’t support the required non-functional requirements (like h...

An overview of 1-year blogging

Last week I published my   60th post   on my blog called   Bankloch   (a reference to "Banking" and my family name). The past year, I have published a blog on a weekly basis, providing my humble personal vision on the topics of Fintech, IT software delivery and mobility. This blogging has mainly been a   personal enrichment , as it forced me to dive deep into a number of different topics, not only in researching for content, but also in trying to identify trends, innovations and patterns into these topics. Furthermore it allowed me to have several very interesting conversations and discussions with passionate colleagues in the financial industry and to get more insights into the wonderful world of blogging and more general of digital marketing, exploring subjects and tools like: Search Engine Optimization (SEO) LinkedIn post optimization Google Search Console Google AdWorks Google Blogger Thinker360 Finextra …​ Clearly it is   not easy to get the necessary ...

Deals as a competitive differentiator in the financial sector

In my blog " Customer acquisition cost: probably the most valuable metric for Fintechs " ( https://bankloch.blogspot.com/2020/06/customer-acquisition-cost-probably-most.html ) I described how a customer acquisition strategy can make or break a Fintech. In the traditional Retail sector, focused on selling different types of products for personal usage to end-customers,   customer acquisition  is just as important. No wonder that the advertisement sector is a multi-billion dollar industry. However in recent years due to the digitalization and consequently the rise of   Digital Marketing , customer acquisition has become much more focused on   delivering the right message via the right channel to the right person on the right time . Big tech players like Google and Facebook are specialized in this kind of targeted marketing, which is a key factor for their success and multi-billion valuations. Their exponential growth in marketing revenues seems however coming to a halt...

AI in Financial Services - A buzzword that is here to stay!

In a few of my most recent blogs I tried to   demystify some of the buzzwords   (like blockchain, Low- and No-Code platforms, RPA…​), which are commonly used in the financial services industry. These buzzwords often entail interesting innovations, but contrary to their promise, they are not silver bullets solving any problem. Another such buzzword is   AI   (or also referred to as Machine Learning, Deep Learning, Enforced Learning…​ - the difference between those terms put aside). Again this term is also seriously hyped, creating unrealistic expectations, but contrary to many other buzzwords, this is something I truly believe will have a much larger impact on the financial services industry than many other buzzwords. This opinion is backed by a study of McKinsey and PWC indicating that 72% of company leaders consider that AI will be the most competitive advantage of the future and that this technology will be the most disruptive force in the decades to come. Deep Lea...