23rd January 2019 | Mansfield Thomas | Head of Security and Fraud Prevention

Steady As A Rock. Banking Security During Turbulent Times

Hardly a week passes without reading a headline or watching a news clip concerning another major data breach or loss of client information by a globally renowned corporation. In 2017, the United States alone suffered a reported 1,579 data breaches with 8.5% of those targeting the financial industry [1]. Globally, the average total cost of a data breach was $3.86 million in 2018 [2] and the cost of cybercrime was highest in the financial services industry with an average annualized cost of $18 million [3]. So what are modern financial institutions, like Golden Sand Bank, doing to combat this rise in cybercrime?

The Rise of Cybercrime as an Industry

With the advent of the integrated circuit, technology has grown in leaps and bounds depositing us here today in 2019 where we can use the miniature computers (smartphones) in our pockets to access the entire width and breadth of human knowledge (as well as our bank accounts) thanks to the world wide web. We can use our mobiles to speak with friends around the globe, look up recipes for dinner, or even run an e-business. But for all of the benefits technology brings us, it also gives rise to new types of crimes and a new type of threat actor. I’m talking, of course, about the cyber-criminal.

Since the very first misuse of a data network for profit, committed by the brothers François and Joseph Blanc in 1834 [4], cybercrime as an industry has consistently grown until we’ve reached the point where cyber-criminals are merging into groups and forming corporations such as the Russian-based CyberVor or RBN. Much like any legitimate business, these cybercrime ventures possess an organizational structure, networks, marketing teams, and many other features found in your normal corporation [5]. And it’s not hard to imagine why these criminal enterprises form when cybercrime worldwide is estimated to generate more than $1.5 trillion annually [6].

Groups like the multinational team behind WebStresser.org, which was responsible for enabling the massive Distributed Denial of Service (DDoS) attacks against seven major UK banks in 2017 [7], stand to make large profits by providing less-than-legitimate services to anyone with the coin (or BitCoin) to hire them. In fact, before their website’s seizure by law enforcement authorities, the group offered “the strongest and most reliable server stress testing” and “24/7 customer support spread on over three different continents”, and sold different packages of DDoS services ranging from their “bronze membership” at $18.99/mo all the way up to their “platinum membership” for $49.99/mo [8].

Other groups contribute to the growth of the industry by hosting online marketplaces which enable criminals to buy or sell illegal goods or services. Already we have seen multiple iterations of what is perhaps the most infamous of them, The Silk Road, rise only to be taken down again and again by law enforcement authorities. Further, the rise of cryptocurrencies such as BitCoin or Ripple has helped to facilitate this growth, as they are largely unregulated and offer a higher level of anonymity than payment transactions using conventional currencies [9].

So in light of this surge in a newly-mainstream, illicit market, what controls are financial institutions around the globe implementing to counteract this new threat and guard their clients’ data and transactions?

Cyber Security Technologies

Just as rapidly as cyber-criminals are devising new ways to circumvent and compromise data systems, cyber security professionals are developing and improving the tools and technology needed to defeat them. From simple solutions such as the segmentation of network infrastructure, to more advanced technologies like machine-learning and Artificial Intelligence, the growth of the cyber security industry has both matched and surpassed that of its malicious counterpart.  

Financial institutions around the globe already implement standard network security features such as firewalls, which filter inbound and outbound network traffic; intrusion detection and prevention systems, which monitor incoming network traffic, data storage activity, and processes running on systems; along with other standard network control measures. In addition, recent advances in cyber security technologies provide a plethora of new controls which can be implemented by forward-thinking companies around the globe to improve their level of data security. For example, context-aware behavioural analytics uses bioprinting, location tracking, and user behavioural profiles to determine whether a user’s system account is actually being operated by the user, or by a cyber-criminal who has compromised that set of user credentials and is using them for nefarious purposes [10]. Other technologies, such as Virtual Dispersive Networking (VDN), are used to ensure the security of transmitted information in a manner similar to modern military radios: the information is broken into multiple chunks, which are then encrypted and transmitted over randomized network paths, making the interception and decryption of the complete data file much more difficult [11]. With many companies now turning to cloud-based data storage both for business use and as a control to mitigate the risk from ransomware attacks, data formats such as Security Assertion Markup Language (SAML) are being developed and combined with existing SSO technology to ensure the confidentiality, integrity, and availability of data stored in the cloud [12].
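One way the context-aware behavioural analytics described above can work in practice, shown here as an added example rather than the bank’s own system: each login is scored against the user’s learned baseline (country, device, usual hours, keystroke cadence) and checked for impossible travel against the previous login, and a high score triggers step-up authentication instead of an outright block. The profiles, login events, weights and threshold are constructed assumptions.

```python
from datetime import datetime
from typing import Dict, List, Optional

# Constructed baseline profiles (assumption: learned from each user's past
# legitimate sessions). Example data only, not real bank records.
PROFILES: Dict[str, dict] = {
    "alice": {"countries": {"GB"}, "devices": {"dev-a1"},
              "hours": range(7, 22), "typing_ms": 180},
}

# Constructed login events in chronological order (example data only).
EVENTS: List[dict] = [
    {"user": "alice", "ts": "2019-01-23T09:15:00", "country": "GB",
     "device": "dev-a1", "typing_ms": 175},
    {"user": "alice", "ts": "2019-01-23T10:05:00", "country": "BR",
     "device": "dev-q9", "typing_ms": 60},
]

STEP_UP_THRESHOLD = 50  # assumption: score at which extra authentication is demanded


def score_event(event: dict, profile: dict, previous: Optional[dict] = None) -> dict:
    """Return a risk score and the context signals that contributed to it."""
    score, reasons = 0, []
    ts = datetime.fromisoformat(event["ts"])
    if event["country"] not in profile["countries"]:
        score, reasons = score + 30, reasons + ["unfamiliar country"]
    if event["device"] not in profile["devices"]:
        score, reasons = score + 25, reasons + ["unknown device"]
    if ts.hour not in profile["hours"]:
        score, reasons = score + 10, reasons + ["outside usual hours"]
    # Keystroke cadence as a crude behavioural biometric: >40% deviation is suspicious.
    if abs(event["typing_ms"] - profile["typing_ms"]) / profile["typing_ms"] > 0.4:
        score, reasons = score + 20, reasons + ["typing cadence mismatch"]
    # Impossible travel: a different country within two hours of the previous login.
    if previous and previous["country"] != event["country"]:
        gap_h = (ts - datetime.fromisoformat(previous["ts"])).total_seconds() / 3600
        if gap_h < 2:
            score, reasons = score + 40, reasons + ["impossible travel"]
    return {"score": score, "reasons": reasons, "step_up": score >= STEP_UP_THRESHOLD}


def evaluate(events: List[dict], profiles: Dict[str, dict]) -> List[dict]:
    """Score each event against its user's profile and that user's previous login."""
    last: Dict[str, dict] = {}
    results = []
    for ev in events:
        results.append(score_event(ev, profiles[ev["user"]], last.get(ev["user"])))
        last[ev["user"]] = ev
    return results
```

The second constructed login scores 115 and would be sent to step-up authentication; the first, matching the baseline on every signal, scores 0.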

While all of these technologies might sound exciting and high tech, the security of a financial institution is still only as strong as its weakest link, which in most cases is the people. With all of the modern defense mechanisms employed by companies globally, cyber-criminals have discovered that it is much easier and much less costly to exploit the human factor of a secured system than it is to try and hack through a firewall or circumvent other security controls. As a result, we have witnessed the prolific rise worldwide of phishing and other forms of social engineering attacks. These attacks are cheap, easy to launch against a wide variety and vast number of targets, and can be designed to exploit many different aspects of the human psyche. So how do security departments counteract this threat, you might ask? By continuously training and developing their employees in the field of cyber security, companies can mitigate part of the risk incurred by their employees handling sensitive data. Part of any robust security strategy, continuous employee training should cover everything from the company’s security policies to cyber awareness and current threat actors’ tactics. Cyber security should form part of a company’s culture, with employees at all levels invested and taking an active interest in the success of the company’s security strategy. Once again, technology helps to implement the solution: more and more companies are turning away from traditional PowerPoint presentations and instead using software or web-based training courses to instill this culture of cyber security within their organisation.

Cyber Security Regulation and Support

Technology, however, isn’t the only area in which cyber security has rapidly grown. Nations around the globe have realised the importance of securing not only their own government infrastructure, but also the markets and industries that their populations depend on. As such, we are beginning to see an increase in the regulation of how companies protect their systems and their clients’ personal data as well as how governments support them.

On the 25th of May 2018, the European Union’s new General Data Protection Regulation (GDPR) was put into effect, with companies situated in the EU being made to comply or risk undergoing data protection audits and receiving stiff fines, depending on which articles of the regulation are violated. The GDPR replaces the EU’s previous Data Protection Directive from 1995 and, overall, the regulation is designed to protect the personal data of individuals and govern how companies process this data. The regulation also outlines the rights of the individual to access their data or have it amended or erased, as well as the mandatory reporting by EU companies in the event of a data breach or loss [13]. While other countries, like the USA, have no federal equivalent of the EU GDPR, US-based companies that conduct business in the European Union are still made to comply with the GDPR, and a framework, titled the EU-US Privacy Shield, has already been put into effect [14]. Additionally, as of the 10th of December 2018, the EU Cybersecurity Act was agreed on by the European Parliament, the Council, and the European Commission. This act will help to establish an EU framework for the cyber security certification of products, processes, and services [15].

Regulations, however, are not the only way in which nations and governments push to secure their cyber security agendas. In 2005, the European Union Agency for Network and Information Security (ENISA) became operational and, along with other objectives, it assists EU businesses in meeting the requirements of EU regulations governing network and information security. The United Kingdom has followed suit with the creation of its National Cyber Security Centre (NCSC), which went operational in 2016 and serves much the same purpose. Across the Atlantic, the United States’ Department of Homeland Security has created an Office of Cyber Security & Communications and, as of November 2018, the Cybersecurity and Infrastructure Security Agency (CISA).

Globally, nation-states are embracing the requirement to secure their cyber borders through both regulation and technology, as likewise, companies are implementing new technologies to safeguard their data, and, despite the rising number of cyber attacks worldwide, this bodes well for the future of financial institutions and their clients. 
