According to a recent report by banking sector association BBA and professional services network PwC, British financial companies spent £700m on cyber security last year. However, the financial sector’s current biggest security risk comes from a lack of employee training and awareness – not from under-investment in technology. Your Better Business put forward a few questions to Professor Richard Benham about the pressing issues of cyber security for businesses in the financial sector.
A major breach in any one part of a bank’s critical network infrastructure could cause it to fail, yet it is the growing use of social media hacking that could set in motion a potentially devastating ripple effect throughout the markets. When the Associated Press had its Twitter feed hijacked with a fake tweet reporting the bombing of the White House, within minutes the Dow Jones industrial average plunged 143 points.
Professor Richard Benham who founded The National MBA in Cyber Security in conjunction with the Business School at Coventry University, the UK’s Modern University of the year, recommends that in the same way that governments need to go through cyber security drills, banks must be subject to mandatory cyber security checks to make sure they can pass ‘stress tests’ for financial resilience.
Back in November 2013, a four-hour simulated cyber attack in London called Waking Shark II was conducted to test the city’s cyber security readiness. The report from the test recommended that other sectors in the UK’s finance industry should similarly test their own capabilities. However, Benham argues that whilst system testing is sufficient, not enough is being done to make sure individual employees are fully aware of basic cyber common sense, as employees without proper cyber training represent a significant weak link that could put major organisations at risk. In most cases, only a small number of people in the organisation are sufficiently familiar with cyber security issues and really understand the vulnerabilities of the business.
The way forward is finding a way for businesses to secure finances, prevent online security threats and offer the end customer an integrated and secure experience.
What are the main risks facing financial services in the digital age?
With the joint deregulation of financial services and the rise of the Internet in the 1980s, banking became a global industry with many banks setting up across various continents. Moreover, the need to generate profits from selling new products and wholesale investments became a priority.
Selling financial products over the phone was the next step, and with it came many of the challenges we face today when transacting online; namely identification of the customer and disclosure of bank account and credit card details, to name a few. This, coupled with new faster same-day payment systems (such as CHAPS), meant procedural safeguards were created.
Banks now understand that the selling of products and transaction of bank accounts online is highly cost effective against the traditional model of tills, bank clerks and branches. For personal customers it means real-time banking on smartphones and tablets, and call centres when something is needed. For businesses, the introduction of debit cards and the limited access to cheque books means less cash is taken and the need for a branch is lessened.
It appears we are becoming more comfortable with using less cash, electronic data trails and banks underwriting the use of online banking for fraudulent activity. The customer experience is also enhanced with 24-hour access, websites and help lines.
The downside however is reputational damage should a bank’s IT system be compromised. When we look at recent failures in banks’ IT security and the ripple effect it had on the confidence of the banking sector and the subsequent crash, it should teach us all a lesson to have a plan B.
Where are the threats coming from?
The threats and their motivations mainly come from the following areas:
Criminal gangs: Operating anywhere in the world, gangs will steal identities and attempt to extract money through false accounting or blackmail. They are highly organised and very quick to find a vulnerability.
Criminal individuals: Highly competent and with industry knowledge, they will usually do a larger one-off attack purely for financial gain.
The malicious outsider: A disgruntled customer, former member of staff or activist whose sole purpose is to destroy the reputation of, or cause distress to, an organisation. Banks are easy targets and social media campaigns can be highly effective. The publishing of customer details is a common method, although strangely the public seems apathetic to this.
The non-malicious outsider: As simple as a national central bank saying one of its banks has failed a stress test. Speculation leads to damage to a whole host of institutions unintentionally.
The malicious insider: One of the biggest risks, and this hasn’t changed over the years. A disgruntled employee can cause real harm. Armed with a password or a building pass and 5 years plus service, they are almost unstoppable. One of the biggest challenges is the verification of the identity of the person who is employed and the level of trust you allow.
The non-malicious insider: Lack of awareness and training can lead to an employee disclosing details in error, losing a laptop, sending emails to a home PC etc.
Nation state attack: Almost unlimited resources can be deployed to attack a nation’s infrastructure. However, most Western government and military infrastructures are also well-funded and protected. For this reason the use of embarrassing social media attacks is increasing, as is Economic Cyber Terrorism to create fear and economic damage to businesses.
Aside from loss of financial assets, how can cyber-attacks damage financial providers?
All banks within their risk models allow for the hard costs of repair from an attack. What isn’t covered, and is hard to assess, is reputational damage and the loss of current and future business as a result. It is surprising that a bank has not suffered a sustained coordinated attack using malicious insiders, social media and adverse press coverage. I predict this will happen in the next 5 years.
What is the industry currently doing to respond to these threats, on both an individual level, and collectively?
The UK is better placed than most and has responded to the challenge with significant investment. PwC predicts that financial-services companies globally plan to bolster their cyber security budgets by about $2 billion over the next two years. This is true of the banking sector. However, the reason I founded The National MBA in Cyber Security and The National Cyber Awareness course was the obvious gap that existed in understanding the business issues and consequences across a whole organisation. Cyber is a cross-departmental issue, not just an IT one. This is currently the biggest risk facing the banks today.
I am currently in discussion with The Bank of England to see how these qualifications can be used to reduce this risk.
How are financial institutions working to ensure international capital flows are kept secure?
Banks tend to be privately funded, profit-making institutions, and the sharing of information regarding cyber breaches is difficult in view of investor and customer confidence. I regularly lecture at the SWIFT conferences and there is much collaboration and investment in ensuring these are secure.
Is the industry doing enough to keep our money safe and what more could be done?
Part of my experience was in cross-border policing and there is a need for a defined international body to ensure information is shared confidentially. Both Europol and Cyberpol are seeking to do this; however, more collaboration is needed.
How do banks ensure that new technologies that provide greater convenience for customers, such as contactless payments, are secure?
They currently do this by providing small transaction sizes and guarantees for misuse. The big risk is the increasing of the limit. I suspect fingerprint recognition will be the next step forward.
With new technologies like mobile wallets (it’s estimated that mobile phones will account for 1.5 billion transactions a year by 2020), or even new digital currencies, such as Bitcoin, there have to be concerns for organisations that are playing catch-up to technology, to the customer behaviour it enables, and to criminals.
It’s not all doom and gloom though: digital security may not just be a “hygiene factor” for banks and financial providers, it can be a source of actual competitive advantage. Put simply, it seems to be about finding the right balance between securing the money, preventing attacks and ensuring that you offer customers the seamless and flexible experience that they now expect.