Banking on security innovation to beat the hackers

Banks are being targeted by cybercriminals, and that looks likely to continue in a world with more data and devices. The question is: are banks being innovative enough with information security to ward off the threats?

From chip-and-pin fraud and distributed-denial-of-service (DDoS) attacks to malware and nation-state APTs, cybercrime has become a big problem for banks across the world.

In the last year alone, we’ve seen the emergence of Carbanak, the Russian gang which stole $1 billion from more than 100 banks across 30 countries, as well as high-profile data breaches at JP Morgan Chase, HSBC, Halifax and Barclays. JP Morgan subsequently pledged to spend $500 million on security following its breach in late 2014, a trend adopted by many other companies post-breach. Indeed, PwC predicts that US financial services companies will increase their cyber security budgets by $2 billion by 2017.

Banks more open to attack

This spending, and increased focus on information security, is hardly surprising. Banks are being asked to be more open, digital, and customer-focused through the advance of newer technologies like mobile payments, biometrics and wearable devices. Even additional security, such as two-factor authentication and password management, must be done with user experience in mind.

This is, however, putting an enormous strain on bank security teams, supply chains and compliance, as outlined by UBS CIO Oliver Bussmann in a recent blog post.

“[The] digitization of services means data privacy becomes an even more important issue than it already is for every financial services institution. Recent malware incidents show how fast changing cyber-security threats are and how important it is for any new technology to place data protection above everything else. 

“The regulatory landscape is also becoming tougher and any new developments must be integrated. Consequently IT systems need to have the flexibility and agility to respond to new demands from financial authorities. This is challenging, particularly for smaller entrants to the market, because resources are finite,” said Bussmann, adding that skills are another ‘major’ challenge in light of the advance of new technologies.

Commentators, subsequently, say that banks now have to innovate to satisfy customer ‘wants’, rather than needs, with YBS Group head of information security and risk, Mike Jolley, saying customer-centric strategies are emerging.

“Strategic trends are around a customer-first digital strategy. A year or so ago it was digital first,” he told CSO Online.


Alex Van Someren, managing partner of the Early Stage Funds at Amadeus and director of the Cylon London start-up accelerator, believes banks must think like hackers.

“The most advanced banks take a pro-active approach to cyber-security. They think like hackers: conduct external penetration testing against themselves, mine the dark web for their own information leakage, apply data classification products to prevent data loss (DLP). They do not rely on major product vendors alone, but experiment with leading-edge technologies from start-ups to evolve their defenses.”

Troels Oerting is Global CISO at Barclays Bank, which has been working with numerous security start-ups, partnered with Europol on sharing threat intelligence, and even ‘hacked’ its own systems to ensure they are secure. The international bank is reportedly boosting its security spend by 20 percent.

Speaking to CSO after delivering his latest cyber-security strategy to the board, Oerting detailed how important start-ups are to the bank.

Oerting, formerly of Europol’s European Cybercrime Centre, is mentoring a handful of start-ups in New York, Tel Aviv, Cape Town and Mumbai – and is leading accelerator programs in New York and London.

“We’re increasing our footprint on the accelerator program and on innovation too. We want to see if I can find companies that provide us with things that we want to be researching and developing. It could be blockchain technology, the replacement of the password, increasing endpoint security, the elimination of anti-virus, or DNS security.

“Privacy and security protection is such a big part of what a bank sells – because a bank sells trust. So, instead of waiting for security companies to deliver something when they see fit, we thought why not identify how we could improve the security by design in our own applications, platforms and endpoints…and maybe assisting customers too.”

Oerting says it is important to first identify the bank’s vulnerabilities before asking for help from security start-ups. The start-ups he now mentors include one that tracks Bitcoins and other digital currencies on Blockchain, another which uses Blockchain to secure diamonds, and a third which provides interactive security awareness training online using virtual reality and 3D glasses.

The Barclays chief admits that all this won’t stop the bank being breached, so instead he is prioritizing the bank’s incident response through red teaming, which tests internal applications, perimeter defense and staff against phishing attacks.

“If we get penetrated, we want to make sure we react very fast. It’s about shortening the time from detection to reaction. We acknowledge we probably will be penetrated, but we need to detect it, and isolate or kick them out as soon as they are in.”

“The aim is to make it too costly for a criminal gang to steal our money. Any criminal gang looks at risk, investment and profit and if that doesn’t match up, they will go elsewhere.”

He says there are numerous ways of ‘kicking out’ the hackers, while Van Someren says that most forward-thinking banks are now considering honeypots and dummy data sources.

Jitender Arora, another CISO in the financial services sector, agrees that response is now pivotal.

“Organizations are now looking at improving their detection and response capability to ensure they have a better chance of detecting early and responding effectively to contain the damage.”

Cloud concerns remain

Barclays is, of course, not the only bank trialing new security measures. In recent months, Citibank, UBS and others have experimented with Bitcoin, Halifax has been trialing heartbeat authentication and Credit Agricole has tested Blockchain. Citi Ventures has been investing significant money in security start-ups including Pindrop, vArmour and Illusive.

There is significantly less interest in security in the cloud, however. Jolley says that vendor moves, the collapse of Safe Harbor and the incoming EU General Data Protection legislation have put banks off.

Nik Whitfield, CEO of UK cybersecurity start-up Panaseer, which works with investment banks, agrees: “If you ask [CISOs] ‘would you put security in the cloud?’ they would say no way. Certainly, we don’t see any of the big guys moving security data wholesale into something like AWS.”

Arora disputes the view that banks are innovating at all: “Most organizations are quite static when it comes to their standard business services and technology stack,” he says.

“Imagine an organization with 20,000+ servers, 1,000+ applications, 100,000+ end points and a variety of technology flavors; it’s a complex landscape which makes it expensive and difficult to make drastic changes.”

Big data

Instead, some suggest that banks continue to face age-old problems, such as compliance and data storage, in the face of the mass collection of data.

Whitfield says there is now too much data for CISOs to derive any insight, with SOC teams also overrun with threat intelligence alerts.

“They realize they’ve only got very limited visibility of what is going on,” says Whitfield, adding that new technology solutions are often siloed and thus don’t talk to each other. Other experts say threat intelligence sharing issues remain.

“A CISO wants to get a broad picture of what is happening…but it’s simply not possible at the moment.”

By Doug Drinkwater