Banks are being targeted by cybercriminals, and that looks likely to continue in a world with more data and devices. Are banks being innovative enough with information security to ward off the threats?
From chip-and-pin fraud and distributed-denial-of-service (DDoS) attacks to malware and nation-state APTs, cybercrime has become a big problem for banks across the world.
In the last year alone, we’ve seen the emergence of Carbanak, the Russian gang which stole $1 billion from more than 100 banks across 30 countries, as well as high-profile data breaches at JP Morgan Chase, HSBC, Halifax and Barclays. JP Morgan subsequently pledged to spend $500 million on security following its breach in late 2014, a trend adopted by many other companies post-breach. Indeed, PwC predicts that US financial services companies will increase their cyber security budgets by $2 billion by 2017.
Banks more open to attack
This spending, and increased focus on information security, is hardly surprising. Banks are being asked to be more open, digital, and customer-focused through the advance of newer technologies like mobile payments, biometrics and wearable devices. Even additional security, such as two-factor authentication and password management, must be done with user experience in mind.
This is, however, putting an enormous strain on bank security teams, supply chains and compliance, as outlined by UBS CIO Oliver Bussmann in a recent blog post.
“[The] digitization of services means data privacy becomes an even more important issue than it already is for every financial services institution. Recent malware incidents show how fast changing cyber-security threats are and how important it is for any new technology to place data protection above everything else.
“The regulatory landscape is also becoming tougher and any new developments must be integrated. Consequently IT systems need to have the flexibility and agility to respond to new demands from financial authorities. This is challenging, particularly for smaller entrants to the market, because resources are finite,” said Bussmann, adding that skills are another ‘major’ challenge in light of the advance of new technologies.
Commentators, subsequently, say that banks now have to innovate to satisfy customer ‘wants’, rather than needs, with YBS Group head of information security and risk, Mike Jolley, saying customer-centric strategies are emerging.
“Strategic trends are around a customer-first digital strategy. A year or so ago it was digital first,” he told CSO Online.
Alex Van Someren, managing partner of the Early Stage Funds at Amadeus and director of the Cylon London start-up accelerator, believes banks must think like hackers.
“The most advanced banks take a pro-active approach to cyber-security. They think like hackers: conduct external penetration testing against themselves, mine the dark web for their own information leakage, apply data classification products to prevent data loss (DLP). They do not rely on major product vendors alone, but experiment with leading-edge technologies from start-ups to evolve their defenses.”
Troels Oerting is Global CISO at Barclays Bank, which has been working with numerous security start-ups, partnered with Europol on sharing threat intelligence, and even ‘hacked’ its own systems to ensure they are secure. The international bank is reportedly boosting its security spend by 20 percent.
Speaking to CSO after delivering his latest cyber-security strategy to the board, Oerting detailed how important start-ups are to the bank.
Oerting, formerly of Europol’s European Cybercrime Centre, is mentoring a handful of start-ups in New York, Tel Aviv, Cape Town and Mumbai – and is leading accelerator programs in New York and London.
“We’re increasing our footprint on the accelerator program and on innovation too. We want to see if I can find companies that provide us with things that we want to be researching and developing. It could be blockchain technology, the replacement of the password, increasing endpoint security, the elimination of anti-virus, or DNS security.
“Privacy and security protection is such a big part of what a bank sells – because a bank sells trust. So, instead of waiting for security companies to deliver something when they see fit, we thought why not identify how we could improve the security by design in our own applications, platforms and endpoints…and maybe assisting customers too.”
Oerting says it is important to first identify the bank’s vulnerabilities before asking for help from security start-ups. The start-ups he now mentors include one that tracks Bitcoins and other digital currencies on Blockchain, another which uses Blockchain to secure diamonds, and a third which provides interactive security awareness training online using virtual reality and 3D glasses.
The Barclays chief admits that all this won’t stop the bank being breached – so instead he is prioritizing the bank’s incident response through red teaming which tests internal applications, perimeter defense and staff against phishing attacks.
“If we get penetrated, we want to make sure we react very fast. It’s about shortening the time from detection to reaction. We acknowledge we probably will be penetrated, but we need to detect it, and isolate or kick them out as soon as they are in.”
“The aim is to make it too costly for a criminal gang to steal our money. Any criminal gang looks at risk, investment and profit and if that doesn’t match up, they will go elsewhere.”
He says there are numerous ways of ‘kicking out’ the hackers, while Van Someren says that most forward-thinking banks are now considering honeypots and dummy data sources.
Jitender Arora, another CISO in the financial services sector, agrees that response is now pivotal.
“Organizations are now looking at improving their detection and response capability to ensure they have a better chance of detecting early and responding effectively to contain the damage.”
Cloud concerns remain
Barclays is, of course, not the only bank trialing new security measures. In recent months, Citibank, UBS and others have experimented with Bitcoin, Halifax has been trialing heartbeat authentication and Credit Agricole has tested Blockchain. Citi Ventures has been investing significant money in security start-ups including Pindrop, vArmour and Illusive.
There is significantly less interest in security in the cloud, however. Jolley says that vendor moves, the collapse of Safe Harbor and the incoming EU General Data Protection legislation have put banks off.
Nik Whitfield, CEO of UK cybersecurity start-up Panaseer, which works with investment banks, agrees: “If you ask [CISOs] ‘would you put security in the cloud?’ they would say no way. Certainly, we don’t see any of the big guys moving security data wholesale into something like AWS.”
Arora disputes the view that banks are innovating at all: “Most organizations are quite static when it comes to their standard business services and technology stack,” he says.
“Imagine an organization with 20,000+ servers, 1,000+ applications, 100,000+ end points and a variety of technology flavors; it’s a complex landscape which makes it expensive and difficult to make drastic changes.”
Instead, some suggest that banks continue to face age-old problems, such as compliance and data storage, in the face of the mass collection of data.
Whitfield says there is now too much data for CISOs to derive any insight, with SOC teams also overrun with threat intelligence alerts.
“They realize they’ve only got very limited visibility of what is going on,” says Whitfield, adding that new technology solutions are often siloed and thus don’t talk to each other. Other experts say threat intelligence sharing issues remain.
“A CISO wants to get a broad picture of what is happening…but it’s simply not possible at the moment.”