Cybersecurity threats that keep the banks up at night
The threat landscape is always changing
In the current climate of major data breaches amidst an ever-shifting cyber threat landscape, the people in charge of vast volumes of valuable financial data are under increasing pressure to keep customer data safe from hackers and fraudsters.
Speaking at the SWIFT Business Forum in London last week, a range of senior security professionals at financial services firms and banks told the audience what keeps them up at night when it comes to cyber security and fraud. Here's what they said:
1. A constantly changing threat landscape
JF Legault, global head of cybersecurity operations at JP Morgan, highlighted the way that the threat landscape has changed over the past few years.
He explained: "In late 2014 we saw the advent of malware targeting wholesale banking platforms. Criminals stopped going after simple, low-value monetary amounts and shifted to high-value payment platforms. The reason they did that was a lot more yield on the crime they committed. We also saw a shift toward business email compromise. We also saw a number of breaches affecting the financial sector that led to fraudulent messages."
His diplomatic answer to what keeps him up at night was simply: "What the business says keeps it up at night. I am there to help the business innovate and look at the different risks they face."
2. False positives
In the fraud space, the biggest issue for banks is "false positives" in its anti-money laundering (AML) monitoring systems. This means issues being flagged that aren't actually fraudulent activities, taking up valuable analyst time.
Anthony Fenwick, global head of treasury and trade solutions and AML compliance at Citi Group said simply: "Our biggest problem in this industry is false positives."
When asked if artificial intelligence technology could help solve this issue, Fenwick said: "The story is why are we producing so many false positives, not 'let's deploy robots to get rid of the false positives'.
"One of the drivers I am trying to change is that the use of electronics and AI have to go hand-in-hand with the best humans. The idea that we remove all human activity from this process misses the point of what we are trying to do, which is marry these two capabilities to tackle the beast of bad data."
3. The big breach
Royce Curtin, managing director of global intelligence at Barclays, said: "It's the big breach that keeps us awake at night. If and when and that ultimate failure to provide the service customers expect and entrust us to keep safe. So we work very hard and take it very seriously the responsibility of building systems and trust for services that people feel comfortable using."
Last year saw the biggest data breach at a bank in UK history. Tesco Bank was hit by an attack which saw 20,000 compromised users lose money from their accounts. The banking wing of the supermarket giant is in the process of paying back £2.5 million to customers who had their accounts compromised.
4. Missing a breach
Brendan Goode, regional CISO for UK and Ireland at Deutsche Bank said he most fears the feeling of "did we miss something? Where you look back at the logs and it is right there."
This failure of the system to alert to a potential breach is a major part of a modern cyber security strategy, and would keep any CISO worth their salt up at night.
As the February 2016 hack of the Bangladesh Central Bank showed, customer accounts can be the most vulnerable point of entry to a bank's systems. The hackers used stolen privileged credentials to steal $81 million before they were caught.
Matt Middleton-Leal, regional vice-president UK, Ireland and Northern Europe at security software vendor CyberArk, said: "Banks fear attacks which hide behind insider privileges because they allow cybercriminals to appear as legitimate users, giving them unprecedented freedom to work their way up to their most valuable financial assets."
Gottfried Leibbrandt, CEO at the financial messaging vendor SWIFT admitted that the bank's customers "will always be the weakest link, but at the same time the response should not be 'let's fix the weakest link' but you have to take an end-to-end view."
"Yes the weak link will always be the customer at the end of the day," he said, "but in retail banking the banks have been able to put in controls after it gets into the bank to respond to suspect logins, fraudulent transactions and do real risk scoring."
6. Ruthless adversaries
Craig Rice, director of security at Payments UK and the CSO at BACS said that the threat shouldn't be considered a technology problem but more like organised crime.
"They are ruthless shadow operations that work outside of a regulatory regime," he said. "They are quicker than you are, they are more ruthless than you are and they are more willing to be pragmatic than you are. That's a really tough competitor you are dealing with, so stop thinking about this as a technology problem."
So, how do the banks confront these issues?
How do the banks deal with this ever-changing threat landscape?
Communication and intelligence
The main theme of the day regarding cyber security and fraud was a shift from a walled-garden approach to a holistic one, and this comes down to better communication and intelligence sharing.
JF Legault at JP Morgan laid out his approach to contending with the new threat landscape: "I am responsible for collecting threat and fraud intelligence to ensure that we know where adversaries are going and what they are going after."
He said this comes down to not just technology, but people and process: "So how do we go from a cyber security analyst that is very much focused on technology and cyber controls, to an analyst that understands the business and can have a conversation with someone in the payments space?"
This approach can also be seen in the language of modern cyber security vendors. Splunk's cyber security tools are all marketed with a focus on intelligence and response, and UK cyber startup Darktrace is making good progress in the enterprise market because it is rooted in this approach.
From perimeter security to multiple layers
Gottfried Leibbrandt from SWIFT highlighted the need for a change in thinking from its clients, "from perimeter security where no one gets inside our walls, to in-depth defence."
"Realising that sooner or later someone will get in and catching them when they get in, seeing what they do and being able to respond by having multiple layers of defence," he said.
Leibbrandt from SWIFT pointed out that the days of banks keeping their cyber strategy a closely guarded secret are over if there is to be any progress in combating today's cyber threats.
He said: "A lot of the threats we see today exploit the ecosystem, they don't look for an individual link in the chain, they look for weak points in the end-to-end chain, so the response means we have to work together as an ecosystem."
Many of the conference attendees mentioned the recently opened National Cyber Security Centre as a positive step for the private sector towards snuffing out cyber threats.
Goode from Deutsche Bank put it best when he said: "As soon as you make it more difficult, as soon as you start sharing and taking away the different avenues to target any bank and increase awareness, you make it a less enticing environment for adversaries to engage in."
Despite many admitting it is a pain, scenario testing and exercises are one of the best ways for organisations to protect themselves from cyber threats, especially when they are conducted across the industry. The Bank of England and Financial Conduct Authority have typically taken a pretty progressive and collaborative approach to resiliency benchmarking in the UK.
Legault from JP Morgan said: "Doing exercises, so getting everyone around the table and you simulate scenarios so you understand where your gaps are and what you do well, you understand what you need to build into your cyber process and your resiliency process. It is essential to do that with everyone within your organisation: legal, cyber, compliance, the business, the operations folks, the technology folks and even your peers."
Banks are increasingly looking to get more actionable insights to not just their security analysts but people within the business units themselves. This means intelligence that can be quickly turned into a response by the most relevant people, especially important in a landscape where breaches can happen in a heartbeat.
Brendan Goode from Deutsche Bank said: "In payments it is important to create intelligence inside the bank and publish it out and disseminate that fast and someone needs to receive it and do something with it, so actionable intelligence. That comes down to speaking a common language. So being able to say: here is a set of accounts and a volume of transactions that you should be mindful of, so that they can set alerts."