Finance Monthly

Securing the Financial Future

Insights from IBM on Battling Cyber Threats in an Evolving Landscape


Corey Hamilton

Global Financial Services Leader & Partner, IBM Security Services


As the Global Financial Services Leader at IBM Security Services, could you share your insights on cybersecurity in the financial industry?

The financial services sector is undergoing a period of prolonged and far-reaching change – a digital transformation that has been in progress for some time but which was accelerated by the pandemic. The widespread adoption of hybrid working, often supported by the implementation of cloud-based systems, reduced or constricted budgets and daunting technical debt are just some of the more obvious developments; adaptations that are uncovering new vulnerabilities and opening up new routes of attack for cybercriminals and hostile states.

In recent years, we have seen increased cyber threats targeting the financial sector, including state-sponsored threats. What are some emerging trends or techniques that cybercriminals employ, and how can financial institutions stay ahead of these threats?

One of the most worrying trends is the rise of increasingly sophisticated ransomware attacks. The days of simply locking someone’s data and then demanding a payment in return for the encryption key are long gone. Attackers have largely replaced that model with a more damaging two-step approach that simultaneously paralyses a target’s system while surreptitiously extracting its data.


Cybercriminals are always looking for the next development. As a result, things are about to get even more complicated: triple extortion has arrived. This takes the two-step approach and adds in ransom demands directed at a victim’s supply chain, a common source of vulnerability as the security maturity of each part of a supplier network won’t necessarily be the same.


How does IBM Security Services help financial organisations develop robust cybersecurity strategies? Are there any specific frameworks or methodologies that you follow?


The financial services sector needs to take a ‘zero trust’ approach to security – a methodology that abandons the idea that you can trust anyone as far as security is concerned. Everyone needs to be re-evaluated and re-authenticated and then given the lowest set of system privileges required for them to operate.


This approach also assumes the worst – that a breach is happening – it’s about spotting it rather than thinking, ‘I can’t see an attack, I’m therefore okay’. Zero trust argues that every organisation is under attack – it’s just a matter of how bad it might be.


Data breaches and data privacy are major concerns for financial institutions. What steps should organisations take to ensure the security of customer data and comply with regulatory requirements and avoid being hacked in the first place?


The burgeoning digitisation of the financial services industry, including the widespread adoption of hybrid cloud, has rightly attracted the attention of regulators and policy makers. As a result, financial institutions need to balance innovation with increasingly stringent compliance and security requirements. For example, the Bank of England is looking at ways to facilitate greater resilience and the adoption of cloud-based services and other new technologies – an approach that combines support for innovation with regulatory oversight.


With the rise of cloud computing and remote work, how can financial institutions effectively manage cybersecurity risks in these environments? What are some best practices for securing cloud-based systems and remote access?


Financial institutions are among the top targets for cybercriminals because of the wealth of valuable data they hold, which makes them very attractive to cybercriminals. This hasn’t gone unnoticed – businesses are waking up to the notion that standard security measures are not enough in the cloud. To keep customers’ and proprietary data secure and private, enterprise-grade security innovations, such as confidential computing, are essential.

Of course, security in the digital domain isn’t new; protecting internet communication with HTTPS is well established, as is the use of SSL, which was initially applied to credit card transactions but has since become ubiquitous. Confidential computing has the potential to become equally pervasive due, in part, to the widespread adoption of cloud technology.

By ensuring that data is processed in a shielded environment, confidential computing makes it possible to securely collaborate with partners without divulging proprietary information. It makes it possible for different organisations to amalgamate data sets for analysis – such as fraud detection – without getting to see each other’s information.

Artificial intelligence and machine learning are being increasingly used in cybersecurity. How is IBM incorporating these technologies into its security solutions, and what benefits do they offer regarding threat detection and prevention?


IBM Cloud for Financial Services is designed to help clients mitigate risk and accelerate cloud adoption for even their most sensitive workloads. Security controls are built into the IBM Cloud to enable financial institutions to automate their security and compliance behaviours and make it easier for clients to simplify their risk management and demonstrate regulatory observance.


The IBM X-Force Protection Platform augments our cyber security experts with AI and automation at global scale, resulting in more effective, efficient and resilient security operations. We have successfully helped clients proactively identify, protect, detect, respond and recover faster from attacks due to the unique capabilities of the platform. Our platform’s AI is used on top of what vendors provide within their off-the-shelf tools. The platform learns and incorporates the intelligence from hundreds of analysts across thousands of our clients. It provides guidance on policy recommendations and reduces the noise, so critical items can be addressed immediately.

The services platform promotes effective, efficient, and resilient security operations, at global scale, connecting workflows across our different services. It provides a method for integrating all of an organization’s security technologies cohesively within our open ecosystem. What this means is that the services platform is IBM’s end-to-end integrated approach to Security Services. This includes a combination of software, services and methodologies which are integrated in a centralized platform providing the clients with a unified experience. IBM’s services platform integrates across people, processes and tools using open standards and best practices.


Looking ahead, what do you see as the future of cybersecurity in the financial industry? Are there any emerging technologies or trends that will significantly impact how financial institutions approach cybersecurity?


Highly regulated industries are feeling pressure to transform with an ever-increasing rate and pace. However, they must not lose focus on security, resiliency and compliance on their mission to modernise. This is especially important for financial services where regulations are rapidly changing and exposure to cyber threats has escalated to unprecedented levels. And it’s about to get even more complex.


Financial institutions need AI tools that are accurate, scalable and adaptable, and can keep up with the evolving threat landscape. IBM has been a leader in the work of foundation models – and watsonx is part of IBM’s push to put state-of-the-art foundation models in the hands of businesses. Furthermore, IBM is thinking bigger – building and applying foundation models for entirely unexplored business domains such as geospatial intelligence, code and IT operations.

Financial institutions also need to be crypto-agile in order to protect themselves from attack by quantum computers. Quantum and crypto agility can help financial institutions to improve their cybersecurity posture. The aim is to combine the performance of current processes that use classical and AI solutions in fraud management, risk management and customer experience, with that of the latest quantum technology, with the goal of achieving a quantum advantage.


This is where AI comes in. It can help cybersecurity teams by automating protection, prevention, detection and response processes. Paired with human intelligence, financial services companies can extend their visibility across a rapidly expanding digital landscape of applications and endpoints.


Many people who are new to digital transactions are not fully aware of how to make them secure, or of which parts of the internet are secure and which are not. Such people make easy prey for hackers and attackers who want to take control of people’s sensitive information. If you do not have much experience with digital platforms and how to use them securely for transactions, here are some tips that can help you secure your digital transactions:

Be Cautious With Public WiFi Networks

Many users are attracted by the easy and fast internet access available through public Wi-Fi networks in places such as airports, restaurants, coffee shops and railway stations, but they are often unaware of the security risks that come with public Wi-Fi. Hackers look for people with weak security on such insecure networks and try to take advantage of them, so there are a few things to keep in mind when using public Wi-Fi. Hackers often set up their own Wi-Fi network with an SSID that is the same as, or almost the same as, the network you intend to connect to. The aim is to make users believe there are two legitimate networks available and that either one is safe to join; anyone who joins the rogue network has all of their communications and data pass through it, where the hacker can track them. So it is never safe to use Wi-Fi networks that are not protected by a password, and it is certainly not wise to make digital transactions over such unsafe networks.

Enable OTP For Digital Transactions

Whenever you make online transactions with a credit or debit card, enable the OTP option. The next time you make an online card transaction you will then receive an OTP on your registered email address or mobile number.

It is a unique one-time password (OTP) that is valid only for the current transaction. Paying through an OTP is a much safer option because, even if your card information were to be compromised, no transaction can be made without the OTP sent to your email address or mobile number.

Use A VPN

Using a VPN (Virtual Private Network) to make digital transactions is a much more secure option. A VPN not only bypasses geographical restrictions placed on online content but also adds a layer of security by routing your traffic through a secure tunnel, so that your data and online activity cannot be tracked by anyone, even your ISP. VPNs are widely used around the world by both enterprises and individuals to secure browsing sessions, and many people use one when making digital transactions. A VPN can be installed on your smartphone, and you can also set one up for your whole Wi-Fi network from the router’s admin interface, reached through the router’s default gateway address, i.e. 192.168.0.1, 192.168.1.2 or 192.168.1.1. Most VPNs charge a monthly subscription; some are free to use, but paid VPNs are much better than free ones.

Identify Secure Web Pages 

Never respond to fake emails that arrive in your inbox. Hackers have another trick up their sleeve: they send fake emails pretending to be from your bank. Whenever you receive such an email, check one thing above all: whether the web page you are visiting is secure. Most websites rely on security protocols such as HTTPS (HyperText Transfer Protocol Secure) to protect users and keep their transactions secure. These websites can be identified by a green padlock in the browser URL bar, and the website address will start with “https” instead of http or www.

These are some of the ways you can make your digital transactions secure. Always remember that public WiFi networks are never secure; it is better to use your mobile data than a public WiFi network, since mobile data is encrypted and more secure than a public network.

Also, if you do use a public WiFi network for transactions (which we don’t recommend), secure your connection with a VPN to avoid any sort of problem, and always enable the OTP option so that, even if your sensitive information is compromised, no one can perform a transaction without your consent.

Cyber threats are on the rise and are becoming more sophisticated, and there is a need for eCommerce stores to protect themselves. Cybercriminals attack e-commerce sites looking to exploit information and steal money. Understanding the security threats your e-commerce store faces is essential in figuring out the protective measures to take. Here is a list of the most common eCommerce security threats.

1. DoS and DDoS attacks

Several online stores have incurred losses from disruptions to their sites and sales caused by DoS and DDoS attacks. Your online store receives an overwhelming volume of requests from many untraceable IP addresses, which makes it crash and leaves it unavailable to site visitors.

2. Phishing

Phishing is one of the main ways hackers compromise eCommerce stores. This type of social engineering steals login and password details by sending out spam emails disguised as coming from a well-known person or organisation. Attackers can even create a phishing page that resembles the login page of your payment processor or e-commerce site and send you a message asking you to log in to fix an error. Once you fall for this and try to log in, they capture your login details and use them to log into the real e-commerce or payment processor sites.

3. SQL injections

E-commerce sites that use an SQL database are at high risk of an SQL injection attack. The hackers inject malicious SQL commands into the queries your site’s scripts build, which changes how your site reads data and gives the hackers access to commands on your site.

SQL injections target query submission forms as their way into your website database. Through them attackers inject malicious code, allowing them to add, collect, change or delete data on your website at will.
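The SQL injection entry above comes down to one coding mistake: pasting a form value into the SQL text instead of binding it as a parameter. As an added example (not code from the original article), the vulnerable and the hardened form of a product-search query side by side, using a constructed SQLite catalogue; the table, column and product names are assumptions.

```python
import sqlite3

# Constructed sample data standing in for a store's product table; the
# unpublished row represents data the storefront must never expose.
SAMPLE_PRODUCTS = [
    ("Blue widget", 9.99, 1),
    ("Red widget", 12.50, 1),
    ("Unreleased gadget", 99.00, 0),
]


def make_store() -> sqlite3.Connection:
    """Build an in-memory catalogue so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (name TEXT, price REAL, published INTEGER)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def search_unsafe(conn: sqlite3.Connection, keyword: str) -> list[str]:
    """Vulnerable: the form value is interpolated into the SQL text, so a
    quote character in it ends the string literal and whatever follows is
    executed as part of the query. A keyword ending a quote and appending
    an always-true condition returns the unpublished row as well."""
    sql = (
        "SELECT name FROM products "
        f"WHERE published = 1 AND name LIKE '%{keyword}%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, keyword: str) -> list[str]:
    """Hardened: the query text is fixed and the form value travels as a
    bound parameter, so the database treats it purely as data. Quotes,
    comment markers and keywords in the input have no effect on the
    query's structure, and the published = 1 filter always applies."""
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{keyword}%",))]
```

The same rule applies to every statement the form feeds, including the INSERT, UPDATE and DELETE paths that let an attacker add, change or delete data rather than merely read it.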

4. Malware

Malware results in revenue loss for the eCommerce business. Hackers may use malware to target the site server or the computers of key people with high-level access to the site. The malware lets the hackers control the server and execute commands on the eCommerce site, giving them access to data on the server and the ability to hijack traffic to your site.

5. Spam emails

Spam email is a major way through which attacks such as malware and phishing are carried out. Spammers often hijack the individual or organisational email accounts of people you know to send spam emails, making you believe the messages are legitimate. The emails link to infected and phishing sites that compromise the computer’s security and, in turn, the store.

6. Credit and debit card fraud

Identity theft through credit and debit card fraud is a serious threat, with an estimated loss of $24 billion annually. It happens when someone steals credit or debit card details from unsuspecting victims and uses them to make purchases from e-commerce stores. The store processes the order, not knowing the card details are stolen, and loses the revenue through a chargeback.

2021 has seen most businesses transition from offline to online operation, which translates into increased safety issues. An online business is only as safe as its cybersecurity strategy. Invest in robust, premium cyber security assistance that fits your needs and budget.

Adam Vincent, Co-Founder and CEO of ThreatConnect, explores the increasing risk of cyber attacks and the serious financial damage they can cause. 

Recent high-profile incidents, including the ransomware attacks against the Colonial Pipeline system and JBS USA, the world’s largest meat processor, demonstrate the urgent need for critical infrastructure owners and operators to adopt a risk-led cyber security program. It is becoming clearer by the day that these major firms are not having the proper risk conversations between their cyber security experts and business executives.

Cyber security must be treated and communicated to executives the same way as other critical business risks. “Cyber security is now a critical enabler for most businesses to continue operating,” said Michael Daniel, President & CEO of Cyber Threat Alliance, in a recent interview. “And it needs to be framed in that way. And I think that’s very much the place that we need to move is putting it in those business terms, framing it in those risk terms.” 

Organisations should be quantifying risk – including cyber risk – based on potential financial and operational impact. The process of doing so creates a common goal that unifies security teams and business leaders. My firm, ThreatConnect, recently conducted a survey and found that 70% of security professionals received “medium to high levels of pressure to produce cyber risk quantification data for their business.” A more telling aspect of the survey, however, showed that half of the respondents said they lack confidence in their ability to communicate and report the financial impact of cyber risks, prioritise vulnerabilities and security alerts, and justify their future investments to mitigate those risks. The reason for this is two-fold:

Unfortunately, the only way to completely eliminate risk is to cease operations. Understanding that there’s always going to be some residual risk, the question then becomes: what is the risk appetite of the business? A good way to determine this is to zero in on your organisation’s key value proposition and then think about the mechanisms by which a cyber incident could undermine those business metrics. Automated cyber risk quantification (CRQ) enables enterprises to quickly model changes in their security posture to understand the financial and operational impact of a cyber incident. ‘What-if’ analysis allows business leaders to answer the tough questions using real-world analysis to show the cyber risks associated with:

Automated outputs are generated in just hours for reporting that is more current and relevant. By automating risk modelling, businesses get a fast start and can then critique, or tune models over time, instead of having to create their own.

Armed with metrics like business interruption, reputational damage, and legal fines, security leaders can better communicate and justify their security initiatives. Attaching a financial impact to potential threats can help your various stakeholders see what deserves priority, estimate the net financial loss if an attack is successful, ascertain whether the organisation has proper controls in place, and determine whether future technology investments are necessary. 

The growing pace and sophistication of nation-state attacks, coupled with an ever-expanding attack surface, makes our ability to accurately quantify and prioritise cyber risks within the context of our individual businesses an urgent priority. But when business networks and systems can be compromised in a way that disrupts or halts industrial operations, that points to a clear failure to identify, understand, prioritise and remediate the most critical cyber risks facing one’s organisation.

Bridging the gap between cyber security and business, however, remains an aspirational goal for many who struggle to understand where to begin. We cannot allow this situation to continue in the critical infrastructure space. Our critical infrastructures need a risk-informed decision and operational support platform that can help them prioritise and focus on the risks that matter most and can leverage threat intelligence to drive orchestrated response. It is our single best chance of improving cyber security outcomes and protecting our businesses from harm.

With businesses embracing big data, new tech and digital media, the role of traditional CFO is evolving from financial expert to strategic partner, data analyst, talent curator and more. With the support of several data streams, James Booth, Chief Financial Officer at Instant Offices explains for Finance Monthly what this new era of the multidiscipline strategist means and how there is more potential than ever for CFOs to be the architects of change within business.

Five Factors Keeping CFOs Up at Night

1. Brexit

Around 75% of CFOs worry Brexit could have a negative impact on business in the long-term, compared to just 9% who don’t, according to Deloitte. Along with Brexit risks, weak demand and the prospect of tighter monetary policies are ranked as the top worries for CFOs in 2018. Despite high levels of uncertainty across the board, research shows CFOs are still highly focused on growth plans, and the level of desire to expand business over the next year is at its highest since 2009.

2. Skills Shortages

According to research, 44% of CFOs have reported recruitment difficulties and skills shortages in 2018. To add to the challenge, The Open University Business Barometer revealed a massive 91% of UK organisations say they have had difficulties hiring skilled employees in the last 12 months.

3. Rising Stress Levels

78% of UK CFOs believe stress levels are set to rise in the next two years as workloads increase, business expectations grow, and companies face a lack of staff, according to Robert Half. Research also shows CFOs expect their finance teams’ workloads to increase, while 52% are planning to hire interim staff as a short-term solution.

4. Big Data

Research firm IDC predicts that by 2025, we’ll see 163 trillion gigabytes of data output every year. And a recent study by Accenture suggests that by 2020, 90% of a CFO’s time and efforts will be spent on working with data scientists to turn data into actionable insights that organisations can use for strategic decision-making.

5. Increased Cyber Security Threats

Studies from Verizon show that 59% of cybercriminals are motivated by financial gain and are likely to target finance and HR – areas which fall into the CFO realm – suggesting CFOs are going to be expected to take a proactive approach to cybersecurity.

Top Five CFO Priorities for the Upcoming Year

In Q2 of 2018, CFOs listed the following as strong priorities for business in the following 12 months:

  1. 49% say increasing cash flow is the top priority
  2. 47% say reducing costs
  3. 37% say introducing new products and services and expanding into new markets
  4. 18% say expanding by acquisition is a priority
  5. 14% say raising dividend or share buybacks

What Skills will CFOs Need by 2020?

The CFO Must Become a Leader of Innovation: New tech, including AI, will become a core part of the innovation strategy within businesses looking to remain competitive, and CFOs will be required to understand the opportunities presented by new tech to drive growth. By 2020, 48% of CFOs are set to be using AI to improve performance.

CFOs Must Embrace Big Data: According to a report by the ACCA and IMA, the CFO and finance team is set to be at the heart of the data revolution. In order to make sense of the large volumes of data the world will be generating by 2020, CFOs will need to be able to accurately interpret data to generate quality, actionable insights for CEOs and board-level decisions.

The CFO Must Manage Risk Under Scrutiny: As tech grows and presents more complex risks to business, expectations on the CFO will be high. They’ll be required to implement and manage cutting-edge risk management processes within the finance department and business as a whole. A proactive approach towards threats will be key. One report by NJAMHA showed four in ten finance chiefs currently own or co-own cybersecurity responsibility within their organisations.

The CFO Must Prepare Talent for the Future: Prepping talent for a finance role was once the domain of HR, but in order to prepare new employees for the future of finance, CFOs are going to be required to increase involvement to ensure new employees can multitask, show technical competence and handle business strategy. Around 42% of CFOs are also prioritising soft skills as a key element for future hires.

The CFO Must Be a Leader in a Rapidly Changing Workplace: With the consumerisation of real estate becoming a global trend, more businesses are choosing an agile approach to office space to expand into new markets, reduce costs, increase networking opportunities and improve staff happiness. Tied into this, the modern CFO will need to develop leadership skills to not only manage talent but also implement development strategies that work across remote teams with geographic and language differences.

Today, the role of the CFO has evolved from financial expert to a multidiscipline strategist. In addition to traditional accounting and finance responsibilities, by 2020 research shows the top priority for CFOs will be keeping pace with technology and harnessing big data.

Nowadays, CEOs expect CFOs to have an impact on business direction and strategy more than ever before. And while the question of who owns analytics is still an open question across sectors, according to a report by Deloitte, finance is the area most often found to invest in analytics at 79%, and CFOs can use it to bridge the gap between strategic and operational decision-making.

Stephen Ufford, Founder and CEO of Trulioo, discusses how mobile can offer increasing protection against modern fraud.

In a world where interaction is increasingly made through screens rather than face-to-face, it is often difficult for companies to tell exactly who their customers are online, which poses a serious risk to security and compliance.

This threat is doubled by increasing legislative pressure. A host of new regulations passed at the end of 2017 mean that companies have to focus more and more on knowing exactly who their customers are.

The end of January was the final deadline for financial services firms to register ‘ultimate beneficial owners’ so that the individuals behind every account, and those who benefit from it, are clearer. The Fourth Anti-Money Laundering Directive (4AMLD) stipulates that companies need to be aware of the ultimate identity of business entities. This prevents the development of shell companies for tax evasion and money laundering, among other financial crimes.

Under the Second Payment Services Directive (PSD2), which also passed in January, any transaction above 30€ needs to be subject to a two-factor authentication process, which verifies the identity of the customer through two separate pieces of information.

This can be based on something they know, such as a password; something intrinsic about them, such as biometric data like fingerprints or facial appearance; or something they possess, such as specific documentation.

In a digital age, this is easier said than done. Gone are the days when customers walk into a branch to set up their bank account in person. The vast majority of financial interactions nowadays are carried out simply through the click of a mouse or, more recently, the swipe of a phone. The number of mobile phone users in the world is expected to surpass the 5 billion mark by next year.[1] Last year, mobile transactions overtook those made online and in branches – according to data by Visa. [2]

But this increasing shift to mobile devices can provide a KYC opportunity, offering another item that customers possess, and can use to identify themselves. With access to Mobile Network Operators (MNOs), financial services firms can access another form of identification – possession of a specific handheld device.

This usually involves an SMS text message being sent with a verification code to the user’s mobile. The code can then be used to authenticate that the account being accessed is by the owner of the phone, verifying identity through possession of the device. MNOs already have access to extensive identity information on their subscription holders, as they are also expected to meet stringent KYC requirements. Financial Services firms can use this vital layer of identification and compare it against other pieces of evidence, such as document and passwords, for the benefit of all parties.
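The SMS possession check just described and the transaction OTP recommended in the tips earlier on this page rely on the same server-side mechanism: a code sent out of band that the server must tie to one specific action, expire quickly and accept only once. As an added example (not code from Trulioo or any bank), a hypothetical OtpService that issues and verifies such codes; the server key, the six-digit format, the two-minute lifetime and the three-guess limit are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120      # assumed lifetime: the code is worthless afterwards
OTP_MAX_ATTEMPTS = 3       # assumed guess limit before the challenge is voided


@dataclass
class _Challenge:
    context: str           # what the code authorises, e.g. one exact payment
    code_mac: bytes        # HMAC of the code; the clear code is only sent out
    expires_at: float
    attempts: int = 0


class OtpService:
    """Issue and verify one-time codes bound to a single action.

    `clock` is injectable so expiry can be tested without sleeping.
    The pending store is in memory here; a real deployment would use a
    shared store so any front end can verify a code."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key          # constructed key; keep real ones in a secrets manager
        self._clock = clock
        self._pending: dict[str, _Challenge] = {}

    def _mac(self, challenge_id: str, context: str, code: str) -> bytes:
        # Folding the context into the MAC is what binds the code to one
        # action: the same digits for a different amount or account fail.
        msg = f"{challenge_id}|{context}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, context: str) -> tuple[str, str]:
        """Create a code for `context` such as 'pay:EUR 49.90:merchant-42'
        or 'login:acct-7'. Returns (challenge_id, code): the code goes to the
        customer's registered phone or email, the id stays with the request."""
        challenge_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[challenge_id] = _Challenge(
            context=context,
            code_mac=self._mac(challenge_id, context, code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return challenge_id, code

    def verify(self, challenge_id: str, context: str, code: str) -> bool:
        """True only if `code` is the live, unused code for exactly this
        context. Success, expiry and too many wrong guesses all remove the
        challenge, so a code can never be replayed or brute-forced online."""
        ch = self._pending.get(challenge_id)
        if ch is None:
            return False
        if self._clock() > ch.expires_at:
            del self._pending[challenge_id]
            return False
        ch.attempts += 1
        # Constant-time comparison: a timing leak would let a caller learn
        # the code digit by digit.
        ok = hmac.compare_digest(ch.code_mac, self._mac(challenge_id, context, code))
        if ok or ch.attempts >= OTP_MAX_ATTEMPTS:
            del self._pending[challenge_id]
        return ok
```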

Another useful function of handheld devices is their capacity to record biometric data. The majority of smartphones include a front-facing camera that can be used to take a photo, capturing inherent data about a person’s appearance.

As technology on phones improves, this opens up opportunities for further layers of authentication. Many iPhones have the capacity to register fingerprints, as well as the facial recognition capacity extensively advertised in the iPhone X.

At the moment, these innovations are limited to higher-end devices. However, as this capability becomes more widespread amongst devices, using further biometric data proofs for customers will become increasingly feasible.

Additionally, the ability of mobile devices to verify identity has a wider potential for citizens of the world. Vast numbers of the global population are unbanked, not included in the financial system, and without a financial identity. But the extreme reach of mobile technology could change this.

In Mexico, for instance, only 40 percent of adults have a bank account, yet there are 80 phone subscriptions for every 100 people. Being unconnected to any formal bank can leave many people financially disempowered, unable to access any kind of financial services, which leaves their funds insecure and without growth potential. The ability to verify identity through mobiles means that previously unbanked individuals can be provided with access to financial services in the future.

In an increasingly globalised world, borders are becoming more fluid. The global population is more mobile than ever, with many people moving between borders for work or shopping in foreign countries over the internet. Cross-border e-commerce, for instance, is growing at 25 percent annually.[3] As individuals and money routinely travel increasing distances between geographical and legislative areas, this makes securing identity and tracing transactions more difficult than ever.

But mobile devices can be taken across borders and connected to their original MNO via other local networks. In a growingly interconnected world, as fraud threats become more sophisticated and regulation more stringent, mobiles and their networks can provide a consistent proof of identity that brings security and increased access to financial services for everyone.

[1] https://www.statista.com/statistics/274774/forecast-of-mobile-phone-users-worldwide/

[2] https://www.visaeurope.com/media/pdf/40172.pdf

[3] http://www.dhl.com/en/press/releases/releases_2017/all/express/cross_border_ecommerce_is_one_of_the_fastest_growth_opportunities_in_retail_according_to_dhl_report.html

Paul Taylor, Partner and UK Head of Cyber Security at KPMG discusses why a shift in thinking is needed in the way we think about the role of cyber in business risk planning.

In the race to improve efficiency, increase productivity and outstrip rivals, the adoption of new technologies is now a permanent characteristic of the business landscape. The prospect of rapid productivity gains and breakthrough opportunities is driving organisations to automate processes, connect systems and leverage new kinds of infrastructure before the competition can. However, the pursuit of competitiveness through technology adoption has blurred the boundaries between devices, systems and employees, creating new vulnerabilities that are increasingly exploited by cyber criminals and nation-state backed groups.

In today’s digital landscape, connected medical devices provide physicians with faster and more accurate patient diagnoses, whilst retrofitted smart sensors allow production equipment to automatically signal to other devices once a process is complete and when the next process needs to begin, speeding up manufacturing time and efficiency. At the other end of Industry 4.0, rail providers adopt real-time cab signalling and traffic management systems, which have the potential to create additional train paths and avoid the need for extra lines of track by increasing capacity on existing lines. In the public sphere, vehicle manufacturers race to deploy driverless cars with the latest automated control systems and sensory equipment, designed to help identify safe navigation paths, obstacles and traffic light systems.

The unrelenting pursuit of better, faster and more efficient ways of deploying and creating technology has driven innovation in our businesses and across our economy, ensuring the UK is a world leader in a multitude of industries. Yet this position at the top of the leader board has to an extent come at the cost of security. The current nature of cyberspace means it is far easier for malicious actors to carry out opportunistic, vulnerability-based attacks than targeted hacking campaigns. Taking full advantage of the constantly evolving technological landscape, hostile individuals and criminal groups invest their time researching digital infrastructures and devices in order to design attack software that exploits vulnerabilities and weak points.

This kind of exploit-based hacking was seen when criminals took advantage of an overlooked vulnerability in Sony’s computer systems, which gave them full access to the company’s wider network. The alleged group behind the attack crippled the company network before releasing sensitive corporate data, including four unreleased films, business plans, contracts and the personal emails of senior staff – having a huge impact on the business. Such attacks are not restricted to large company networks. Plans to upgrade the UK’s rail signalling to a ‘connected network’ have also been shown to be vulnerable to hackers who could use software to tell a train that it is speeding up when it is slowing down, or even give it a false location. These fears were almost realised last year when it was revealed the UK rail network had been compromised in four major ‘exploratory’ cyber-attacks. In Finland, hackers hit a building management system with a distributed denial of service (DDoS) attack that left residents with no central heating, and in 2015 Chrysler was forced to recall 1.4 million cars after security researchers revealed that the vehicles’ internet-connected entertainment system could be hacked. To cap it all, at last year’s DEF CON security conference, contestants found 47 vulnerabilities in 23 IoT devices, including smart door locks, refrigerators and solar panel arrays.

Whether it’s increased connectivity, automating systems or upgrading networks, organisations – both public and private – are finding themselves dependent on new technological capabilities long before they have begun to consider how those capabilities leave them open to cyber-attack.

Many businesses are starting to deploy RegTech (Regulatory Technology) in preparation for regulations such as GDPR and MiFID II, arguably taking these more seriously because the cost of non-compliance is clearly defined. The impact and cost of a cyber attack can be just as bad, so a shift in thinking is needed: a cyber attack is not just a technical incident, it is a risk to the whole business.

The impact of these kinds of attacks can include lost revenue, loss of intellectual property, erosion of customer loyalty and reputational damage. The practice of innovation at the expense of security cannot therefore be maintained, and leaders need to start to think of a lack of security for what it really is – a risk to the whole business.

As outlined in a recent white paper on cyber security business risk by the information security professionals’ body (ISC)², titled ‘What Every Business Leader Should Know About Cyber Risk’, organisations must ultimately incorporate cyber into the wider risk plan of the business. Within this, key operational dependencies that are being overhauled, upgraded or introduced must be identified, and any critical technology that needs protection must be prioritised. This could be your organisation’s server network, the website on which your customers’ financial trades take place, or even individual devices. Bringing the CISO into risk evaluation discussions should also be made compulsory going forward.

Technological transformation is an inherent part of the world in which businesses operate, but in order to mitigate the threat, accepting cyber security as a business risk is paramount. Cyber attacks are only going to increase, and businesses are offering hackers an open door by failing to incorporate cyber security within the risk register. If the uptake of new capabilities by businesses is to be maintained securely, then cyber security must become a deciding factor in the implementation of any technology.


With the worldwide number of robots in smart factories now topping a million, Ross Thomson cites a lack of awareness as the reason most operators haven’t tackled the threat.

“Many firms believe hackers only want personal or financial data, but there is a credible risk to industrial robots,” says Mr Thomson, Principal Consultant at Amethyst Risk Management, which advises government and industry on cyber security.

He points out the risk is growing as robots, like other devices, are increasingly connected to wider networks and the internet. That gives hackers more ways in, and the consequences are potentially disastrous.

In one example, attackers locked up a robotic assembly plant in Mexico and demanded a ransom from the operators. Mr Thomson also highlights the safety risk for human factory operatives if a robot were to be hacked.

Lack of awareness and preparedness for a cyber-attack extends to robot makers. Mr Thomson points to an experiment where researchers hacked a robotic arm and forced it to mis-perform, compelling its manufacturer to plug the security hole.

Nightmare scenarios

The threat might come from disgruntled employees, criminals, recreational hackers or nation states.

One kind of attack would inject faults or defects in the production process, or lock it down completely as in the Mexican incident, leading to loss of production and revenue. If defective products make it to market, they can cause reputational damage, a potential advantage that could motivate an attack by unscrupulous competitors.

By manipulating safety protocols, hackers could cause the robot to injure human operators, or to damage itself or the factory environment. Alternatively, attackers might attempt to steal sensitive data from the machines themselves or the wider company network through remote access.

How easy is it to hack a robot? Ease of access to the software varies, making an inside job more likely in some scenarios. Firmware may be freely available online or retrievable from used robot CPUs, and some manufacturers allow programmers to access code in a simulation environment, creating a potential practice ground for would-be robot hackers.

Hackers have other ways to infiltrate besides the internet. They may attack from within the factory, for example by connecting to the robot directly through a USB port, or by accessing its computer controller either physically or through a remote-service connection.

Once they have penetrated the system, they can potentially alter the controller’s parameters, tamper with calibration programmes or production logic, and alter the robot’s perceived state (for example, to show it is idle when it is not) or its actual state, causing loss of control.

How big a risk?

The scale of the threat could be enormous. It’s estimated there will be 1.3 million robots in factories worldwide by next year (2018) and that 12 per cent of jobs will have been taken over by automated systems within a decade and a half. Robots are operating across almost all industrial sectors, from car manufacturing to aviation and food processing.

The UK’s National Cyber Security Centre has highlighted hacking of robotic, unmanned and autonomous systems as a subject for attention, both by itself and by the intelligence organisation GCHQ.

A survey of robotics engineers by Italian academics found that three quarters had never properly checked the cybersecurity of their infrastructure, a third of robots were accessible from the internet, and half of respondents did not see a realistic cyber security threat. To make matters worse, industrial robots often have weak authentication protocols and outdated software running on vulnerable operating systems.

Operators need to take the necessary precautions

Mr Thomson urges operators of industrial robots to conduct a professional review of cybersecurity risks, have an incident response plan in place in case of a security breach and ensure that software is regularly updated, especially with security patches. The security review should look at what data robots hold and how they are potentially connected to sensitive data elsewhere on the network.

“Considering the risk to production, people and facilities, it must be taken seriously from board level to operational level,” he says. “An internet-connected robot should be treated with the same security precautions as any computer on the network, including setting long, complex passwords rather than relying on manufacturers’ default. There is a temptation to neglect updates because they may cause production downtime, but it needs to be given a higher priority.”

He advises operators to make security a key factor when sourcing new industrial robots, selecting a manufacturer that shows commitment to the issue and provides frequent software updates with security patches.

“Limiting who has access to robots and segmenting machines from networks where possible can also reduce risk,” he advises.

Ultimately, one of the most effective precautions is also one of the most prosaic, and may comfort those who fear their jobs will be stolen by robots, as Mr Thomson explains: “It’s hard to imagine a time when we dare leave robots to get on with it, so until and unless that day comes, we need humans to keep watch on robots at work.”

(Source: Amethyst Risk)

Following an internal review, SEC Chairman Jay Clayton revealed that the organisation had been the victim of “Malicious attacks”. The revelation came in a 4,000-word statement released on Wednesday and caused concerns among those on the trading floor.

The Securities and Exchange Commission is responsible for handling almost 1.7 million financial market disclosure documents a year through its EDGAR system, which was revealed as the source of the leak. The admission will be a source of embarrassment for the SEC, whose mission statement is to ‘protect investors’. Clayton’s statement confirmed that the intrusion was discovered and subsequently fixed in 2016. However, last month the SEC discovered that the breach may have allowed data acquired in the hack to be used to make illegal profits on the stock market.

In addition to the cyber hack, Clayton’s statement also confirmed that private e-mail accounts had been used to transmit confidential data and that a number of SEC laptops that may contain confidential data are missing.

Wall Street has been suitably dismayed by the leak, given the potential risks that have been thrust upon it by the very organisation that is tasked with policing trades. However, the cyber breach will not come as a surprise to many within government who have previously raised concerns about the SEC’s security systems, including the Department of Homeland Security, which reportedly discovered five “critical” weaknesses in the SEC’s systems as recently as the start of 2017.

The US markets are already on edge, following the recent Equifax data breach which resulted in the leak of 143 million consumer records and is the subject of increased scrutiny and at least one Federal investigation.

In a bid to restore faith in the institution, Clayton has given his assurances that the SEC is taking cyber security seriously; he stated that: "The Commission will continue to prioritize its efforts to promote effective cybersecurity practices within the Commission itself and with respect to the markets and market participants it oversees," and that all steps are being taken to ensure there is not a repeat of a leak.

The disclosure is a further indication that large financial companies and institutions are under increasing threat from cyber attacks. The SEC statement did not specify who was behind the breach, but countries such as Russia and North Korea have recently been linked to several high-profile hacks on large organisations.

Clayton and the SEC will need to ensure that the Commission does not fall victim again if it is to rebuild its significantly damaged reputation on Wall Street.

A new report commissioned by Samsung reveals that by 2020 companies which have not opened their borders to competitors, innovators and a new generation of independent freelancers will struggle to prosper in what Samsung calls the 'Open Economy'.

This new Open Economy will be characterised by a deep use of freelance workers, routine embedding of startup driven innovation and a new kind of collaboration between former competitors.

Over the last decade, thanks to the ubiquity of mobile technology, businesses have become more open and collaborative and have a clear understanding of the benefits compared to existing 'closed' business models. However, within just three years, organisations will be operating in a world much less restricted by technical or human boundaries. People, data and ideas will be integrated into current business models more freely, yet it will be crucial for businesses to get to grips with, and fully embrace, the agile technologies and expectations of tomorrow's work culture.

To thrive in this world of new technologies and highly dispersed digital workforces, companies will need to embrace security platforms which will allow them to share information openly but safely. This in turn will force them to fundamentally rethink how they build their business models and the technologies they depend on.

"Finding ways to safely empower new waves of future freelance workers is going to be the number one business challenge. Within three years, it's expected that businesses will have to deal with over 7.3 billion connected devices, whilst a rapidly digitised and changing workforce will evolve to one that will transform businesses in how, where and when they operate," says Nick Dawson, Global Director Knox Strategy.

On the global stage, European companies are leading the way in adopting the infrastructure and human capital that will power the next stage of this digital revolution. This will put them in pole position to harness the open and ultra-flexible workforces and businesses over the next three to ten years, according to research from The Future Laboratory which formed the basis of the report.

Across industries, innovation will emerge from new sources, with reverse innovation tactics of embedding start-ups at the heart of organisations becoming the norm. As this new future develops they will become critical strategic elements and a powerful driving force for innovation in every corner of businesses.

Marcos Eguillor, Founder of BinaryKnowledge and professor at IE Business School, a specialist in digital innovation and transformation, says: "Relying on past certainties will not foster the creativity that business will need to compete in tomorrow's global market place. Companies will need to adopt the technologies that allow them to be fast and flexible enough to spot and understand their next competitive advantages, and recognise when it's time to disengage from the previous one."

Tomorrow's organisations will use AI and machine learning technology to accurately predict - and make better decisions - about their future. It is not just today's devices that present risk. Already new machine intelligences are being widely deployed in the commercial world that are self-organising, self-adapting and capable of far more accurate predictions about the future state of their businesses. Advanced machine intelligence will give those companies which adopt them unprecedented power to plan ahead and optimise their business models.

However, this desire for a more open approach often conflicts with the critical need to maintain high levels of security at all times across a company's entire network of devices and endpoints. Driven by a rapidly evolving threat landscape and enforced by new legislations such as General Data Protection Regulation (GDPR), organisations will face many new challenges as they strive to protect their data across their entire business.

Nick Dawson continues: "Cyber-security platforms that allow businesses to be both technologically open and safe are the key to unlocking the future of the Open Economy." Samsung Knox is such a platform. Today, it is the most powerful defence against mobile security threats in the workplace, thanks to an adaptive, modular design that embeds encryption and security keys in a secure chip-based hardware container. This allows the creation of secure, completely isolated work and personal identities on the same mobile device, ensuring that corporate data is always inaccessible to personal apps and processes and, critically, that personal privacy is always respected and maintained.

(Source: Samsung Electronics)

Financial technology has seen significant growth over the last few years, with organisations seeking to meet customers’ growing demands for more digital and mobile services. FinTech solutions that enable anytime, anywhere and any type of transacting have definitely come a long way but there’s still room to grow.

As we start off 2017, our discussions with customers and prospects, as well as our general observations suggest a few trends for the year.

 

Digital customer onboarding will be a top priority

Customer onboarding remains one of the few business processes yet to be fully digitised. Some financial organisations have already tried digital onboarding with low value, high volume use cases, but we are now seeing growing interest for mobile onboarding around high value transactions – typically mediated scenarios with more complex workflows. It’s because of the emergence of onboarding platforms like e-signatures that can handle sophisticated workflows and transactions, and provide the ability to connect to popular back-end technology systems, that we are seeing the shift to automate more complex onboarding scenarios.

According to Forrester Research, “Banks like Bank of America, Royal Bank of Canada, and U.S. Bank are now digitally verifying a customer’s identity and using electronic signatures to provide an instant decision on certain retail products within minutes; they are also issuing the account number in real time.”

Cyber security will be at the heart of digital transactions

Recent high-profile data breaches have focused many financial organisations on where their weaknesses lie, especially with regard to security. Organisations are reconsidering the security around each process or transaction they are taking digital. A DDoS attack in October highlighted how fragile digital transacting can be, with security often added after a hack or breach rather than upfront.

As a result, we are going to see a shift to digital processes that is rooted in transaction security. The concept of a digital trust chain that links technologies together to provide a secure transaction from end-to-end will be at the heart of digital transformation.
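One concrete way to realise such a trust chain, shown here as an added example that is not code from the original article or from any vendor's product, is to record each step of a digital transaction (identity verified, document presented, e-signature captured) as an audit record whose HMAC covers both the record and the previous record's MAC. Editing, deleting or reordering any step after the fact then breaks verification at that step. The step names, customer identifier, agreement text and audit key below are constructed assumptions for the illustration:

```python
"""Tamper-evident audit chain for a multi-step digital transaction.

Added example, not code from the original article: each step of an
onboarding transaction is stored as a record whose HMAC covers the record
body and the previous record's MAC, so a later edit, deletion or
reordering of any step is detectable. Step names, customer IDs, the
agreement text and the key are constructed for the illustration.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed key for the example only; in practice the key lives in an
# HSM or KMS and the records are written to append-only storage.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64  # fixed anchor for the first record's 'prev' field


def _canonical(record: Dict) -> bytes:
    """Deterministic serialisation so the MAC does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _mac(body: Dict, key: bytes) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_step(chain: List[Dict], step: str, detail: Dict,
                key: bytes = AUDIT_KEY) -> Dict:
    """Append one transaction step, linking it to the previous record."""
    prev = chain[-1]["mac"] if chain else GENESIS
    body = {"seq": len(chain), "step": step, "detail": detail, "prev": prev}
    record = dict(body, mac=_mac(body, key))
    chain.append(record)
    return record


def verify_chain(chain: List[Dict], key: bytes = AUDIT_KEY) -> Tuple[bool, int]:
    """Return (True, -1) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "mac"}
        # Sequence number and back-link catch deletion and reordering.
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        # The MAC catches edits to the body and use of the wrong key.
        if not hmac.compare_digest(_mac(body, key), rec.get("mac", "")):
            return False, i
        prev = rec["mac"]
    return True, -1


def build_sample_chain() -> List[Dict]:
    """Constructed three-step onboarding transaction."""
    chain: List[Dict] = []
    agreement = b"constructed account agreement text"
    append_step(chain, "identity_verified",
                {"customer": "C-1001", "method": "document_scan"})
    append_step(chain, "document_presented",
                {"doc": "account-agreement-v3",
                 "sha256": hashlib.sha256(agreement).hexdigest()})
    append_step(chain, "esignature_captured",
                {"customer": "C-1001", "consent": True})
    return chain


def edit_demo() -> Tuple[bool, bool, int]:
    """Rewrite which document was signed; verification must fail at index 1."""
    chain = build_sample_chain()
    ok_before, _ = verify_chain(chain)
    chain[1]["detail"]["doc"] = "account-agreement-v2"
    ok_after, bad = verify_chain(chain)
    return ok_before, ok_after, bad


def delete_demo() -> Tuple[bool, int]:
    """Drop the document step entirely; the sequence gap is caught at index 1."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_chain()))
    print("edited:", edit_demo())
    print("deleted:", delete_demo())
    print("wrong key:", verify_chain(build_sample_chain(), key=b"other"))
```

verify_chain walks the records from a fixed genesis value: a wrong key fails at the first record, an edited step fails at that step, and a removed step fails at the position where the sequence number no longer matches. This only makes tampering detectable; preventing it still depends on keeping the key out of reach of anyone who can write to the log.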

Mobile-first will finally become mobile-first

Mobile technology is more ubiquitous and secure than ever, and financial organisations are hard pressed to ignore the need to provide services designed primarily with the consumer’s mobile experience in mind. That’s why this will be the year that mobile-first initiatives will actually be put first.

It’s well-documented that mobile device use is on the rise, which is fuelling the need for mobile apps – to date, there are over 5 million apps available that people rely on every day, and according to Yahoo’s Flurry Analytics, 90 percent of a consumer’s mobile time is spent in apps. This staggering statistic is the driving force behind organisations’ development of mobile apps of their websites and web applications.

For financial organisations, offering a mobile-first experience also means errors can be minimized and processes can be compressed from days to single sessions. It’s all about speed, less manual work, tighter compliance and meeting expectations for a modern experience.

Artificial Intelligence will emerge but will not dominate

In its current form, artificial intelligence offers somewhat limited applications for financial services. It can easily deal with queries such as ‘How can I make a transfer between accounts?’ and ‘How long does it take to process a payment?’, but more detailed queries still require human interaction. However, we can already see some of the benefits AI offers, namely efficiency and a more seamless user experience. For example, Swedbank’s web assistant, Nina, achieved an average of 30,000 conversations per month and first-contact resolution of 78% in its first three months. Nina can handle over 350 different customer questions and answers. As the technology evolves, AI will take on more functions that will broaden its scope.

The rise of artificial intelligence will likely have widespread applications in financial services in future, but for now humans, or a hybrid of automated and mediated transactions, are better placed to provide the best service in most cases, something financial services organisations should remember when considering how to invest in artificial intelligence.

A simplified approach to digital transformation

Digital transformation implies that an organization needs to undertake a massive project, which can be intimidating and a potential roadblock to starting the digitisation process. However, it doesn’t have to be so complicated – digital transformation can be as simple as digitising one process or transaction across one line of business.

The best thing financial organisations can do is choose technology for digital transformation initiatives that can be built as enterprise solutions and reused across all lines of business and processes, essentially a “build once, deploy anywhere” model. This simplified approach allows businesses to take on digital transformation at a pace that works for them.


In November, news broke that Tesco Bank had been hacked and that 20,000 customers fell victim to thefts from their balances. This was just one in a long line of recent high-profile cyber-attacks that also saw the likes of Yahoo!, LinkedIn and Ashley Madison suffer serious breaches.

When it comes to the reasons behind cyber-attacks on businesses, the majority of breaches are currently reported to stem from attacks on databases, while a smaller but still significant share (around a quarter) are attributed to negligent employees or contractors. Yet these are only two of a number of ways in which hackers can gain entry. Motivations for the attacks can be equally varied, from morally or politically inspired hacks, as with the Ashley Madison breach, to the more common pursuit of financial gain or competitive advantage.

According to a UK government report, intellectual property theft is the most damaging form of cyber-crime for businesses in the UK, reportedly costing an estimated £9.2 billion. It is easy to understand, therefore, why cyber-security companies are such hot targets for investment and acquisition. Cyber-security firm Cylance, for instance, recently completed a Series D funding round at a valuation rumoured to be near $1 billion.

The effect of a hack on companies can be severe. The 2015 cyber-attack on TalkTalk, in which almost 157,000 customers’ bank details were accessed, reportedly cost the company £42 million and led to a loss of roughly 100,000 customers. Meanwhile, many commentators expect the 2016 Yahoo! attack to negatively impact the proposed $4.8 billion sale of its core business to Verizon. What’s more, the EU General Data Protection Regulation (GDPR), which applies from May 2018, empowers regulators to levy fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher, for the most serious infringements.

Yet, regulators are not the only ones watching, potential suitors are, too. For companies seeking investment, a sale or an initial public offering, the negative impact of a successful breach could apply downward pressure on valuations. Even for those companies not actively looking for a significant corporate event, a depressed valuation, and the impact on cash and forecasts, could bring aggressive suitors to the door.

As cyber-attacks become more frequent and more powerful, the sensitivity of potential purchasers to the risks has increased. Targets must expect greater scrutiny of previous breaches and the measures in place to defend against attacks. Whereas it is difficult to control the actions of employees and contractors, companies will not be easily forgiven for failing to implement appropriate cyber-security measures and compliance plans. Conversely, demonstrating that efforts have been made should help reduce the risk of regulator fines and civil action. Having to disclose inadequate policies as part of a due diligence exercise is a potentially damaging action that could be avoided. Similarly, a business’ timely and proportionate reaction to a data breach is essential to instil trust and confidence in customers and suitors alike.

Despite there being a lack of prescriptive standards to adhere to, some best practice tips promoted both by the UK Information Commissioner’s Office and security services include the following:

This is a good starting point for identifying areas of vulnerability that hackers will exploit and also helps provide an insight as to the topics that should be investigated as part of a due diligence process. Of course, the next step is to have sufficient expertise available to assess the commercial and legal strength of the responses.

With the ever-expanding amount of non-physical, commercially sensitive information being stored virtually, combined with the frequency of hacks, the importance of cyber-security will only increase. All companies must ensure a robust security strategy is in place for the sake of their own day-to-day activities and for preserving company value. Nothing brings the strength of these systems into sharper focus than an attack or the probing questions of a sophisticated CTO, technology expert or lawyer as part of an audit or due diligence process.


About Finance Monthly

Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.
© 2024 Finance Monthly - All Rights Reserved.