Finance Monthly: Personal Finance. Money. Investing.

The ongoing challenge

Despite the best efforts of financial organisations, they are still losing millions per year because of fraud and financial crime. Figures released last month by UK Finance [1] show that criminals in the first half of this year stole a total of £609.8 million through authorised and unauthorised fraud and scams. And while this figure is down from the record highs seen during the pandemic, the number is still significant.

Cost-of-living crisis set to cause further headaches

New research by global data and analytics company, LexisNexis® Risk Solutions, shows that 43% of financial services organisations expect the cost-of-living crisis to increase the risk of financial crime and fraud over the next 12 months, as scammers target vulnerable consumers struggling with rising bills.

The research also highlighted a concern that criminals are outpacing efforts to protect banks and their customers. A third (30%) of financial services organisations believe anti-fraud and financial crime systems are not developing fast enough to keep up with criminal techniques, whilst a similar number (32%) think fraudsters are spending more time targeting victims.

So, with criminals continuing to look for new ways to exploit potential victims as fraud continues to evolve, it’s more important than ever for financial organisations to advance their risk management solutions.

Helping to prevent fraud

The good news is that the advanced security systems now widely being used by banks prevented just under £584 million from being stolen in the first six months of 2022 [1].

And financial organisations continue to play their role in helping to reduce fraud. In fact, the new study revealed that, on average, financial services providers rely on five external vendors for data sources or solutions to prevent fraud and financial crime across their customer onboarding and lifecycle – with half of these firms (49%) highlighting that having multiple solutions in place helps to increase protection.

In addition, UK Finance’s Information and Intelligence Unit [2] helped protect over 2.1 million compromised card numbers in 2020. The industry is also working closely with the government on measures to strengthen the fight against fraud and economic crime, including through the Economic Crime Strategic Board jointly chaired by the home secretary and chancellor.

However, while financial organisations can only do so much, with social engineering for example an increasingly utilised tactic to trick consumers out of their savings, many banks and the wider finance sector are starting to see risk orchestration as the latest weapon in their armoury to tackle the fraudsters.

The move to risk orchestration

To address rising levels of risk, the independent research indicated that seven out of ten (69%) finance organisations say they will invest more in technology over the next 12 months, with six in ten (59%) prioritising the emerging concept of financial crime and fraud risk orchestration.

Orchestration provides an end-to-end solution for customer onboarding and ongoing monitoring, incorporating anti-money laundering screening, transaction monitoring and case management, all within a single platform. It overcomes silos and manual processes to deliver more informed insights that enable quicker and increasingly accurate assessments of risk. Orchestration can help give businesses the flexibility and choice to deploy as many vendors and data sources as needed in their screening and monitoring, without the usual logistical headaches.

The research also indicated that the move to risk orchestration is well underway. The majority of respondents (74%) surveyed were already aware of risk orchestration platforms, identifying the main benefits as being: the ability to automatically track customer transactional behaviour over time and flag anomalies (48%); being able to bring all customer checks into a single, unified, digital platform (46%); and creating risk-based financial crime and fraud screening bespoke to varying risk appetites (41%).


Risk orchestration in practice – Ikano Bank

Ikano Bank was founded in 1995 by Ingvar Kamprad – part of the family behind global retailer IKEA. The bank offers direct-to-consumer products including loans and store cards. In the UK, the bank opens hundreds of new interest-free loan accounts per day.

The bank considered that the biggest risk it was facing was in ID fraud and document verification. With a view to providing efficient, first-class digital onboarding and fraud risk management, it needed a supplier that would give instantaneous decisions.

LexisNexis® Risk Solutions was able to supply Ikano Bank with the orchestration platform RiskNarrative™, which integrated with the bank’s existing data and gave it the ability to run ID and document verification, address checks, and internal and external fraud rules. Along with this, the platform provided increased Cifas screening: before, Ikano Bank would only check an applicant’s address, whereas now it can match additional information such as email addresses, mobile telephone numbers and sort codes, reducing its false positive rate.

A year on from going live with the RiskNarrative platform delivering its digital transformation, Ikano Bank has onboarded over 70,000 customers.

The financial crime manager at Ikano Bank commented that the automated decisioning has removed many referrals and freed up time for staff. The solution has made a significant difference to what the bank used to see.

RiskNarrative has put the bank in charge of its own fraud rules, so it only sees the referrals it wants to see; those it does not want to see, or declines, are handled automatically. This has given the bank greater control.

Whilst the RiskNarrative platform is currently only used in the UK, Ikano Bank is also looking to introduce the platform across their Sweden branches and beyond.

The future role of risk orchestration

With banks and the wider financial sector leaving no stone unturned in the ongoing battle to beat the fraudsters and reduce crime, risk orchestration is set to play a significant role in tackling fraud while supporting financial organisations with ongoing compliance requirements and customer acquisition targets.

For further information, visit RiskNarrative™ Platform | LexisNexis Risk Solutions.

References

[1] Half-year fraud update 2022 (ukfinance.org.uk)

[2] Fraud The Facts 2021 (ukfinance.org.uk)

The cyber risk landscape is becoming more complex every day, yet cybersecurity professionals still overlook common cybersecurity risk factors. Every risk needs the attention it deserves; otherwise the organisation is exposed by the risks that slip through. This article looks at some of the most overlooked cybersecurity risk factors in the financial industry. Here are some of them:

1. Vendor Risks

There is an incredible amount of sensitive data held by financial institutions, including social security numbers, credit card information and account credentials. Among those who may access this data are payment processors and point-of-sale providers, usually known as vendors. Most financial institutions don't consider these vendors a threat and therefore focus most of their cybersecurity framework on other risk factors. However, it is essential to monitor all vendors continuously, so that you stay aware of any threats they could pose to your security.

2. State-Sponsored Attacks

Financial institutions, like many businesses, put measures in place to guard against cybercriminals. What most of them don't realise is that governments can also pose severe threats to them. A foreign government may launch an attack on a financial institution to destabilise a country. The best defence is a robust security framework that takes into account the potential for certain governments to attack the organisation. This will help prevent data theft and the spread of fake news about the institution. Overall, good OT security could help keep a country and its economy stable.

3. Employee Errors

Banks have a thorough hiring procedure for their staff. Even so, employees can pose serious security threats even when they are honest and trustworthy, and employee errors have increased in recent years, driving up the number of insider attacks recorded. The best way to stop this type of attack is employee training. Another is to block access to suspicious sites using cybersecurity solutions such as firewalls and proxies, which can also be used to keep suspicious emails out of business email addresses.

These cybersecurity solutions can boost operational technology security for businesses. In the end, they also act as protective layers to prevent attacks in case employees mess up unknowingly. This makes them worth investing in as a financial institution.

4. Data that has been Manipulated

Cybersecurity professionals usually aim to prevent data theft. However, cybercriminals do not always aim to steal data; sometimes they manipulate it to damage reputations and customer trust. Technology security staff at financial institutions often do not notice the changes early enough, because the data looks unaltered on the surface and they keep working with it. For instance, an institution can make payments to the wrong accounts for months without any alarm being raised. By the time it realises, it has suffered substantial financial losses, and worst of all, nothing can be done to recover the loss.

5. Mobile And Web Application Security

Financial institutions are implementing operational technology at a larger scale today, and it has become easy for customers to access banking services anywhere from their mobile phones. These institutions keep increasing their budgets for mobile application development, but the vulnerabilities are growing too. They must look into the security of their mobile and web applications. Using operational technology, they can monitor every transaction on their applications, and they can use technology to check for security holes in their systems and enhance safety.

6. DDoS Protection

Distributed denial-of-service (DDoS) attacks have severe impacts on businesses, yet financial institutions haven't taken them with the seriousness they deserve. Attackers use them to blackmail a business, or to distract its security team and buy time to execute other attacks. Many businesses blame downtime on high traffic and other causes and fail to consider a DDoS attack as the reason for the loss of service. An excellent solution to DDoS attacks is cloud migration: using cloud services increases a business's capacity to handle DDoS attacks.

7. Unencrypted Data

As mentioned earlier, financial institutions hold a massive amount of sensitive data, and it is this data that cybercriminals target most of the time, hence the need to protect it. One operational technology security strategy for data protection is to encrypt data before transmission. With cybercriminals lurking all over the internet, data encryption is vital, and these institutions must use cybersecurity solutions such as proxies to protect data in transit. Assuming that the data you send will be delivered safely is one way to expose an entire institution.

8. Spoofing

Spoofing has been on the rise in recent years. However, financial institutions have also not taken it with the seriousness it deserves. With this attack, criminals impersonate a financial institution's website. They create a parallel site that looks exactly like the institution’s. This is to trap visitors into unknowingly logging in to their accounts. Users then log in as usual but on the fake website, exposing their credentials to the criminals. 

The hackers gather as many customer details as possible into a database. They then use them to log into the institution's website as legit users. Before the bank knows it, the attackers have passed all of its security frameworks. The institution may not even realise it until a significant financial loss happens. This is, therefore, a risk factor worth keeping in mind today.

Conclusion

Technology plays a critical role in the successful operation of financial institutions. But then, it also comes with several risks that could expose banks and other businesses in the industry. As mentioned earlier, there are many risk factors, but security professionals give less attention to some.

If you run a bank, your security framework should consider every risk factor. Take your time to assess the cybersecurity threats that you could face as a business. Then, implement the right cybersecurity solutions to protect your operational technology. This article has listed some of those you could forget.

In light of the recent cyberattacks that TSB and British Airways were faced with, Andy Barratt, UK Managing Director at cybersecurity consultancy Coalfire, delves into the trend for large corporates to be hit harder by IT glitches than their SME peers.

It seems barely a week goes by without the world’s news channels breaking the story of a major cybersecurity incident affecting yet another household-name business. In the last month alone, we’ve seen CEOs fall on their swords, the value of shares plummet and hundreds of thousands of people urged to re-secure their online accounts after IT failures and malicious attacks caused widescale disruption.

In the modern age, no business is safe – either from external threat or from itself. The IT saga that engulfed TSB this summer, and ultimately cost the bank’s CEO Paul Pester his job, is an example of a big business causing itself a monumental headache through poor risk management.

Bank customers were left without access to their digital accounts for weeks as TSB tried to migrate its clients’ account details across from its existing IT platform to that of its new Spanish owner, Sabadell. When IBM was called in to consult on the issue, it quickly became apparent that insufficient testing had been carried out in advance to ensure the transfer process would run smoothly.

Customers, MPs and journalists alike have since accused TSB of having its head in the sand over the incident, failing to get to the root of the issue quickly enough and keeping customers in the dark. The question on the public’s lips was ‘how could this happen to a business with presumably vast security resources?’.

Corporates miss security sweet spot

The answer is that behind the curtain – and contrary to accepted wisdom on cybersecurity – large enterprises are often not the best prepared to protect themselves against cyber risk, despite having bigger budgets and more resources. Coalfire recently conducted its inaugural Penetration Risk Report, which tested the cyber defences of enterprises of various sizes across sectors including financial services, retail, healthcare, and tech and cloud services. The research involved simulating planned cyber-attacks against the businesses – a practice known as penetration testing – to identify weak spots in their security armour.

Financial services organisations fared better than most. But even in this comparatively well-performing sector we found that large enterprises were not the most secure, despite having the most substantial cybersecurity budgets. Instead, it was mid-sized firms that found the sweet spot in terms of protecting their assets and mitigating their security risks.

So why doesn’t bigger spend correlate to improved security?

It’s worth noting at this point that TSB’s issue was not caused by malicious intent or outside interference. However, the incident highlighted a disturbing lack of understanding running throughout the business that is indicative of how large corporations expose themselves to risk.

Culture shocks

Business leaders must become comfortable hearing about problems and technical risk when it comes to IT. Often in large organisations, there is a mindset that the board doesn’t want to know about a problem, so risks are constantly re-framed and cracks painted over.

Consequently, senior executives often don’t have visibility of deeply-rooted issues and, ultimately, make decisions that don’t factor those risks in. This can be particularly unhelpful when businesses are looking to innovate as investment in new technology (mobile banking, rapid deposit taking, etc.) is hamstrung by existing technical challenges.

This mindset where boards are in the dark often occurs in organisations where a culture of blame is prevalent. We must move to a corporate environment where staff feel comfortable elevating issues to management rather than patching them up.

In the worst-case scenario, this disconnection between boardroom and shop floor can leave senior spokespeople fronting up to the media with little understanding of the issues that have embroiled their business in controversy. Highlighting how it should be done was British Airways’ Chief Executive Alex Cruz, who was quick out of the blocks to publicly communicate a detailed understanding of the specifics after the flight operator discovered a malicious breach in September.

Heads will roll

In the immediate aftermath of TSB’s IT failure, the Financial Conduct Authority accused the bank’s leadership of ‘portraying an optimistic view’ and failing to adequately communicate the extent of the issue to the public. The bank apologised unreservedly but the real question remained about its competence and whether TSB’s leadership understood, or was on top of, the job at hand.

While it would be unreasonable to expect the CEO of every UK bank or FTSE 100 business to be an expert on IT and cybersecurity, ultimately the buck stops with them. Given the monumental disruption to reputation and performance, there are a lot of lessons senior leaders can learn from the case of TSB.

Partner networks

Large businesses can also be put at risk due to the security shortcomings of the many partners they work with. This issue was evident when Ticketmaster was subject to a supply chain attack earlier this year. In this case, hackers used code supplied by Ticketmaster’s chatbot operator to extract payment details from its website after the code in question was incorrectly repurposed by Ticketmaster’s in-house team.

Similar activity was likely at play for the British Airways data breach, where data was lifted live from its website most likely via third-party code. BA is a regular participant in industry forums and best practice initiatives, and yet has still been affected, highlighting the risk big businesses face through their extended network of partners. Airlines in particular are at risk of attack because they frequently rely on complex infrastructure and shared services provided by airports, booking agents, aggregators and global distribution systems. Many don’t meet the security compliance rules we set here in the UK.

The same can be said for the financial services industry where there is constant interaction between myriad third parties and their affiliated platforms. For businesses of this size, resilience in the face of an attack is the modern approach. Always assume that someone will find a way in. Responding to that quickly will enable you to minimise loss.

To err is human

It’s also worth considering the somewhat unavoidable risk that human threat poses to large institutions given the number of people they employ. It goes without saying that the potential for human error increases exponentially the bigger a workforce is.

Our Penetration Risk Report found that people remain companies’ biggest weakness – across all sizes and sectors. Whether through human error or creating opportunities for social engineering hacks, the chances are that your staff will be your cybersecurity Achilles’ heel.

Accountancy giant Deloitte was targeted last year as hackers got hold of confidential data via an administrator’s account which had only single-factor authentication in place. In this case, it’s likely that access was achieved after the account password was exposed through phishing – where hackers pose as a trustworthy entity (usually via email) to obtain sensitive information such as usernames and passwords.

GDPR

Fortunately for the majority of the businesses mentioned in this article, the breaches and failures fell before the arrival of GDPR. British Airways, however, is the first high profile business to experience a major data breach since new rules came into force in April. The new rules outline that a business can be fined as much as 4% of turnover if it has failed to take technical precautions to protect its customers’ data. Unfortunately for BA, if it is found to have failed in that duty of care, then its fine could total £489 million.

On top of reputational damage, the proportionate nature of GDPR means that, more than ever, cybersecurity is an issue big businesses can’t afford to get wrong. The days of thinking ‘bigger is always better’ are numbered.

ABOUT COALFIRE

Coalfire is the trusted cybersecurity advisor that helps private and public-sector organisations avert threats, close gaps and effectively manage risk. By providing independent and tailored advice, assessments, technical testing and cyber engineering services, we help clients develop scalable programs that improve their security posture, achieve their business objectives and fuel their continued success. Coalfire has been a cybersecurity thought leader for more than 17 years and has offices throughout the United States and Europe.

For more information, visit Coalfire.com.

ABOUT COALFIRE LABS

The Coalfire Labs team leverages highly skilled penetration testers with focused expertise in helping organisations of all sizes improve their security posture by thinking and acting like an attacker. Coalfire Labs simulates threats, evades your defences, and hunts for active breaches in your environment, and then helps you understand the risk and impact to your organisation.

With the worldwide number of robots in smart factories now topping a million, Ross Thomson cites a lack of awareness as the reason most operators haven’t tackled the threat.

“Many firms believe hackers only want personal or financial data, but there is a credible risk to industrial robots,” says Mr Thomson, Principal Consultant at Amethyst Risk Management, which advises government and industry on cyber security.

He points out the risk is growing as robots, like other devices, are increasingly connected to wider networks and the internet. That gives hackers more ways in, and the consequences are potentially disastrous.

In one example, attackers locked up a robotic assembly plant in Mexico and demanded a ransom from the operators. Mr Thomson also highlights the safety risk for human factory operatives if a robot were to be hacked.

Lack of awareness and preparedness for a cyber-attack extends to robot makers. Mr Thomson points to an experiment where researchers hacked a robotic arm and forced it to mis-perform, compelling its manufacturer to plug the security hole.

Nightmare scenarios

The threat might come from disgruntled employees, criminals, recreational hackers or nation states.

One kind of attack would inject faults or defects in the production process, or lock it down completely as in the Mexican incident, leading to loss of production and revenue. If defective products make it to market, they can cause reputational damage, a potential advantage that could motivate an attack by unscrupulous competitors.

By manipulating safety protocols, hackers could cause the robot to injure human operators, or to damage itself or the factory environment. Alternatively, attackers might attempt to steal sensitive data from the machines themselves or the wider company network through remote access.

How easy is it to hack a robot? Ease of access to the software varies, making an inside job more likely in some scenarios. Firmware may be freely available online or retrievable from used robot CPUs, and some manufacturers allow programmers to access code in a simulation environment, creating a potential practice ground for would-be robot hackers.

Hackers also have ways in other than via the internet. They may attack from within the factory, for example by connecting to the robot directly through a USB port, or by physically accessing its computer controller, or via remote service.

Once they have penetrated the system, they can potentially alter the controller’s parameters, tamper with calibration programmes or production logic, and alter the robot’s perceived state (for example to show it is idle when it is not) or its actual state, causing loss of control.

How big a risk?

The scale of the threat could be enormous. It’s estimated there will be 1.3 million robots in factories worldwide by next year (2018) and that 12 per cent of jobs will have been taken over by automated systems within a decade and a half. Robots are operating across almost all industrial sectors from car manufacturing to aviation and food processing.

The UK’s National Cyber Security Centre has highlighted hacking of robotic, unmanned and autonomous systems as a subject for attention, both by itself and by the intelligence organisation GCHQ.

A survey of robotic engineers by Italian academics found three quarters had never properly checked cybersecurity in their infrastructure, a third of robots were internet accessible and half of respondents didn’t see a realistic cyber security threat. To make matters worse, industrial robots often have weak authentication protocols and outdated software running on vulnerable operating systems.

Operators need to take the necessary precautions

Mr Thomson urges operators of industrial robots to conduct a professional review of cybersecurity risks, have an incident response plan in place in case of a security breach and ensure that software is regularly updated, especially with security patches. The security review should look at what data robots hold and how they are potentially connected to sensitive data elsewhere on the network.

“Considering the risk to production, people and facilities, it must be taken seriously from board level to operational level,” he says. “An internet-connected robot should be treated with the same security precautions as any computer on the network, including setting long, complex passwords rather than relying on manufacturers’ default. There is a temptation to neglect updates because they may cause production downtime, but it needs to be given a higher priority.”

He advises operators to make security a key factor when sourcing new industrial robots, selecting a manufacturer that shows commitment to the issue and provides frequent software updates with security patches.

“Limiting who has access to robots and segmenting machines from networks where possible can also reduce risk,” he advises.

Ultimately, one of the most effective precautions is also one of the most prosaic, and may comfort those who fear their jobs will be stolen by robots, as Mr Thomson explains: “It’s hard to imagine a time when we dare leave robots to get on with it, so until and unless that day comes, we need humans to keep watch on robots at work.”

(Source: Amethyst Risk)

About Finance Monthly

Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.
© 2024 Finance Monthly - All Rights Reserved.