
Or, to frame those figures another way, 1 in every 61 organisations suffer a cyberattack each week.

The kinds of organisations at risk from cybercrime vary greatly: the Microsoft Digital Defence Report 2021 identified a broad spread of entities at risk from ransomware, with an emphasis on consumer retail, financial services, manufacturing, government, and health care. Despite these risks, however, many businesses are incautious when it comes to cybersecurity. A study commissioned by the Department for Digital, Culture, Media, and Sport polled 956 businesses and found that as many as 50 per cent were not confident in carrying out even one in a series of basic cybersecurity tasks.

Clearly, businesses need a new set of incentives to boost their cybersecurity practices, while the clients and consumers whose data they hold need an extra layer of protection against any losses that might be incurred through cybercrime. By making Cyber Liability Insurance compulsory, both of these goals can be achieved in one simple gesture – and, given the stakes involved, this is an avenue well worth exploring.

It’s not just companies at risk when cybercriminals attack

What, then, do the stakes of cybercrime look like? The right kind of cyberattack can be devastating for businesses – and almost every business is vulnerable. After all, if a company practices anything as simple as email usage, they are open to cybercrime. In a practical sense, there are serious financial implications for businesses that suffer from this kind of attack. Cybercriminals are, for example, capable of stealing financial information, directly stealing money, or disrupting trading and business in ways that are financially detrimental.

The possible repercussions of cybercrime don’t end with the injured organisation itself, however. Businesses also house an extraordinary amount of data pertaining to their own customers or clients – including, potentially, their financial data. As McKinsey noted in a pre-pandemic report, “organisations have more data than ever at their disposal” – and this is, of course, a deliberate move, given the potentially valuable insights that such data can hold. At the same time, however, this new culture of data-hoarding comes with increased risk in the event of a cyberattack – just recently, for example, millions of clients of the computing company Acer have seen their data sold by hackers.

That, in a nutshell, is the problem with cyber laxity in today’s increasingly risk-laden climate. Cyberattacks on businesses start a ripple effect that expands outwards from the initial point of attack, disrupting the lives and finances of a huge array of subsidiary targets.

Fixing the problem with compulsory cyber liability

The answer to this problem is to significantly revamp insurance requirements by making cyber liability mandatory. At present, after all, business insurance requirements are extraordinarily minimal. According to the UK government, the only legally required policy is employers’ liability insurance (EL) which covers businesses in the event that a member of staff claims to suffer illness or injury due to their work. But, as we have seen, the absolute dominance of data and technology in almost every industry – what could be called the ubiquity of cyber vulnerability – means that we need to rethink our insurance priorities to reflect the risks involved in the world of today.

Cyber liability cover can, after all, mitigate the impact not only of cyberattacks, but also of data breaches and any damage that such breaches can inflict. The right cyber liability cover can pay for legal claims and compensation costs, protecting those whose data is being held by the company.

While this kind of compensation is a great step, making cyber liability compulsory might bring about an even more powerful benefit in the form of more robust cybersecurity practices. After all, if cyber liability were mandatory, businesses would naturally want to reduce its cost. This would entail proving that they are at low risk of cyberattack – and the only way to reduce exposures would be, of course, to invest in stronger cybersecurity. As such, compulsory cyber liability could do much more than simply compensate for losses – it could spark a new wave of interest and investment in cyber security, lowering the rate of cyberattacks and keeping people, their data, and businesses themselves significantly more secure. 

About the author: Edward Halsey is the COO and co-founder of hubb

Here Andy Barratt, UK managing director at international cybersecurity specialist Coalfire, explores how the financial services sector can turn the tide on costly, high-profile cyber missteps.

It’s fair to say that the financial services sector has struggled to secure positive consumer sentiment for itself recently – particularly in relation to cybersecurity. At the end of October, the government’s Treasury Select Committee (TSC) went so far as to say that the number of IT failures at banks and other financial services firms has reached a level it deems “unacceptable”.

The criticism, which highlighted poor IT performance within financial firms and a lack of decisive action from their regulators, comes in the wake of a string of high-profile and costly cyber glitches in recent years. Most notable among those is TSB’s unsuccessful attempt to migrate its systems over to new parent company Banco Sabadell.

Customer details were left easily accessible and vulnerable to fraud attacks, and thousands were unable to access their accounts. But TSB are not the only culprits: Barclays, RBS and VISA are among a raft of other major financial service providers to have suffered serious technical glitches in the past few years.

Why then, with so much at stake, are financial firms lagging behind when it comes to their cyber strategy?

Complex legacy tech infrastructure

The first aspect that makes large firms so susceptible to attacks is that their IT systems are often complex and, significantly, outdated. Hackers can easily find weak spots in the system or, as in TSB’s case, vital information can slip through the cracks.


Our inaugural Penetration Risk Report, which took place around the time of TSB’s issues, found that the largest firms are less likely to be prepared to face up to cybercrime than their mid-sized equivalents – despite greater budgets and resources – due to their cumbersome and slow-moving infrastructure.

More recently, we’ve seen those larger businesses close the gap, mostly through the support of in-built cloud security services, but the risks still remain for many. In the financial services sector specifically, this year’s study indicated that the level of external threat has actually increased.

The rush to implement services under a new ‘Digital’ initiative sometimes comes at the cost of addressing the underlying legacy issues too. Whilst the big banks rush to keep up with the online-only challenger banks they re-allocate budget for the new apps and forget the underlying infrastructure they depend on.

‘Yes’ culture

One of the key risks boosting that threat is a habit within large corporate cultures of IT teams or risk managers consistently ‘downgrading’ risks, through lack of understanding or complacency, when reporting to those further up the pecking order. This is dangerous and can lead senior figures to the conclusion that everything is ‘ok’ within their organisation when, in reality, an IT crisis is just around the corner. This is particularly true when organised crime groups are targeting financial services with highly sophisticated attacks that are often discounted by management with a throwaway ‘nobody would do that’ comment.

Companies should attempt to foster a ‘safe’ environment where staff feel comfortable raising problems they encounter so that solutions can be found before disaster strikes. They should also remain current with intelligence from their incident response and forensic partners, who will see the sophisticated threats when they do cause a breach.

An enhanced understanding of the issues facing the business is less likely to leave senior spokespeople up a creek without a paddle when facing the media. No one would expect a CEO to know all the ins-and-outs of their IT infrastructure, but basic comprehension can go a long way. Knowledge is power.


Weak links in the chain

Due to the nature of the industry and the services they provide, banks and large financial firms are required to interact with third parties on a massive scale. Unfortunately, this isn’t without its drawbacks.

Many third parties – and, by extension, their own supply chain – lack the sophistication and / or the wherewithal to deal with cyberattacks. As such, they are often the first port-of-call for a hacker looking to worm their way into a major system.

An example includes the British Airways data breach in the summer of 2018, when hackers were able to take information directly from the airline’s website thanks to access from a third party.

Often, being subject to this form of intrusion is pure bad luck rather than bad planning. However, large firms must ensure that they’re sufficiently protected and that access for third parties is limited. It’s a simple case of making sure that your back’s covered wherever possible.

Human error

Perhaps the most common error (and the most tangibly addressable) is the human risk inherent within any business. Naturally, the larger your workforce, the greater the risk you face, which is a major issue within the financial services sector.

Phishing, a scam that prompts staff to provide their username and password, is still one of the simplest but most successful ways potential attackers get their foot in the door.

The key to combatting the danger is providing constant training to employees so that they’re fully aware of the threat and the responsibility that they have towards protecting the business.

What’s more, the high-profile cases mentioned above are dangers in themselves: when the glitch or failure makes the news, a signpost is placed for hackers looking to break in. Each headline is an ‘x-marks-the-spot’ for a company’s weak spot, as well as their competitors’.

It’s a brutal world that financial services businesses face as technology advances but, with such large amounts of money at stake, they must be up to the challenge.

The interest in ATM malware and attacks is persistent and poses a threat to financial institutions and ATM manufacturers alike.

Here Amina Bashir, Associate Product Manager at business risk experts Flashpoint, offers Finance Monthly some insight into the underground market for malware designed for use in ATM cash-out schemes.

As giant boxes of cash, it’s understandable that ATMs are magnets for nefarious activity. Like many other forms of financially motivated crime, malicious activity against ATMs is supported by an underground ecosystem of illicit offerings and resources, as evidenced across Flashpoint’s datasets.

For example, information sourced across illicit online communities, encrypted chat services, and paste sites shows threat-actor mentions of ATMs on a par with mentions of distributed denial-of-service (DDoS) tools and attacks, far exceeding mentions of Remote Access Trojans, crypters, botnets, and ransomware. The interest in ATM malware and attacks is persistent and should be on the radar of financial institutions and ATM manufacturers alike.

Here’s a look at some known threats to ATMs:

Skimmers and Shimmers

Skimmers and shimmers are small, physical devices which are inserted into ATMs to steal payment card data. They are a popular commodity among fraudsters, but some criminals favor a more straightforward form of theft: directly stealing cash from the machine.

ATM Jackpotting

Jackpotting is the manipulation of an ATM so it ejects the cash within. It is often carried out with the help of specialised malware sold on illicit online marketplaces. During the past several years, malware-enabled ATM jackpotting attacks have been reported worldwide, from Europe and the U.S., to Latin America and Southeast Asia.

ATM Malware

ATM malware continues to be popular among threat actors operating across various platforms. Analysts have observed that ATM malware appears to be sold by only a few threat actors, some of whom may be associates. This is in contrast to other types of malware, which are sold by a wide range of vendors.


Inside the ATM Malware Market

WinPot, Cutlet Maker, and Yoda are among the most mentioned ATM malware variants. Due to similarities in posts, it is possible that some of these malware families are being created or sold by associated—if not the same—threat actors. Moreover, Flashpoint analysts have noted that many threat actors who advertise ATM malware also peddle other offerings on the cybercrime underground, including carding services and access to compromised bank accounts.

Uniquely among cyber threats, ATM malware attacks inherently require a physical presence at the targeted site. In fact, since the most common and popular ATM malware variants are installed via USB, which means attackers must physically open the machine’s exterior panel and connect an external device, attacking an ATM is hardly an inconspicuous endeavour.

And while some forms of ATM malware, such as ATMitch, can be administered without physical access to the machine by leveraging a known exploit against a financial institution’s servers, such an attack still requires the threat actor or a money mule to physically retrieve the stolen cash from the machine. As such, jackpotting crews are known to select their targeted sites carefully; ATMs stationed not at banks, but rather at small businesses, shopping centres, gas stations, and other retail locations are the most desirable targets for jackpotting crews.


So, in addition to keeping ATMs updated with the latest security software and patches, one of the best ways for operators to avoid being targeted in a malware attack is to noticeably bolster actual and perceived physical security at ATM sites. For example, an outdoor ATM set back from the sidewalk in a poorly-lit area could be a natural target for jackpotting, but the addition of motion-activated floodlights and conspicuous security cameras monitoring the premises from several angles to avoid blindspots could immediately deter threat actors.

In addition to enhancing visibility and surveillance, changing the lock on an ATM’s exterior panel is another simple way to thwart threat actors sniffing out vulnerable ATMs that use a generic, mass-produced key provided by the manufacturer.

Assessment

Despite being controlled by a relatively small number of threat actors, Flashpoint analysts believe the underground market for ATM malware will continue to flourish, serving a global customer base of threat actors and posing a threat to financial institutions and ATM manufacturers worldwide.

Flashpoint analysts have observed wide variance in the price of ATM malware within illicit marketplaces, from as low as $25 USD up to $5,000 USD depending on the malware being offered, in addition to other factors, such as the vendor’s reputation and level of customer support, customisation, and bundled services.

44% of requests were processed after detection of an attack during an early stage, saving the client from potentially severe consequences. These are among the main findings of Kaspersky’s latest Incident Response Analytics Report.

It is often assumed that incident response is only needed when damage from a cyberattack has already occurred and further investigation is required. However, analysis of multiple incident response cases in which Kaspersky security specialists participated during 2018 shows that this offering can serve not only as an investigative service, but also as a tool for catching an attack at an earlier stage to prevent damage.

In 2018, 22% of IR cases were initiated after detection of potential malicious activity in the network, and an additional 22% were initiated after a malicious file was found in the network. Without any other signs of a breach, both cases may suggest that there is an ongoing attack. However, not every corporate security team may be able to tell whether automated security tools have already detected and stopped the malicious activity, or whether these were just the beginning of a larger, invisible, malicious operation in the network and external specialists are needed. As a result of incorrect assessment, malicious activity evolves into a serious cyberattack with real consequences. In 2018, 26% of investigated “late” cases were caused by infection with encryption malware, while 11% of attacks resulted in monetary theft. 19% of “late” cases were a result of detecting spam from a corporate email account, detection of service unavailability or detection of a successful breach.

“This situation indicates that in many companies there is certainly room for improvement of detection methods and incident response procedures. The earlier an organisation catches an attack, the smaller the consequences will be. But based on our experience, companies often do not pay proper attention to artifacts of serious attacks, and our incident response team often is being called when it is already too late to prevent damage. On the other hand, we see that many companies have learned how to assess signs of a serious cyberattack in their network and we were able to prevent what could have been more severe incidents. We call on other organisations to consider this as a successful case study,” said Ayman Shaaban, security expert at Kaspersky.

Additional findings of the report include:

To effectively respond to incidents, Kaspersky recommends:

 

However, not all crime is conducted directly online. Some people are tricked into giving away details over the phone or are told to use their banking app to transfer money into a safe account. This multi-channel approach means that at every touchpoint, an organization must be aware that their customers could be at risk; they need to put systems and processes in place to mitigate cybercrime. 

According to a report by McAfee, the European economy is one of the worst affected areas in the world. The statistics suggest that 0.84% of Europe's GDP is affected. Looking at the UK specifically, it is estimated that the cost of cyber-crime to the UK economy is £27bn – and it is growing.

GDPR and Customer Data Breaches

One of the latest and most high-profile risks to have come to people's attention over the past 18 months is customer data breaches. Customers are increasingly aware that organizations hold a lot of their personal data and they want to be sure that it is safe. The General Data Protection Regulation was brought into place to ensure that organizations are acting responsibly when it comes to processing and storing customer data.

The financial impact of not following these guidelines, or for not having the correct systems in place, has been significant. Just months after the new regulation came into place, British Airways were one of the first companies to fall foul when 500,000 pieces of customer data were stolen, which resulted in them receiving a £183m fine.

The Financial Fallout of Cyber Crime

Before any cyber-crime has taken place, there is a significant cost to businesses that need to purchase software, implement new processes and training, and even employ new cybersecurity teams to deal with threats. For global organizations, there may also be a need to hire consultants to advise on what they need to do to keep themselves and their customers safe.

One of the consequences of cybercrime that will affect every business is the direct costs. This could be money lost by the business or by consumers. It could also be the loss of reputation to a brand. If a bank suffers a cyberattack and customers lose money, they are likely to lose confidence, which can have a huge knock-on impact on business performance and profits.

Following on from an attack, there may also be payments that need to be made. On top of losing money in an attack, a business may also need to pay out compensation, fines, and legal costs. Depending on the type and severity of the attack and the data that was lost, this can amount to millions of pounds, as demonstrated by the British Airways case.

F-Secure’s ‘Cyber Threat Landscape for the Finance Sector’ shows that the sophistication of adversaries targeting banks, insurance companies, asset managers and similar organizations can range from common script-kiddies to organized criminals and state-sponsored actors. And these attackers have an equally diverse set of motivations for their actions, with many seeing the finance sector as a tempting target due to its importance in national economies.

The report breaks down these motivations into three groups: data theft, data integrity and sabotage, and direct financial theft.

“This is a useful way to think about cyber threats, because it is easy to map attacker motivations across to specific businesses, and subsequently understand to what extent they apply,” says F-Secure Senior Research Analyst George Michael. “Once you understand why various threat actors might target you, then you can more accurately measure your cyber risk, and implement appropriate mitigations.”

Data integrity and sabotage – where systems are tampered with, disrupted or destroyed – is the cyber criminals’ method of choice. Ransomware and distributed denial-of-service attacks (DDoS) are among the more popular techniques used by cyber criminals to perform these attacks.

Similar attacks have been launched by state-sponsored actors in the past. But these are less common and often linked to geopolitical provocations such as public condemnation of foreign regimes, sanctions, or outright warfare.

And while North Korea has the unique distinction of being the only nation-state believed to be responsible for acts of direct financial theft, their tactics, techniques, and procedures (TTPs) have spread to other threat actors.

According to Michael, this is part of a larger trend that involves adversaries offering their customizable malware strains or services-for-hire on the dark web, contributing to a rise in the adoption of more modern TTPs by attackers.

“North Korea has been publicly implicated in financially-motivated attacks in over 30 countries within the last three years, so this isn’t really new information,” says Michael, “But their tactics are also being used by cyber criminals, particularly against banks. This is symbolic of a wider trend that we’ve seen in which there is an increasing overlap in the techniques used by state-sponsored groups and cyber criminals.”

In addition, understanding cyber threats relevant to specific organizations is crucial to being able to detect and respond to an attack when it occurs.

“Understanding the threat landscape is expensive and time-consuming,” says Michael. “If you don’t understand the threats to your business, you don’t stand a chance at defending yourself properly. Blindly throwing money at the problem doesn’t solve it either – we continue to see companies suffer from unsophisticated breaches despite having spent millions on security.”

The retail banks were responsible for the highest number of reports (486) – almost 60% of the total. This was followed by wholesale financial markets on 115 reports and retail investment firms on 53.

The root causes for the incidents were attributed to third party failure (21% of reports), hardware/software issues (19%) and change management (18%).

The FCA has recently warned of a significant rise in outages and cyber-attacks affecting financial services firms. It has also called on regulated firms to develop greater cyber resilience to prevent attacks and better operational resilience to recover from disruptions.

According to the new data obtained by RSM, there were 93 cyber-attacks reported in 2018. Over half of these were phishing attacks, while 20% were ransomware attacks.

Commenting on the figures, Steve Snaith, a technology risk assurance partner at RSM said: "While the jump in cyber incidents among financial services firms looks alarming, it's likely that this is due in part to firms being more proactive in reporting incidents to the regulator. It also reflects the increased onus on security and data breach reporting following the GDPR and recent FCA requirements.

"However, we suspect that there is still a high level of under-reporting. Failure to immediately report to the FCA a significant attempted fraud against a firm via cyber-attack could expose the firm to sanctions and penalties from the FCA.

"As the FCA has previously pointed out, eliminating the threat of cyber-attacks is all but impossible. While the financial services sector emerged relatively unscathed from recent well-publicised attacks such as NotPetya, the sector should be wary of complacency given the inherent risk of cyber-attacks that it faces.

"The figures also underline the importance of organisations obtaining third party assurance of their partners' cyber controls. Moreover, the continued high proportion of successful phishing attacks highlights the need to continue to drive cyber risk awareness among staff.

"Interestingly, a high proportion of cyber events were linked to change management, highlighting the risk of changes to IT environments not being managed effectively, leading to consequent loss. The requirements for Privacy Impact Assessments as a formal requirement of GDPR/DPA2018 should hopefully drive a greater level of governance in this area.

"Overall, there remain serious vulnerabilities across some financial services businesses when it comes to the effectiveness of their cyber controls. More needs to be done to embed a cyber resilient culture and ensure effective incident reporting processes are in place."

Fig1: The number of cyber incidents reported to the FCA by regulated firms in 2018 broken down by the sector the incident impacted (source FCA):

| Impacted sector | 2018 | % of incidents |
| --- | --- | --- |
| Retail banking | 486 | 59% |
| Wholesale financial markets | 115 | 14% |
| Retail investments | 53 | 6% |
| Retail lending | 52 | 6% |
| General insurance and protection | 49 | 6% |
| Pensions and retirement income | 35 | 4% |
| Investment management | 29 | 4% |
| Total | 819 | 100% |

 

Fig2: The root causes of cyber incidents reported to the FCA (source FCA):

| Root cause | 2018 (Jan-Dec) | % of incidents |
| --- | --- | --- |
| 3rd party failure | 174 | 21% |
| Hardware/software | 157 | 19% |
| Change management | 146 | 18% |
| Cyber attack | 93 | 11% |
| TBC | 93 | 11% |
| Human error | 47 | 6% |
| Process/control failure | 45 | 5% |
| Capacity management | 25 | 3% |
| External factors | 17 | 2% |
| Theft | 11 | 1% |
| Root cause not found | 11 | 1% |
| Total | 819 | 100% |

 

Fig3: The breakdown of incidents in 2018 categorised as 'Cyber attacks' (source FCA):

| Cyber attack root cause breakdown | 2018 (Jan-Dec) | % of incidents |
| --- | --- | --- |
| Cyber - Phishing/Credential compromise | 48 | 52% |
| Cyber - Ransomware | 19 | 20% |
| Cyber - Malicious code | 16 | 17% |
| Cyber - DDOS | 10 | 11% |
| Total | 93 | 100% |

Amidst a large swathe of planned job cuts at Lloyds, at the beginning of November the bank announced that there was a silver lining - a £3 billion investment programme that will see the country’s biggest high-street lender radically transform its digital strategy. While 6,000 existing roles are being cut from a broad range of areas, 8,000 are being created to focus on areas of digital expansion, including in the group transformation unit. And, as Tectrade CEO Alex Fagioli points out, it’s about time for Lloyds, as it begins to play catch up with an industry that has quietly been revolutionised by high-street banks and start-ups that have gone all-in on digital banking.

Digital banking provides a great deal of benefits to administrators and customers alike. Customers are given a more flexible way of banking, accessing their accounts and transferring their money without relying on bank hours. Managers have an unprecedented insight into the activity of branches and can offer services to their customers which they had previously been incapable of. However, the challenges and risks that come with digital transformation have led traditionally large financial institutions like Lloyds to implement such practices poorly, to the detriment of all involved.

In April, a routine systems upgrade at TSB went awry and left 1.9 million customers locked out of their accounts for up to a month. Similarly on Friday 1 June, 5.2 million transactions using Visa failed across Europe as a result of one single faulty switch in one of Visa’s data centres. This isn’t just a continental issue; Atlanta-based Sun Trust – a bank with 1,400 bank branches and 2,160 – experienced a significant outage to its online and mobile banking platforms in September due to a botched upgrade. In all of these cases, the outages weren’t the result of cyberattack or weather-related problems. Instead, these outages came as a result of seemingly insignificant technical factors that had been overlooked – and Lloyds would be wise to heed these cautionary tales.


In the first two instances, the causes of the outages are very clear – and they were entirely preventable. TSB rushed into an upgrade by hastily initiating the update across its entire system. For a technical reason that we will likely never know, the update tanked the entire bank and left it at a standstill while it tried to pick up the pieces. Even though it managed to get everything back in place, TSB is now permanently scarred by the event, with its reputation still reeling. The prevention for this would have been a gradual rollout, as opposed to a sweeping installation. If the upgrade had initially been piloted with non-essential systems, then the bugs would likely have been spotted early, with little fuss and no media spotlight.

Likewise, the Visa incident came as a result of a single faulty switch and that betrays a lack of understanding of its own systems. It is shocking how few companies have carried out any form of disaster recovery testing on their infrastructure. Administrators are incapable of having a full understanding of the systems they are responsible for without testing them in a controlled and simulated environment. With a controlled disaster test, that faulty switch would have been highlighted and those 5.2 million transactions would have been completed. It’s similar to a car – the reason that MOTs are essential is so that any issues can be highlighted well ahead of them having a serious effect on the vehicle’s performance. Banks must carry out a cyber MOT in order to keep their systems in check and to give IT teams a full working knowledge of any potential issues.

But this is all in the case of preventable issues, and in the modern day the accepted wisdom is that it is not if, but when, outages will happen.

Thus far we’ve only addressed routine operations, but cyberattack is of course an omnipresent threat. Ransomware has spent the past couple of years as the ‘big bad’ in cybercrime, and it is an even bigger threat to the financial sector. Over the past 12 months, the financial services and insurance sector was attacked by ransomware more than any other industry, with the number of cyberattacks against financial services companies, in particular, rising by more than 80%. If a bank were to be hit by a ransomware attack, all online systems for banking and insurance transactions would need to be taken offline, rendering that organisation unable to operate. According to a report from Osterman Research, there is a 50% chance of employees in this industry suffering productivity loss, a 30% chance that the financial and insurance services will shut down temporarily, and a 20% chance of revenue loss and adverse effect on customer perception. In cases of ransomware, data recovery can be very difficult as there is a large amount of customer information stored in a variety of disparate systems. As such, many organisations may feel they have no choice but to pay the fee demanded of them to regain access to the data.


Equally as unpreventable are environmental factors. Areas like the Southern States of the USA are frequently dominated by hurricanes and tropical storms which can cause large disruptions to everything from schools to banks. Many of these buildings have to be built with this in mind, and network operations should be created with the same mindset. In the UK, by contrast, we don’t have to deal with such extreme weather conditions, but environmental considerations must be made with the potential for freak accidents. A burst pipe in a shared building or road workers drilling through electrical or network cabling, for example, could see a bank offline for an indeterminate period of time outside of its control. One example of this in action was with National Australia Bank, which suffered a power outage that downed ATMs, Eftpos and online banking across the country for five hours in May.

In all of these situations where outages can occur, banks must make sure they have the capacity to get their systems back online and fast. The best way to do this is by adopting a zero-day approach to architecture. Zero-day architecture won’t prevent an outage, but it will mitigate the effects. It allows organisations to minimise downtime and recover from backups without having to worry about lost data.

A zero-day recovery architecture is a service that enables administrators to quickly bring work code or data into operation in the event of any outages, without having to worry about whether the workload is still compromised. An evolution of the 3-2-1 backup rule (three copies of your data stored on two different media and one backup kept offsite), zero-day recovery enables an IT department to partner with the cyber team and create a set of policies which define the architecture for what they want to do with data backups being stored offsite, normally in the cloud. This policy assigns an appropriate storage cost and therefore recovery time to each workload according to its strategic value to the business. It could, for example, mean that a particular workload needs to be brought back into the system within 20 minutes while another workload can wait a couple of days.
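The policy described above can be written down and checked mechanically. The following is an added example, not Tectrade's tooling or code from the original article: it checks each workload against the 3-2-1 rule, assigns a recovery time by strategic value, and picks the newest copy written before a compromise was detected. The tier boundaries, the 8-hour middle tier, the workload names and all dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Copy:
    media: str            # "disk", "tape", "cloud-object", ...
    offsite: bool
    taken_at: datetime    # when this copy was last written


@dataclass(frozen=True)
class Workload:
    name: str
    strategic_value: int  # 1 (low) to 5 (business critical), set by the business
    copies: tuple         # every copy of the data, the live one included


# Hypothetical tiers: (minimum strategic value, recovery time, storage class).
# The 20-minute and two-day figures mirror the article; the rest is assumed.
TIERS = (
    (4, timedelta(minutes=20), "hot"),
    (2, timedelta(hours=8), "warm"),
    (1, timedelta(days=2), "cold"),
)


def check_321(workload):
    """Return the ways a workload falls short of the 3-2-1 rule."""
    problems = []
    if len(workload.copies) < 3:
        problems.append(f"only {len(workload.copies)} copies, need 3")
    if len({c.media for c in workload.copies}) < 2:
        problems.append("all copies on one media type, need 2")
    if not any(c.offsite for c in workload.copies):
        problems.append("no offsite copy")
    return problems


def assign_tier(workload):
    """Map strategic value to (recovery time, storage class)."""
    for min_value, rto, storage in TIERS:
        if workload.strategic_value >= min_value:
            return rto, storage
    raise ValueError(f"{workload.name}: strategic value must be 1 or higher")


def clean_restore_point(workload, compromised_at):
    """Newest copy written before the compromise; None if every copy is suspect."""
    clean = [c for c in workload.copies if c.taken_at < compromised_at]
    return max(clean, key=lambda c: c.taken_at, default=None)


def recovery_plan(workloads, compromised_at):
    """Order workloads by how quickly they must be back, shortest first."""
    plan = []
    for w in workloads:
        rto, storage = assign_tier(w)
        plan.append({
            "workload": w.name,
            "rto": rto,
            "storage": storage,
            "violations": check_321(w),
            "restore_from": clean_restore_point(w, compromised_at),
        })
    return sorted(plan, key=lambda entry: entry["rto"])


# Constructed sample inventory and incident time.
COMPROMISED_AT = datetime(2024, 1, 10, 9, 0)
SAMPLE = (
    Workload("reporting", 1, (
        Copy("disk", False, datetime(2024, 1, 10, 12, 0)),
        Copy("disk", False, datetime(2024, 1, 10, 10, 0)),
    )),
    Workload("payments", 5, (
        Copy("disk", False, datetime(2024, 1, 10, 12, 0)),   # live copy
        Copy("tape", False, datetime(2024, 1, 9, 23, 0)),
        Copy("cloud-object", True, datetime(2024, 1, 8, 23, 0)),
    )),
)

if __name__ == "__main__":
    for entry in recovery_plan(SAMPLE, COMPROMISED_AT):
        source = entry["restore_from"]
        print(entry["workload"], entry["rto"], entry["storage"],
              source.media if source else "NO CLEAN COPY", entry["violations"])
```

A workload with no copy older than the compromise shows up with no restore source, which is the case a controlled disaster test should surface before an incident does.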


As it begins its massive investment in digital transformation, Lloyds could very easily sink its budget into exciting features that promise to improve the lives of customers and employees. However, without learning the lessons of the high-profile outages that have come before it from banks that have undergone their own transformations, Lloyds is doomed to repeat the same mistakes. You can promise all the features in the world, but without a solid foundation the bank will essentially be a house of cards, ready to collapse at the slightest sign of danger. All banks, regardless of size, must prioritise the minimisation of downtime by having common sense policies in patch management, full knowledge of a system gained through disaster testing and a recovery strategy in place that enables it to get back online at speed.

 

https://www.tectrade.com

In light of the recent cyberattacks that TSB and British Airways were faced with, Andy Barratt, UK Managing Director at cybersecurity consultancy Coalfire, delves into the trend for large corporates to be hit harder by IT glitches than their SME peers.

It seems barely a week goes by without the world’s news channels breaking the story of a major cybersecurity incident affecting yet another household-name business. In the last month alone, we’ve seen CEOs fall on their swords, the value of shares plummet and hundreds of thousands of people urged to re-secure their online accounts after IT failures and malicious attacks caused widescale disruption.

In the modern age, no business is safe – either from external threat or from itself. The IT saga that engulfed TSB this summer, and ultimately cost the bank’s CEO Paul Pester his job, is an example of a big business causing itself a monumental headache through poor risk management.

Bank customers were left without access to their digital accounts for weeks as TSB tried to migrate its clients’ account details across from its existing IT platform to that of its new Spanish owner, Sabadell. When IBM was called in to consult on the issue, it quickly became apparent that insufficient testing had been carried out in advance to ensure the transfer process would run smoothly.

Customers, MPs and journalists alike have since accused TSB of having its head in the sand over the incident, failing to get to the root of the issue quickly enough and keeping customers in the dark. The question on the public’s lips was ‘how could this happen to a business with presumably vast security resources?’.

Corporates miss security sweet spot

The answer is that behind the curtain – and contrary to accepted wisdom on cybersecurity – large enterprises are often not the best prepared to protect themselves against cyber risk, despite having bigger budgets and more resources. Coalfire recently conducted its inaugural Penetration Risk Report, which tested the cyber defences of enterprises of various sizes across sectors including financial services, retail, healthcare, and tech and cloud services. The research involved simulating planned cyber-attacks against the businesses – a practice known as penetration testing – to identify weak spots in their security armour.

A financial services organisation fared better than most. But even in this comparatively well-performing sector we found that large enterprises were not the most secure, despite having the most substantial cybersecurity budgets. Instead, it was mid-sized firms that found the sweet spot in terms of protecting their assets and mitigating their security risks.

So why doesn’t bigger spend correlate to improved security?

It’s worth noting at this point that TSB’s issue was not caused by malicious intent or outside interference. However, the incident highlighted a disturbing lack of understanding running throughout the business that is indicative of how large corporations expose themselves to risk.

Culture shocks

Business leaders must become comfortable hearing about problems and technical risk when it comes to IT. Often in large organisations, there is a mindset that the board doesn’t want to know about a problem, so risks are constantly re-framed and cracks painted over.

Consequently, senior executives often don’t have visibility of deeply-rooted issues and, ultimately, make decisions that don’t factor those risks in. This can be particularly unhelpful when businesses are looking to innovate as investment in new technology (mobile banking, rapid deposit taking, etc.) is hamstrung by existing technical challenges.

This mindset where boards are in the dark often occurs in organisations where a culture of blame is prevalent. We must move to a corporate environment where staff feel comfortable elevating issues to management rather than patching them up.

In the worst-case scenario, this disconnection between boardroom and shop floor can leave senior spokespeople fronting up to the media with little understanding of the issues that have embroiled their business in controversy. Highlighting how it should be done was British Airways’ Chief Executive Alex Cruz, who was quick out of the blocks to publicly communicate a detailed understanding of the specifics after the flight operator discovered a malicious breach in September.

Heads will roll

In the immediate aftermath of TSB’s IT failure, the Financial Conduct Authority accused the bank’s leadership of ‘portraying an optimistic view’ and failing to adequately communicate the extent of the issue to the public. The bank apologised unreservedly but the real question remained about its competence and whether TSB’s leadership understood, or was on top of, the job at hand.

While it would be unreasonable to expect the CEO of every UK bank or FTSE 100 business to be an expert on IT and cybersecurity, ultimately the buck stops with them. Given the monumental disruption to reputation and performance, there are a lot of lessons senior leaders can learn from the case of TSB.

Partner networks

Large businesses can also be put at risk due to the security shortcomings of the many partners they work with. This issue was evident when Ticketmaster was subject to a supply chain attack earlier this year. In this case, hackers used code supplied by Ticketmaster’s chatbot operator to extract payment details from its website after the code in question was incorrectly repurposed by Ticketmaster’s in-house team.

Similar activity was likely at play for the British Airways data breach, where data was lifted live from its website most likely via third-party code. BA is a regular participant in industry forums and best practice initiatives, and yet has still been affected, highlighting the risk big businesses face through their extended network of partners. Airlines in particular are at risk of attack because they frequently rely on complex infrastructure and shared services provided by airports, booking agents, aggregators and global distribution systems. Many don’t meet the security compliance rules we set here in the UK.

The same can be said for the financial services industry where there is constant interaction between myriad third parties and their affiliated platforms. For businesses of this size, resilience in the face of an attack is the modern approach. Always assume that someone will find a way in. Responding to that quickly will enable you to minimise loss.

To err is human

It’s also worth considering the somewhat unavoidable risk human threat poses to large institutions given the number of people they employ. It goes without saying that the potential for human error increases exponentially the bigger a work force is.

Our Penetration Risk Report found that people remain companies’ biggest weakness – across all sizes and sectors. Whether through human error or creating opportunities for social engineering hacks, the chances are that your staff will be your cybersecurity Achilles’ heel.

Accountancy giant Deloitte was targeted last year as hackers got hold of confidential data via an administrator’s account which had only single-factor authentication in place. In this case, it’s likely that access was achieved after the account password was exposed through phishing – where hackers pose as a trustworthy entity (usually via email) to obtain sensitive information such as usernames and passwords.

GDPR

Fortunately for the majority of the businesses mentioned in this article, the breaches and failures fell before the arrival of GDPR. British Airways, however, is the first high profile business to experience a major data breach since new rules came into force in April. The new rules outline that a business can be fined as much as 4% of turnover if it has failed to take technical precautions to protect its customers’ data. Unfortunately for BA, if it is found to have failed in that duty of care, then its fine could total £489million.

On top of reputational damage, the proportionate nature of GDPR means that, more than ever, cybersecurity is an issue big businesses can’t afford to get wrong. The days of thinking ‘bigger is always better’ are numbered.

 

 

ABOUT COALFIRE

Coalfire is the trusted cybersecurity advisor that helps private and public-sector organisations avert threats, close gaps and effectively manage risk. By providing independent and tailored advice, assessments, technical testing and cyber engineering services, we help clients develop scalable programs that improve their security posture, achieve their business objectives and fuel their continued success. Coalfire has been a cybersecurity thought leader for more than 17 years and has offices throughout the United States and Europe.

For more information, visit Coalfire.com.

 

ABOUT COALFIRE LABS

The Coalfire Labs team leverages highly skilled penetration testers with focused expertise in helping organisations of all sizes improve their security posture by thinking and acting like an attacker. Coalfire Labs simulates threats, evades your defences, and hunts for active breaches in your environment, and then helps you understand the risk and impact to your organisation.

 

 

 

The Bank of England and the Financial Conduct Authority have informed the financial services sector that they must meet new standards in operational resilience and cybersecurity in the face of a state of near constant cyberattack.

Reflecting on the ‘attack surface’ of the typical financial sector organisation, Dr Simon Wiseman, CTO with UK Cybersecurity firm Deep Secure, looks at the potentially vulnerable areas and suggests ways to mitigate the risks.

 

Guarding the Gateway

Many of the cybersecurity attacks initiated against organisations in the financial services sector start with an exploit or threat concealed in seemingly innocent business content arriving into the corporate network via the email or Web gateway. Whatever the vector and whatever the precise nature of the threat, time and again it is business content – documents, spreadsheets, presentations and images – that is used to conceal the attacker’s intent.

Traditionally, the job of combatting threats concealed in business content arriving at the email and Web gateways has been given to detection-based cybersecurity defences, as typified by anti-virus and anti-malware products. The problem now is that these defences are proving wholly inadequate in the face of increasingly sophisticated cybercriminals. Attackers are now employing against commercial targets the kind of sophisticated zero-day, stealthy exploits that were hitherto the province of nation-state intelligence entities.

Fortunately, new ways of combatting this type of threat are emerging, and one of the most effective is called Content Threat Removal. Content Threat Removal doesn’t attempt to detect the presence of a threat in business content arriving at the gateway. Instead, it assumes that all content is potentially bad. Using a process called content transformation, it intercepts every document and image, extracts only the valid business information from it, discards the original and creates a brand new, threat-free copy to deliver to the intended recipient. The content transformation process can’t be circumvented or evaded because it is not interested in trying to detect anything untoward that the bad guy has hidden in the content. It simply eliminates the risk, even when new forms of attack are devised.

 

Portal Problems

We’re in the age of the self-service portal. Prospects and customers alike are encouraged to upload documents (often in the Adobe Portable Document Format or PDF) in support of everything from personal loans and mortgages to motor insurance applications. The problem is that while the PDF is a versatile and incredibly useful file format, it is also highly complex, easy to subvert and is regularly used by cybercriminals to carry malicious payloads.

A typical response to the threat posed by PDFs uploaded from the Internet or other untrusted sources has been to try and mitigate the risk by scanning them with multiple detection-based anti-virus scanners. The problem as we’ve already noted is that detection-based defences like anti-virus routinely fail to pick up the latest threats and zero-day exploits. Here again, the best way to mitigate this risk is to re-evaluate the security and deploy a technology that doesn’t rely on detection but uses content transformation at the portal boundary to ensure that only PDFs that are completely threat-free are delivered into the network.

The demand for customers to interact with financial service providers by uploading documents via portals is only going to increase, and so is the danger of compromise from malware concealed within those documents. Mitigating this risk to an acceptable level necessitates a rethink of the defences and a willingness to move away from a dependence on detection and towards complete elimination.

 

Combatting the Undetectable Exploit

When is an exploit undetectable? Well, one answer is when there is no evidence of how the valuables were taken - only the certainty that they’ve gone! For all the millions spent on highly sophisticated cybersecurity products, the fact is that undetectable exploits keep on occurring. Although there is little certainty over how this is being achieved, what evidence has been uncovered points to the use of exploits that conceal information in images using a technique called steganography.

Image steganography is the attacker’s dream tool. It can be used to infiltrate malware, exfiltrate large amounts of value and maintain secret command and control (CnC) channels, all concealed in seemingly innocuous images. Images, of course, are everywhere, and from a simple tweet to the corporate logo in an email signature, each one can be subverted using image steganography. No data loss protection tool can detect whether an image is harmless or dangerous because image steganography is undetectable.

In the face of the threat posed by image steganography, organisations can either decide to ignore the risk (many still do) or address it using a transformative approach whereby every image is intercepted at the boundary and re-created anew before being passed to the intended recipient. This approach doesn’t try to detect the exploit; it assumes every image could be compromised and renders them all safe, preventing hidden malware getting in, stopping covert information leaks and blocking stealthy command and control channels.
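Content transformation as described in the sections above, applied to a single format, as an added example that is not Deep Secure's product code or part of the original article. It decodes a PNG to pixels, never copies the original container (ancillary chunks, bytes after IEND) and builds a new file from the pixels alone. Clearing the lowest bit of each sample is this sketch's assumed stand-in for re-creating the image data; the sample file and its marker strings are constructed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_PIXELS = 16_000_000                      # refuse oversized images from untrusted senders
CHANNELS = {0: 1, 2: 3, 4: 2, 6: 4}          # PNG colour type -> samples per pixel


def png_chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def paeth(a, b, c):
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c


def decode_png(blob):
    """Decode an 8-bit, non-interlaced PNG to (width, height, channels, rows)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, ihdr, idat = len(PNG_SIG), None, b""
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        if pos + 12 + length > len(blob):
            raise ValueError("truncated chunk")
        ctype, data = blob[pos + 4:pos + 8], blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("bad chunk CRC")
        if ctype == b"IHDR":
            ihdr = data
        elif ctype == b"IDAT":
            idat += data
        elif ctype == b"IEND":
            break                            # anything after IEND is never read
        pos += 12 + length                   # tEXt, eXIf, private chunks: skipped
    if ihdr is None or len(ihdr) != 13:
        raise ValueError("missing IHDR")
    width, height, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", ihdr)
    channels = CHANNELS.get(colour)
    if (depth != 8 or channels is None or interlace
            or not width or not height or width * height > MAX_PIXELS):
        raise ValueError("unsupported or oversized image")
    stride = width * channels
    # Cap the inflated size at what the header allows, so a small file cannot expand without bound.
    raw = zlib.decompressobj().decompress(idat, height * (stride + 1))
    if len(raw) != height * (stride + 1):
        raise ValueError("pixel data shorter than header claims")
    rows, prev = [], bytearray(stride)
    for y in range(height):
        ftype = raw[y * (stride + 1)]
        line = bytearray(raw[y * (stride + 1) + 1:(y + 1) * (stride + 1)])
        if ftype > 4:
            raise ValueError("unknown filter type")
        for i in range(stride):
            a = line[i - channels] if i >= channels else 0
            b = prev[i]
            c = prev[i - channels] if i >= channels else 0
            pred = (0, a, b, (a + b) // 2, paeth(a, b, c))[ftype]
            line[i] = (line[i] + pred) & 0xFF
        rows.append(bytes(line))
        prev = line
    return width, height, channels, rows


def transform_png(blob, clear_bits=1):
    """Build a new PNG from the decoded pixels only; the input bytes are discarded."""
    width, height, channels, rows = decode_png(blob)
    mask = 0xFF & ~((1 << clear_bits) - 1)   # assumption: drop the lowest bit(s) of each sample
    colour = {v: k for k, v in CHANNELS.items()}[channels]
    raw = b"".join(b"\x00" + bytes(v & mask for v in row) for row in rows)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, colour, 0, 0, 0)
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def build_sample():
    """Constructed 4x2 RGB PNG carrying a text chunk and bytes appended after IEND."""
    rows = [bytes((x * 40 + y * 7 + k) & 0xFF for x in range(4) for k in range(3))
            for y in range(2)]
    sub = bytes((rows[0][i] - (rows[0][i - 3] if i >= 3 else 0)) & 0xFF for i in range(12))
    up = bytes((rows[1][i] - rows[0][i]) & 0xFF for i in range(12))
    raw = b"\x01" + sub + b"\x02" + up       # filter types Sub and Up
    ihdr = struct.pack(">IIBBBBB", 4, 2, 8, 2, 0, 0, 0)
    blob = (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"tEXt", b"Comment\x00CONSTRUCTED-HIDDEN-NOTE")
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b"")
            + b"CONSTRUCTED-TRAILING-BYTES")
    return blob, rows


if __name__ == "__main__":
    original, _ = build_sample()
    rebuilt = transform_png(original)
    print(len(original), "bytes in,", len(rebuilt), "bytes out")
    print("marker survives:", b"CONSTRUCTED" in rebuilt)
```

Nothing in the output is copied from the input file: a format the decoder cannot parse is rejected rather than passed through, which is the operational difference from a detection-based scanner.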

 

A Stronger Screen for SWIFT

Thefts via SWIFT have been under the spotlight. SWIFT, the global provider of secure financial messaging services, is the mechanism by which financial organisations exchange financial messages relating to payments, securities, treasury and trade. Since at least 2013, those that use SWIFT within financial organisations have been targets of concerted attack with many banks across the world falling victim and incurring sometimes heavy losses. Many of these exploits have involved gaining access to credentials or exploiting vulnerabilities in ageing network equipment. Addressing these issues is obviously good practice, but there are further steps the organisation can take to build a stronger screen for SWIFT users.

There is some evidence that attempts to target SWIFT users may take the form of so-called ‘sideways attacks’. To elaborate, the initial penetration takes place via email or Web at the boundary into the corporate network. With a beachhead established the criminals can orchestrate a multi-part attack, whereby malware is triggered on the corporate network to distract the security team while the real target, users with access to SWIFT, is hit ‘sideways’ from already compromised workstations internally on the network.

As stated earlier, best practice in combatting this type of activity has to be reviewing the boundary defence (email and Web) and deploying cybersecurity technologies that don’t rely on detection to identify malware carried in documents but instead transform the content. While not the only answer to a stronger screen for SWIFT, adopting this approach will ensure that the incoming business content is rendered 100% threat free.

 

Building a Crypto Currency Fortress

It’s really something of a mistake to think that cryptocurrency security is all down to the cryptography. The real security risk you have to consider is how to keep the coins safe when they are in storage. So you have to think about where the coins are held in the same way as you need to think about where conventional cash is kept.

Ultimately, keeping cryptocurrency coins in a properly designed hardware ‘wallet’ that is not connected to the Internet ensures you have full control over them, but it’s a manual process and not scalable. Allowing the coins to be controlled by a connected system means that system has to be able to repel all current and future cyberattacks. This kind of ‘failure is unthinkable’ protection has previously only been associated with defence and intelligence systems but is becoming increasingly important to online cryptocurrency systems. The providers of these systems are going to have to deploy the latest security mechanisms, guarding the system that hosts the keys to ensure they are not compromised and that trust in the entire ecosystem is not undermined.

Organisations in the financial services sector are rightly concerned about the attack surface they present to the attacker. Going forward, they must be prepared to reduce their reliance on detection-based cybersecurity defences and adopt new technologies such as content transformation if they are to improve their overall security posture.

Positive Technologies has announced its latest report from its own audits of web application security: Web Application Vulnerabilities in 2017. The results, collated through the security firm’s automated source code analysis through the PT Application Inspector, detected vulnerabilities in every single web application tested in 2017. Among the key findings, 94% of applications had at least one high-severity vulnerability, demonstrating that websites are a critical weakness for organizations.

Breaking down the detected vulnerabilities by severity level, most (65%) were of medium severity, with much of the remainder (27%) consisting of high-severity vulnerabilities.

Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies said: “Web applications practically have a target painted on their back. A large number of unfixed, exploitable vulnerabilities is a windfall for hackers, who can use these flaws to steal sensitive information or access an internal network. Fortunately, most vulnerabilities can be discovered long before an attack ever happens. The key is to analyze application source code.”

Financial services are at greatest risk

As expected by Positive Technologies experts, finance web applications (46% of all tested web applications) were at the greatest risk, with high-severity vulnerabilities found in 100% of tested banking and finance web applications.

In fact, web applications at banks and other financial institutions, as well as governments, draw the most attention from hackers, as confirmed in a series of Positive Technologies reports.

Denial of service is especially threatening for e-commerce web applications, because any downtime means missed business and lost customers. High-profile e-commerce web applications receive large amounts of daily visits, increasing the motivation for attackers to find vulnerabilities to turn against users.

Attacks targeting users are the most dangerous

Positive Technologies assessed the potential impact of every detected web application vulnerability and compiled a list of the most common security threats. The number-one threat is attacks that target web application users. Alarmingly, 87% of banking web applications and all government web applications tested by Positive Technologies were susceptible to attacks against users. Users of government web applications in particular tend to not be security-savvy, which makes them easy victims for attackers.

The most common vulnerability across the board was Cross-Site Scripting (affecting 82% of tested web applications), which allows attackers to perform phishing attacks against web application users or infect their computers with malware.

Other critical vulnerabilities also find their way into government web applications. For example, security assessment of a web application for a Russian local government revealed SQL Injection, a critical vulnerability that could allow attackers to obtain sensitive information from a database.

(Source: Positive Technologies)

A recent survey shows 64% of organisations have deployed some level of IoT technology, and another 20% plan to do so within the next 12 months. This is an astonishing fact when you consider the lack of basic security on these devices, or any established security standards. Many companies are turning a blind eye to security issues, swayed by the potential benefits that IoT can bring. Here Ian Kilpatrick, EVP Cyber Security at the Nuvias Group, provides 10 key facts on IoT.

1. IoT - a cybercriminal’s dream

Any device or sensor with an IP address connected to a corporate network is an entry point for hackers and other cybercriminals – like leaving your front door wide open for thieves.

Managing endpoints is already a challenge, but the IoT will usher in a raft of new network-connected devices that threaten to overwhelm the IT department charged with securing them – a thankless task considering the lack of basic safeguards in place on the devices.

Of particular concern is that many IoT devices are not designed to be secured or updated after deployment. Any vulnerabilities discovered post deployment cannot be protected against in the device; and corrupted devices cannot be cleansed.

2. IT or OT

IT professionals are more used to securing PCs, laptops and other devices, but they will now be expected to become experts in areas such as smart lighting, heating and air conditioning systems, security cameras and integrated facilities management systems.

A lack of experience in this Operational Technology (OT) is a cause for concern. It is seen as operational rather than strategic, so deployment and management are often shifted well away from Board awareness and oversight.

Nevertheless, the majority of organisations are deploying IoT technology with minimal regard to the risk profile or the tactical requirements needed to secure them against unforeseen consequences.

3. Increase in DDoS attacks

DDoS (Distributed Denial of Service) attacks are on the rise, with 41% of UK organisations saying they have experienced one.

IoT devices are a perfect vehicle for criminals to access a company’s network. 2016’s high-profile Mirai attack used IoT devices to mount wide-scale DDoS attacks that disrupted internet service for more than 900,000 Deutsche Telekom customers in Germany, and infected almost 2,400 TalkTalk routers in the UK.

4. ... and ransomware attacks

There has been an almost 2000% jump in ransomware detections since 2015. In 2017, WannaCry targeted more than 200,000 computers across 150 countries, with damages ranging from hundreds to billions of dollars.

While most ransomware attacks currently infiltrate an organisation via email, IoT presents a new delivery system for both mass and targeted attacks.

5. Increasing intensity and sophistication of attacks

The sophistication of attacks targeting organisations is accelerating at an unprecedented rate, with criminals leveraging the disruptive opportunities the IoT brings.

According to Fortinet’s latest Quarterly Threat Landscape report, three of the top twenty attacks identified in Q4 2017 were IoT botnets. But unlike previous attacks, which focused on a single vulnerability, new IoT botnets such as Reaper and Hajime target multiple vulnerabilities simultaneously, which is much harder to combat.

Wi-Fi cameras were targeted by criminals, with more than four times the number of exploit attempts detected over Q3 2017.

6. The effects of an attack

The aftermath of a cyberattack can be devastating for any company, leading to huge financial losses, compounded by regulatory fines for data breaches, and plummeting market share or job losses. At best, a company could suffer irreparable reputational damage and loss of customer loyalty.

On top of that, IoT devices have the potential to create organisational and infrastructure risks, and even pose a threat to human life, if attacked. We have already seen the impact of nation-state attack tools being used as nation state weapons, then getting out and being used in commercial criminal activity.

7. Profit over security

It’s crazy to think that devices with the potential to enable so much damage to homes, businesses and even entire cities often lack basic security design, implementation and testing. In the main this is because device manufacturers are pushing through their products to get them to market as quickly as possible, to cash in on the current buzz around IoT.

Lawrence Munro, vice president SpiderLabs at Trustwave agrees IoT manufacturers are sidestepping security fundamentals: “We are seeing lack of familiarity with secure coding concepts resulting in vulnerabilities, some of them a decade old, incorporated into final designs,” he notes.

8. Can you see the problem?

Another huge problem is that once a network is attacked, it’s much easier for subsequent attacks to occur.

Yet, recent data shows just half of IT decision makers feel confident they have full visibility and control of all devices with network access. The same percentage believe they have full visibility of the access level of all third parties, who frequently have access to networks; and only 54% say they have full visibility and control of all employees.

9. Turning a blind eye

Despite security concerns often cited as the number one barrier to greater IoT adoption, Trustwave research shows 61% of firms who have deployed some level of IoT technology have had to deal with a security incident related to IoT, and 55% believe an attack will occur sometime during the next two years. Only 28% of organisations surveyed consider that their IoT security strategy is ‘very important’ when compared to other cybersecurity priorities.

10. Efforts to standardise

In the UK, the government’s five-year National Cyber Security Programme (NCSP) is looking to work with the IT industry to build security into IoT devices through its ‘Secure by Default’ initiative. The group published a review earlier this month that proposes a draft Code of Practice for IoT manufacturers and developers.

While there seems to be some light at the end of the tunnel, it may not be enough. Regulators won’t force device manufacturers to introduce the necessary security regulations and practices before thousands of businesses fall victim to attacks. Turning a blind eye to the IoT security risks could leave your organisation permanently paralysed.
