Use secure online banking platforms

While online banking may seem inherently secure, there are still ways that criminals can access your information. It is especially important to think carefully about the financial services platforms you use if you hold crypto, given how often major thefts and breaches seem to happen. To help protect your data, only use banks and financial institutions that have a strong online security protocol in place. Additionally, make sure you are only accessing your accounts from secure, trusted devices and networks.

Keep your passwords safe

The first and most important step to keeping your financial data safe online is to keep your passwords safe. That means using strong, unique passwords for every account and never sharing them with anyone.

To create strong, unique passwords, use a password manager like LastPass or 1Password. These tools will generate and manage strong passwords for you, so you don't have to remember them all yourself. Additionally, always ensure you are making use of your bank's 2FA procedures and, despite them being potentially inconvenient, resist the urge to turn them off. 2FA makes a big difference, especially when you understand how many cybersecurity risk factors financial institutions often overlook.

Keep your software up to date

Malware and viruses can be a big problem when it comes to protecting your financial data. However, keeping your antivirus software and anti-malware programs up-to-date will help protect you from these intrusions.

Software publishers regularly release patches and updates because they have found vulnerabilities in their coding that you need to be aware of. Outdated software is one of the most common ways that people's computers get infected with malware, so make sure you are regularly checking for updates and installing them as soon as they are available.

Keep an eye on your credit card transactions

Monitoring your credit card transactions to check for suspicious activity is an essential step in protecting your financial data. Signing up for fraud alerts with your credit card providers, and being on alert for odd or unfamiliar transactions will help you stay on top of any potential issues with your account.

Be mindful of phishing emails

There has been a marked increase in the number of phishing attempts on personal banking information over the past several years. To protect yourself and your data, always be on alert for emails that promise free gifts or other financial incentives if you enter your banking information. Additionally, never share your personal information with any unknown sources online, as they may, in fact, be criminals trying to gain access to your accounts.

Be wary of online shopping sites

While online shopping is convenient, it's important to be cautious when entering your financial information in our cashless economy. Make sure you only shop on sites that are secure, and that you trust. Additionally, always use a credit card for online purchases rather than a debit card, as credit cards offer more protection against fraud.

Don't use open wifi networks

Avoid sending and receiving sensitive financial data while using the internet in places like coffee shops or airports, as these types of public wifi networks are often insecure. If you must use public wifi, make sure you are only accessing websites that are encrypted, and that you trust.

Don't save credit card information online

Many online stores will offer to save your credit card information for easier future shopping. However, this leaves your financial data vulnerable to hackers and other criminals. Instead, only save your information on sites that you trust and that have a good security protocol in place.

Keep an eye out for sketchy apps

With the increasing popularity of mobile banking and shopping, criminals are increasingly trying to find ways to steal your information through apps. To protect yourself, always do a quick search on the app store before downloading any new banking or financial apps, to ensure that they are legitimate and safe.

Get reports from credit monitoring agencies

There are a number of different credit monitoring agencies that you can sign up with in order to stay on top of your credit score and report. This is important not only for protecting your financial data but also for catching any errors or fraudulent activity that may have occurred without your knowledge.

Conclusion

By following these simple tips, you can help protect your financial data from intruders and criminals. Whether you are doing your banking online, or simply shopping online, always be vigilant and thoughtful in how you use the internet to prevent any potential issues with your money or credit score.

Or, to frame those figures another way, 1 in every 61 organisations suffer a cyberattack each week.

The kinds of organisations at risk from cybercrime vary greatly: the Microsoft Digital Defence Report 2021 identified a broad spread of entities at risk from ransomware, with an emphasis on consumer retail, financial services, manufacturing, government, and health care. Despite these risks, however, many businesses are incautious when it comes to cybersecurity. A study commissioned by the Department for Digital, Culture, Media, and Sport polled 956 businesses and found that as many as 50 per cent were not confident in carrying out even one in a series of basic cybersecurity tasks.

Clearly, businesses need a new set of incentives to boost their cybersecurity practices, while the clients and consumers whose data they hold need an extra layer of protection against any losses that might be incurred through cybercrime. By making Cyber Liability Insurance compulsory, both of these goals can be achieved in one simple gesture – and, given the stakes involved, this is an avenue well worth exploring.

It’s not just companies at risk when cybercriminals attack

What, then, do the stakes of cybercrime look like? The right kind of cyberattack can be devastating for businesses – and almost every business is vulnerable. After all, if a company practices anything as simple as email usage, they are open to cybercrime. In a practical sense, there are serious financial implications for businesses that suffer from this kind of attack. Cybercriminals are, for example, capable of stealing financial information, directly stealing money, or disrupting trading and business in ways that are financially detrimental.

The possible repercussions of cybercrime don’t end with the injured organisation itself, however. Businesses also house an extraordinary amount of data pertaining to their own customers or clients – including, potentially, their financial data. As McKinsey noted in a pre-pandemic report, “organisations have more data than ever at their disposal” – and this is, of course, a deliberate move, given the potentially valuable insights that such data can hold. At the same time, however, this new culture of data-hoarding comes with increased risk in the event of a cyberattack – just recently, for example, millions of clients of the computing company Acer have seen their data sold by hackers.

That, in a nutshell, is the problem with cyber laxity in today’s increasingly risk-laden climate. Cyberattacks on businesses start a ripple effect that expands outwards from the initial point of attack, disrupting the lives and finances of a huge array of subsidiary targets.

Fixing the problem with compulsory cyber liability

The answer to this problem is to significantly revamp insurance requirements by making cyber liability mandatory. At present, after all, business insurance requirements are extraordinarily minimal. According to the UK government, the only legally required policy is employers’ liability insurance (EL) which covers businesses in the event that a member of staff claims to suffer illness or injury due to their work. But, as we have seen, the absolute dominance of data and technology in almost every industry – what could be called the ubiquity of cyber vulnerability – means that we need to rethink our insurance priorities to reflect the risks involved in the world of today.

Cyber liability cover can, after all, provide protection not only for cyberattacks, but for data breaches and any damage that such breaches can inflict. The right cyber liability policy can cover legal claims and compensation costs, protecting those whose data is being held by the company.

While this kind of compensation is a great step, making cyber liability compulsory might bring about an even more powerful benefit in the form of more robust cybersecurity practices. After all, if cyber liability were mandatory, businesses would naturally want to reduce its cost. This would entail proving that they are at low risk of cyberattack – and the only way to reduce exposures would be, of course, to invest in stronger cybersecurity. As such, compulsory cyber liability could do much more than simply compensate for losses – it could spark a new wave of interest and investment in cyber security, lowering the rate of cyberattacks and keeping people, their data, and businesses themselves significantly more secure. 

About the author: Edward Halsey is the COO and co-founder of hubb

The finance sector is extremely vulnerable to the rising number of cyberattacks, with The 2021 Cybersecurity Census Report finding that finance companies in the UK suffered an average of 60 cyberattacks in the last year. The number of these attacks continues to increase, and finance companies need to employ strategies to keep their data and networks secure from attackers.

For obvious reasons, the finance sector is an advantageous target for cybercriminals, due to the wealth of data contained within these organisations and the fact that attacks can target banks' processing systems to disrupt critical financial transactions. Nonetheless, the volume and severity of the attacks we’re seeing is cause for immediate action, with mid-sized financial services organisations worldwide spending an average of over $2m recovering from ransomware attacks.

Aside from causing disruptions to financial services capabilities and potentially substantial financial losses, financial services organisations that are victims of a cyberattack also stand to suffer significant reputational damage. For example, recent Mimecast research found that consumers think that brands should be responsible for compensating victims of scams, with 39% of consumers saying that not taking responsibility for potential customers being deceived would put them off the brand. Notably, 65% of UK consumers would stop spending money with their favourite brand if they fell victim to a phishing attack involving that brand.  This is increasingly important for the financial sector, as online banking is the second most trusted sector by consumers in the UK, but is the most leveraged sector for cybercrime, with 28% of consumers receiving phishing emails from brands in this sector.

The key here is to move at pace, and employ a security model which helps organisations control access to their networks, applications, and data, enabling the financial services sector to remain secure in the face of sophisticated attacks.

The ‘New And Improved’ Cybercriminal

The pandemic has driven more criminals online, as they have adapted to the new remote/hybrid working world by exploiting improperly secured VPNs, cloud-based services, and unprotected emails. Inevitably, external data breaches are now a matter of when and not if. On top of this, a recent report found that the LockBit 2.0 ransomware gang is actively recruiting corporate insiders to help them breach and encrypt networks.

These criminals invest a lot of time in researching organisations and employees, asking questions such as: has someone been passed over for a promotion? Is someone being underpaid? Has someone received a negative performance review? Using this research, and spam/phishing attacks, criminals identify weaker links for exploitation. Criminals are then in contact with corporate insiders, asking them to install ransomware, collect information, plant malware etc. This is creating a perfect storm for many financial services companies.

The Zero Trust Model 

With this combination of internal and external threats and the risks of significant financial and reputational damage increasing, the financial sector might fear it is fighting a losing battle. But there is a model that can be adopted to keep their data and networks secure from attackers: Zero Trust. 

The Zero Trust model is founded on a simple idea: “trust no one and nothing.” This essentially means that the zero-trust security framework gets rid of concepts such as trusted devices and trusted users. In practical terms, organisations that adopt the Zero Trust model put policies in place to verify everyone and everything, regardless of whether they are internal or external. The model provides a mechanism to secure new ways of working in the cloud while combating the risk of an insider breach. The application of a Zero Trust model is especially important when it comes to insider threats since it is this trust that hackers seek to exploit.

Zero Trust is a great way to address the challenges caused by the rapid increase in cloud spend and remote working, as it removes implied trust: each access request needs to be verified, based upon strong authentication, authorisation, device health, and the value of the data being accessed. This is one of the most effective ways for organisations to control access to their networks, applications, and data, leading to more security for the enterprise.

Making It Seamless

One factor that must be taken into account is that, in order to be successful, the integration of zero trust systems must be as seamless as possible, otherwise complexity is re-introduced into the enterprise. Organisations need integrated solutions that optimise their current and future state of security. Avoid solutions that operate in isolation, and instead opt for platforms that integrate to form an ecosystem to improve visibility, enhance control and provide a robust set of orchestration capabilities. Ultimately, zero-trust security is more of a security model than any one tool, making it difficult to implement, especially when the infrastructure it’s being applied to wasn’t designed for new models, as there is no simple way to retrofit some systems for zero trust. For example, as a basic requirement, zero trust relies on multi-factor authentication, which many financial services may not currently have in place.  

As well as this, the financial services industry has not fully migrated to cloud solutions, and large amounts of technical debt have been incurred over the years of deploying new applications coupled with digitalisation. With more than 90% of the UK’s financial firms still relying on legacy tech, business-critical information is continually stored on out-of-date software. This equipment is often not compatible with up-to-date software and provides several opportunities for “backdoor” access. Companies that use older legacy applications may have trouble implementing them on zero-trust networks. For this new solution to be effective, companies will also need to invest in employee training. Training for employees alongside new security solutions is the only way to minimise human error, raise awareness and truly increase cyber-hygiene across a whole organisation.

While it's a long process, which may require the replacement of legacy equipment, and which demands inward reflection and internal reshaping, the finance sector needs to make cybersecurity a top priority. Otherwise, there is a real risk that even unsophisticated cyberattacks will cause serious damage and undermine organisations. Using new types of tools and capabilities, such as the zero-trust model, the finance sector can have a safer framework in place to help organisations tackle persistent security challenges, as well as mass remote working, allowing financial services to stay protected regardless of what comes next.

Charlie Roberts, Head of Business Development for the UK, Ireland & EU at IDnow, outlines the need for more effective identity verification in the financial services sector and how it can be achieved.

In 2019, even before COVID-19 struck, the UK fraud prevention service – Cifas – recorded in excess of 223,000 cases on its National Fraud Database, an increase of 18% on the previous year and a 32% rise over the previous five years. And looking ahead, experts predict that by 2021, the damage caused by internet fraud will reach $6 trillion, making cyber fraud one of the world’s fastest growing and most dangerous economic crimes.

Worryingly for the financial services sector, IBM recently revealed that in 2019, it was the most targeted industry for cyber criminals.

It should come as no surprise then, that financial institutions are increasingly being thrust into the spotlight when it comes to digital security and protecting the identities of their customers.

These worrying figures are certainly one driving factor in the UK government’s new Digital Identity Strategy Board, which has developed six principles to strengthen digital identity delivery and policy in the country.

A hybrid approach

We already know the important role technology is playing in the fight against cyber criminality – from biometrics and machine learning to artificial intelligence (AI) – and we recently discussed the significance of supplementing this verification technology with human identification experts. These professionals are able to use their intuition and understanding of human interactions and behaviours to identify when a person is being coerced or dishonest.

However, while these highly skilled and trained identification specialists are playing a vital role in the fight against cyber and identity crime, for some financial institutions, particularly larger banks, they present a barrier.

Bringing the entire verification process inhouse

Working on a SaaS basis, typically, identity software vendors provide financial institutions with the software and technology required for identity verification. However, the final decision on verification rests with the vendor’s algorithms or ident specialists.

However, many banks want to own the entire verification process, from utilising the technology and software to making the ultimate decision on the identity of a person. By handing this level of control over to the bank, institutions can integrate the verification systems within their own infrastructure, enabling the people that know their brand the best to set their own levels of security and determine what is authenticated and what is declined.

Upskilling inhouse teams is critical

While working with a third-party verification specialist is the preferred option for some, for others, the idea of upskilling and training existing compliance teams in identity verification is the priority, empowering the bank to own the process and the risk. In the long term, it will also provide significant cost savings while showcasing a major investment in talent and people, which will undoubtedly help attract and retain customers too.

With the UK seeking to develop a legal framework for digital identity, it is clearly becoming an increasingly important feature on the governmental agenda, not only to ensure that people can feel safe online, but also to deliver faster transactions and ultimately add billions to the economy. As such, all eyes will soon be turning to the safeguards the financial sector is putting in place to help protect the online identities of customers.

Arguably, then, now is the time to invest in a robust identity verification system that will not only provide the advanced technology needed to automate the process, but that can help train and upskill inhouse teams to truly deliver an embedded and hybrid approach to identity verification at a time when it is of paramount importance.

According to EveryCloud, cybercriminals netted $445 billion last year alone. What’s even more sobering is that 43% of cybercrimes target small businesses and their finances.

This is a worrying statistic for small businesses. All businesses take a hit if their data is breached, but larger businesses usually have a recovery plan in place. It can be a lot more difficult for smaller businesses to recover because of the costs associated with recovery.

That brings us to the point of this post – how you can protect your business from an attack.

Start with a Recovery Plan

It might seem as though we’re putting the cart in front of the horse here. That said, it’s better to plan ahead with something like this. Have a solid plan in place:

Train Your Employees

Human error is the hacker’s best friend. They’re just waiting for you or someone on your staff to make a mistake. Security awareness training conducted on a regular basis is your best defense. This training teaches you about the different threats, how to guard against them, and gives you the best practices to follow to keep your business safe.

Final Notes

If you want to mount the best defense against cybercriminals, adopting a multi-pronged, proactive approach is the best way forward. Start by securing your systems today.

However, not all crime is conducted directly online. Some people are tricked into giving away details over the phone or are told to use their banking app to transfer money into a safe account. This multi-channel approach means that at every touchpoint, an organization must be aware that their customers could be at risk; they need to put systems and processes in place to mitigate cybercrime. 

According to a report by McAfee, the European economy is one of the worst affected areas in the world. The statistics suggest that 0.84% of Europe's GDP is affected. Looking at the UK specifically, it is estimated that the cost of cyber-crime to the UK economy is £27bn – and it is growing.

GDPR and Customer Data Breaches

One of the latest and most high-profile risks to have come to people's attention over the past 18 months is customer data breaches. Customers are increasingly aware that organizations hold a lot of their personal data and they want to be sure that it is safe. The General Data Protection Regulation was brought into place to ensure that organizations are acting responsibly when it comes to processing and storing customer data.

The financial impact of not following these guidelines, or for not having the correct systems in place, has been significant. Just months after the new regulation came into place, British Airways were one of the first companies to fall foul when 500,000 pieces of customer data were stolen, which resulted in them receiving a £183m fine.

The Financial Fallout of Cyber Crime

Before any cyber-crime has taken place, there is a significant cost to businesses that need to purchase software, implement new processes and training, and even employ new cybersecurity teams to deal with threats. For global organizations, there may also be a need to hire consultants to advise on what they need to do to keep themselves and their customers safe.

One of the consequences of cybercrime that will affect every business is the direct costs. This could be money lost by the business or by consumers. It could also be the loss of reputation to a brand. If a bank suffers a cyberattack and customers lose money, they are likely to lose confidence, which can have a huge knock-on impact on business performance and profits.

Following on from an attack, there may also be payments that need to be made. On top of losing money in an attack, a business may also need to pay out compensation, fines, and legal costs. Depending on the type and severity of the attack and the data that was lost, this can amount to millions of pounds, as demonstrated by the British Airways case.

Trump vs. China

Back in 1930, the US introduced the Smoot-Hawley Tariff Act, which raised their already high tariffs, triggering a currency war and, as economists argue, exacerbating the Great Depression. With President Donald Trump’s threat to put 10% tariffs on the remaining $300 billion of Chinese imports that aren’t subject to his existing levies, sending markets tumbling from Asia to Europe, the question on everyone’s lips is: Is history about to repeat itself?

In August, in a bid to hit back against Trump’s administration, Beijing allowed the Chinese yuan to plummet past the symbolically important $7 mark. Economists suggest that this currency manipulation is China’s attempt to display dominance and gain the upper hand in the trade war between the two countries, as devaluing its currency could help counteract the effects of the US’s long list of tariffs on Chinese goods.

As protectionist actions escalate and US-China relations continue deteriorating, investors and markets have been growing increasingly concerned even though Trump has delayed the imposition of his new tariffs until December. A full-blown trade war wouldn’t be good news for anyone and could seriously weaken the global economy, as the IMF has warned, making the world a “poorer and more dangerous place”. Both sides are expected to experience losses in economic welfare, while countries on the sidelines could experience collateral damage. Furthermore, if tariffs remain in place, losses in economic output would be permanent, as distorted price signals would prevent the specialisation that maximises global productivity. The one thing that’s certain, no matter how things pan out, is that there will be no winners in this war.

Cyberattacks & data fraud

Millions, if not billions, of people’s data has been affected by numerous data breaches in the past couple of years, whilst cyberattacks on both public and private businesses and institutions are becoming a more and more frequent occurrence. With the deepening integration of digital technologies into every aspect of our lives and the dependency we have on them, cybercrime is one of the greatest threats to every company in the world.

Cyberattacks are rapidly increasing in size, sophistication and cost, as cybercrime and data breaches can trigger extensive losses. In 2016, Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. According to them, “this represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined”.

Emerging Markets crisis

Since the early 1990s, emerging markets have been a key part of investors’ portfolios, as they have been offering strong returns and faster growth. However, global trade tensions, a stronger US dollar and rising interest rates have hit emerging markets hard. Still far from catching up with the developed world, many supposedly emerging markets are developing at a slower pace, which combined with the threat of a global trade war and higher borrowing costs on the rise, has made investors pull in their horns. Emerging markets are the ones feeling the strain and financial panic has been gripping some of the world’s developing economies.

With political instability, external imbalances and poor policymaking which has led to full-blown currency crises in the two nations, Turkey and Argentina have been at the centre of an emerging market sell-off last year. But they are not the only emerging economies faced with a currency crisis – according to the EIU, some economies which are already in the danger zone and could suffer from the same currency volatility include Brazil, Mexico and South Africa.

If the currency crises in Turkey and Argentina continue and develop into banking crises, analysts predict that investors could abandon emerging markets across the globe. “Market sentiment remains fragile, and pressure on emerging markets as a group could re-emerge if market risk appetite deteriorates further than we currently expect”, the EIU explains.

Climate crisis

In recent months, the media has been constantly flooded with reports on the horrifying environmental risks posed by the climate crisis the Earth is in the midst of, but we’re also only starting to come to grips with the potential economic effects that may come with it.

Despite the significant degrees of uncertainty, results of numerous analyses and research vary widely. A US government report from November 2018 raised the prospect that a warmer planet could mean a big hit to GDP. The Stern Review, presented to the British Government in 2006, suggests that this could happen because of climate-related costs such as dealing with increased extreme weather events and stresses to low-lying areas due to sea level rises. These could include the following scenarios:

Due to climate change, low-lying, flood-prone areas are currently at a high risk of becoming uninhabitable, or at least uninsurable. Numerous industries across numerous locations could cease to exist and the map of global agriculture is expected to shift. In an attempt to adapt, people might begin moving to areas which will be affected by a warmer climate in a more favourable way.

All in all, the economic implications of the greatest environmental threat humanity has ever faced include massive shifts in geography, demographics and technology – with each one affecting the other.

Brexit

Fears that the UK could be on the brink of its first recession in 10 years have been growing after figures showed a 0.2% contraction in the country’s economy between April and June 2019. A weakening global economy and high levels of uncertainty mean the UK’s economic activity was already lagging, but the potential of a no-deal Brexit and the general uncertainty surrounding the UK’s departure from the EU, running down on stock built up before the original 29th March departure date, falling foreign investment and car plant shutdowns have resulted in its GDP decreasing by 0.2% in Q2. This is the first fall in quarterly GDP the country has seen in six and a half years and as the new deadline (31st October) approaches, economists are concerned that it could lead to a second successive quarter of negative growth – which is the dictionary definition of recession.

And whilst the implications of Brexit are mainly expected to be felt in the country itself, the whole Brexit process displays the risks that can come from economic and political fragmentation, illustrating what awaits in an increasingly fractured global economy, e.g. less efficient economic interactions, complicated cross-border financial flows and less resilience and agility. As Mohamed El-Erian explains: “in this context, costly self-insurance will come to replace some of the current system’s pooled-insurance mechanisms. And it will be much harder to maintain global norms and standards, let alone pursue international policy harmonisation and coordination”. Additionally, he goes on to note that tax and regulatory arbitrage are likely to become more common, whilst economic policymaking could become a tool for addressing national security concerns.

“Lastly, there will also be a change in how countries seek to structure their economies”, El-Erian continues. “In the past, Britain and other countries prided themselves as “small open economies” that could leverage their domestic advantages through shrewd and efficient links with Europe and the rest of the world. But now, being a large and relatively closed economy might start to seem more attractive. And for countries that do not have that option – such as smaller economies in east Asia – tightly knit regional blocs might provide a serviceable alternative.”

As reported in the Financial Conduct Authority survey by Which?, the UK banking sector was hit by IT outages on a daily basis in the last nine months of 2018, demonstrating a higher frequency of major banking glitches than previously thought. Barclays alone reported 41 major incidents during those months, followed by Lloyds Bank with 37 IT failures and Halifax/Bank of Scotland with 31. Whilst TSB only reported 16 incidents, their week-long outage last year cost them around £330m as well as the longer-term impact of the clients lost.

Just minutes of downtime can significantly impact the financial sector, which holds the data and funds of millions of customers who are reliant on having access to these services and trust that their assets will be kept safe. To minimise the effects of a disaster and ensure business continuity in case of an IT failure or ransomware attack, businesses must invest in customised disaster recovery services which allow data to be brought back as quickly as possible in case of an outage. Diverting just a small proportion of the cybersecurity budget towards routine IT operations can deliver significant ROI in terms of increased operational resilience. Regular testing and optimisation of backup and recovery systems can deliver big rewards in terms of preventing issues and getting back up and running quickly should disaster strike.

Safeguarding your data 

In the event of an IT failure or a ransomware attack, IT operators need a way to get systems back online and to do so fast. As noted by Gartner, the average cost of IT downtime is £4,400 per minute. The implications of IT failures go far beyond financial losses however, as they also damage the reputation of the business as well as lead to massive amounts of operative time lost. When a cyberattack or an IT outage takes place, it is not the failure or attack itself that causes the most harm but the resulting downtime of operations affecting productivity and credibility of the organisation. To avoid such losses organisations must put appropriate recovery systems in place. But to do so, they must first understand the IT systems they run and know what data they hold.

To stop the nightmare scenario from becoming reality, a solution able to recover business-essential data and get the most crucial systems back online in minutes is needed. A zero-day approach to IT architecture can do just that, as it allows organisations to prioritise workloads, with a planned recovery strategy that makes sure the most important systems are brought back first in case of an outage.

A zero-day recovery architecture is a service that enables operators to quickly bring workloads or data back into operation in the event of an IT failure or cyberattack, without having to worry about whether the workload is compromised. With the so-called 3-2-1 backup rule – meaning three copies of data stored on two different media and one backup kept offsite – zero-day recovery enables an IT department to partner with the cyber team and create a set of policies which define the architecture for what they want to do with data backups being stored offsite, normally in the cloud. This system assigns an appropriate storage cost and therefore recovery time to each workload according to their strategic value to the business, as all data is not created equal in terms of business continuity.

This recovery system will only prove useful, however, when set up properly and tested thoroughly and frequently. Approximately 25% of organisations’ nightly backups fail – yet few will be aware of this due to a lack of recovery testing, meaning most businesses will have no idea what data has been lost in the process. With this in mind, operators need to perform disaster recovery testing on their data. Without testing in a controlled and simulated environment, it is impossible for IT and security teams to fully understand their systems’ integrity. Finding out that the data backup and recovery systems have failed after an IT outage has already taken place has no value – this needs to have been done before the worst has a chance to take place.
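The 3-2-1 rule, priority-ordered recovery and regular restore testing described above can be checked mechanically against a backup catalogue. The following is an added example, not code from the article or any vendor: the catalogue format, workload names, finding codes and the 30-day test window are all assumptions, and the primary copy is counted as one of the three copies.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Copy:
    medium: str                      # e.g. "disk", "tape", "object-storage"
    offsite: bool
    last_restore_test: date | None   # last verified restore from this copy


@dataclass(frozen=True)
class Workload:
    name: str
    priority: int                    # 1 = most important, restored first
    copies: tuple[Copy, ...]         # includes the primary (production) copy


def audit(workload, today, max_test_age_days=30):
    """Return finding codes for one workload; an empty list means compliant."""
    findings = []
    copies = workload.copies
    if len(copies) < 3:
        findings.append("copies<3")          # fewer than three copies
    if len({c.medium for c in copies}) < 2:
        findings.append("media<2")           # all copies on one medium
    if not any(c.offsite for c in copies):
        findings.append("no-offsite")        # nothing stored offsite
    # A backup that has never been restored is unproven: require at least
    # one copy with a restore test inside the allowed window.
    fresh = [
        c for c in copies
        if c.last_restore_test is not None
        and (today - c.last_restore_test).days <= max_test_age_days
    ]
    if not fresh:
        findings.append("restore-untested")
    return findings


def recovery_plan(workloads, today):
    """Workloads in restore order, each paired with its audit findings."""
    ordered = sorted(workloads, key=lambda w: w.priority)
    return [(w.name, audit(w, today)) for w in ordered]


# Constructed sample catalogue (hypothetical workloads and dates).
TODAY = date(2019, 9, 1)
WORKLOADS = [
    Workload("reporting", 3, (
        Copy("disk", False, None),
        Copy("disk", False, None),
        Copy("disk", True, None),
    )),
    Workload("core-payments", 1, (
        Copy("disk", False, None),
        Copy("tape", False, date(2019, 8, 20)),
        Copy("object-storage", True, date(2019, 8, 25)),
    )),
    Workload("customer-portal", 2, (
        Copy("disk", False, None),
        Copy("object-storage", True, date(2019, 5, 1)),
    )),
]

if __name__ == "__main__":
    for name, findings in recovery_plan(WORKLOADS, TODAY):
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Run against a real catalogue, the non-empty findings are the workloads whose recovery would be discovered to be broken only during an outage.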

IT outages in the financial sector are becoming more frequent. In fact, the number of such incidents reported to the Financial Conduct Authority increased by 138% in the first 9 months of 2018, and they are showing no signs of slowing down, making them a question of when, not if. With a large portion of the infrastructure in the financial sector relying on IT, minimising outages and limiting threats to this infrastructure should be the number one priority for systems operators.

Refinitiv, one of the world’s largest providers of financial markets data and infrastructure, has published its second annual financial crime report today. Innovation and the fight against financial crime: How data and technology can turn the tide highlights that almost three-quarters (72%) of organisations have been victims of financial crime over the past 12 months with a lax approach to due diligence checks when onboarding new customers, suppliers and partners cited as creating an environment in which criminal activity can thrive. This wake-up call has led to 59% of companies adopting new technologies to plug compliance gaps.

In its 2018 report, Refinitiv outlined that $1.45 trillion of aggregate turnover is lost as a result of financial crime. This year’s report shows that the cost could indeed be much greater. Only 62% of the 3,000 compliance managers Refinitiv surveyed across 24 geographies claimed that financial crimes were reported internally, and just 60% said that they were reported to the relevant external organization.

Over the next year, companies are intending to spend on average 51% more to mitigate the crisis. The increased investment emphasises the priority placed on fighting financial crime in 2019 and reflects the amount of pressure respondents are under to be more innovative to both reduce risk and costs.

According to the report, an overwhelming majority of respondents (97%) believe that technology can significantly help with financial crime prevention with cloud-based data and technology the top choice, followed by AI and Machine Learning tools. Technology-driven solutions, such as Artificial Intelligence and Machine Learning, are already allowing businesses to implement processes and check up to millions of customer and third-party relationships, more quickly and efficiently.

Phil Cotter, Managing Director of the Risk business at Refinitiv, said the results showed that businesses need to do more to invest in technology to address the problem: “It is clear from the results of this report that businesses exposed to financial crime threats need to maximize their use of technology and future collaboration could prove key to realising the potential of innovation, particularly between tech companies, governments and financial institutions.

“Significant advancements in technology, facilitated by innovations such as AI, ML and cloud computing, are already under way. These technologies are enabling intelligence to be gathered from vast and often disparate data sets which together with rapid advances in data science, are transforming the approach to compliance, streamlining processes such as Know Your Customer (KYC) and helping to uncover previously hidden patterns and networks of potential financial crime activity.”

While the report focuses on the many emerging technologies coming on stream in the fight against financial crime, it also urges organisations not to overlook another vital form of innovation – collaboration. Just over eight in 10 (81%) respondents said that there is some sort of existing partnership or taskforce in their country to combat financial crime. 86% believe that the benefits of sharing information within such a partnership organization outweigh any possible risks.

In 2018, Refinitiv partnered with the World Economic Forum and Europol to form a global Coalition to Fight Financial Crime. The Coalition is working with law enforcement agencies, advocacy groups, and NGOs to address the societal costs and risks that financial crime poses to the integrity of the global financial system.

Yet according to PwC, this form of fraud is the second-most commonly reported economic crime in the world, ranking above bribery, corruption and even cybercrime. The question is – who should lead counter-fraud efforts? This week Finance Monthly hears from Laurent Colombant, Continuous Controls and Fraud Manager at SAS, to explore the ins and outs of procurement fraud.

Worryingly, businesses seem unclear on the answer. Our latest research report, Unmasking the Enemy Within, found there was no clear leader or common approach to procurement fraud prevention across businesses. Indeed, almost a quarter (23%) of business leaders have no clear owner assigned to the task or can’t say who is responsible.

Finance in the firing line

What’s not in question, however, is who’s held responsible for the damages that fraud inflicts. While CFOs might not be involved in day-to-day anti-fraud operations, they are frequently first in the firing line when procurement fraud is uncovered. In 2014, for example, Sino-Forest Corp CFO David Horsley was fined C$700,000 by regulators for failing to prevent fraud under his watch. Furthermore, he was permanently banned from being a public company officer or corporate director, and was ordered to pay $5.6 million to the company’s investors following a class action settlement.

While they are unlikely to coordinate fraud efforts single-handedly, 31% of companies place ultimate responsibility for fraud in the CFO’s hands - more than any other role. That’s hardly surprising, given that fraud has a direct impact on the bottom line, with over half of businesses (55%) reporting losses of up to €400,000 per year.

While we are not arguing that the finance department should be the command and control centre for anti-fraud efforts, it’s clear that the CFO has a crucial role to play in tackling procurement fraud. They are the ones who guide purchase decisions, who oversee risk management or audits and, ultimately, have the final say in what anti-fraud capabilities a company is equipped with.

Even so, it’s unfair to expect the finance department to shoulder the entire burden themselves. Just as IT security in the organisation is everyone’s responsibility, so too must accountability and responsibility for fraud be embedded throughout the workplace.

Invest for success - modernising the detection process

Yet there is much that the finance department can do to help uncover incidents of fraud – not least conducting regular audits. Around half of businesses (46%) claim to hold regular internal audits, but many of these exclude procurement fraud from their remit. More worrying still, more than one in 10 (11%) organisations admit to either doing nothing to audit for procurement fraud or are unable to say what they do. A further fifth (22%) fail to audit for procurement fraud at all.

That one in three companies aren’t actively searching for procurement fraud, or don’t know what processes cover it, suggests a blind spot that potential fraudsters could easily exploit.

Finance needs to look at areas where existing auditing processes are letting them down. When we look at how organisations deal with procurement fraud, 29% validate procurement applications manually while a further 30% rely on staff to inform them of any wrongdoing. Both carry a high risk of human error, potentially minimising or masking the true scale of the problem.

Ultimately, the buck stops with the CFO, which is why they should consider a new approach to auditing based on continuous and automated detection. This is only possible with a strong foundation of advanced analytics that assists investigators in pinpointing the needles in the haystack. A company’s ability to identify and prevent fraud rests, to a very great extent, on the good judgment of the CFO in selecting the right systems to prevent fraud from happening in the first place and deterring anyone with ill intentions.

Continuous, data-driven detection represents the best way to fight procurement fraud and identify errors, enabling companies to pre-empt signs of fraudulent activity rather than discover it after it’s taken place. This limits costs, saves time as well as reputation and prevents losses.

Yet only a small minority of organisations are using advanced analytics (14%) and AI (9%) technologies in their anti-fraud efforts. The most common obstacle to adoption is the perceived cost of the technologies, but this could well be short-term thinking on the part of the CFO. While there is an upfront cost implicit in any implementation, an effective fraud detection tool will quickly make its money back in the losses it prevents and the monies it helps recoup.

The finance department should not be afraid to make the case for investment in the latest advanced analytics and AI solutions. Procurement fraud is too serious and too costly to make short-term capex savings in favour of the long-term ROI offered by analytics-enabled security. After all, the buck stops with them.

Many thought it was too good to be true, but was it? Below Karen Wheeler, Vice President and Country Manager UK at Affinion, gives Finance Monthly the rundown.

YouGov research highlights that 72% of UK adults haven’t heard of Open Banking and according to PwC, only 18% of consumers are currently aware of what it means for them. However, that doesn’t mean the changes aren’t filtering through.

The story so far

The Open Banking Implementation Entity (OBIE) reports there are now 100 regulated providers, of which 17 Third Party Providers (TPPs) are now using Open Banking in the UK. Open Banking technology was used 17.5 million times in November 2018, up from 13.9 million in October and 6.5 million in September, with Application Programming Interface (API) calls now having a success rate of 97.7%.

One of the earliest examples was Yolt, by ING Bank. It showcases a customer’s accounts in one place so they can see their spending clearly and budget more effectively. Similarly, Chip aims to help people save more intentionally. Customers give read-only access to their current account and then sophisticated algorithms calculate how much a customer can afford to save, and put it away automatically into an account with Barclays every few days.

High Street banks have certainly taken inspiration from fintechs. For example, HSBC released an app last year enabling customers to see their current account as well as online savings, mortgages, loans and cards held with any other bank. The app also groups customers’ total spending across 30 categories including grocery shopping and utilities, making it a really helpful budgeting tool.

Perhaps, most advanced of all, Starling Bank allows customers access to its “Marketplace” where they can choose from a range of products and services that can be integrated with their account. The offering currently includes digital mortgage broker Habito, digital pension provider PensionBee, travel insurer Kasko, as well as external integrations such as Moneybox, Yoyo Wallet, Yolt, EMMA and MoneyHub.

Open Banking and GDPR

One key question is whether Open Banking puts the needs of financial services companies over those of the consumer. There is a general cynicism regarding the real reasons for encouraging Open Banking and this is exacerbated when most customers aren’t seeing the benefits.

Also, there is confusion caused by the apparent conflict of interest between Open Banking and GDPR.

In this day and age, do consumers really want more organisations to have access to their data? Can they trust the banks? According to PwC, 48% of retail banking customers cite security as their biggest concern with Open Banking and this is a significant barrier to overcome.

The way forward

It’s hard to overcome cynicism and doubt. Perhaps, once customers begin to enjoy the positives, they will be less sceptical about Open Banking, leading to more opportunities to build longer term customer engagement. For example, if products help them avoid going into debt or nudge them when new mortgage rates are on offer, they will see that banks are using the technology to support wise financial management rather than just serve their own marketing purposes.

It’s also hard to change entrenched consumer habits. To encourage consumers to get in the habit of comparing and switching, financial organisations must create truly compelling propositions. They need to focus on delivering intuitive, useful digital products which make a real difference to customers’ daily lives.

They also need to demonstrate how seriously they take their role in the fight against cybercrime while educating the consumer about how Open Banking works and how to protect their data. For example, many may not realise that one of the key tenets of Open Banking is security. Open Banking uses rigorously tested software and security systems and is stringently regulated by the FCA.

Placing the customer at the centre of their finances and giving them complete control directly increases competition and brings a myriad of everyday benefits to the customer. There is huge opportunity for traditional banks, fintechs and disruptors to use Open Banking to pioneer new products that build longer term customer engagement. However, the current priority is communicating the huge advantages and opportunities that Open Banking brings while reiterating that their data will remain secure.

Great strides have been made in protecting the banking infrastructure from network-based attacks and securing the web and mobile application layer – often the front door into banks through customer interactions. Here Mike Nathan, Senior Director – Solutions Consulting EMEA at ThreatMetrix, A LexisNexis Risk Solutions Company, delves into the ins and outs of cybercrime in the banking sector, offering some insight into the most targeted and vulnerable victims of cybercrime.

Interestingly, fraudsters are not always responding by upping their own technological prowess but turning to con artist style tactics to simply circumvent increasingly sophisticated cybersecurity measures. We have seen a dramatic rise in social engineering attacks, a more analogue approach to hit the banks where it hurts and as a result, customers have now become the new weakest point.

So, what can be done to anticipate or prevent this sort of attack?

Based on my observations, several years ago around 70 percent of attacks against banks involved account takeovers. Accounts can be hacked into using stolen identity credentials, or off the back of a phishing campaign where the customer is tricked into entering their login credentials on a fake site. Once the account has been compromised, the fraudster then accesses their digital banking account and commits the fraud.

Today, however, account takeovers only account for half of the problem due to the rise in social engineering attacks, also known as Authorised Push Payments (APP). APPs involve fraudsters contacting account holders directly and tricking them into making a payment. Given that the customer appears to give consent to the transaction, and it is originating from a device that is associated with that user, these attacks tend to be more difficult to detect.

A phone call from a concerned “member” of the fraud team at a bank may make a consumer panic, and instantly put all trust in that person. The consumer might then willingly send all his or her money to a separate account for “safe keeping”. In reality, that money has disappeared and so will the member of the fraud team who made the initial call. This is a simple method of APP attacks used today.

These fraud techniques are especially effective with some of the most vulnerable people in our society, who tend to struggle with the evolution of banking and fintech. Advancements in certain remote access tools that allow the cyber criminals to access and control the customer’s computer are making the job even easier.

If fraudsters are evolving, so must the banking industry. The first step to tackle APP is through education. Ensuring all customers have extensive knowledge on the “dos and don’ts” when it comes to digital and phone banking is of paramount importance. Email alerts reminding customers that their bank would never ask for certain information over the phone, as well as adverts raising awareness on the risks of letting another person access their computer, are but a few options that can be used to ensure customers are protected and well-informed.

It is also imperative for the bank to place protections throughout the customer journey by monitoring user behaviour and spotting anomalies that indicate fraud. Banks must be actively looking for indicators of social engineering and account takeover attacks at crucial customer touchpoints including login, setting up a new beneficiary, and making a payment. By assessing activity in the context of historical activity for that individual, key red flags can emerge to identify suspicious behaviour. Examples of this could be a payment from a desktop when the customer traditionally uses the mobile app, a longer time between login and payment than normal, or remote access tools being on the device for the first time.

Once the suspicious behaviour is identified, banks can choose between blocking the transaction or alerting the customer through other means to advise them that something is out of the ordinary. The art here is to strike the delicate balance between maximum protection against fraud – while avoiding blocking or questioning legitimate transactions, which can annoy customers and drain internal resources.

Avoid basing decisions on the typical banking customer but use advanced behavioural analytics to assess how that particular individual typically transacts. By using real-time intelligence on a user’s digital identity and their historical behaviour, banks can deliver security and customer satisfaction without compromise.
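As an added illustration (not code from the article or from ThreatMetrix), the sketch below scores one payment against that individual customer's own history using the three red flags named above, then chooses between allowing, alerting the customer and blocking. The event fields, flag names, weights and thresholds are assumptions, and the history is constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class PaymentEvent:
    channel: str               # "mobile" or "desktop"
    login_to_pay_s: float      # seconds between login and payment
    remote_access_tool: bool   # remote access software seen on the device
    new_beneficiary: bool      # payee was set up in this session


def red_flags(history, event):
    """Compare one event with this customer's own past payments."""
    if not history:
        return ["no-baseline"]
    flags = []
    # Flag a channel used in under 10% of this customer's past payments.
    share = sum(e.channel == event.channel for e in history) / len(history)
    if share < 0.10:
        flags.append("unusual-channel")
    # Robust outlier test: distance from the median in units of the median
    # absolute deviation (MAD), so one odd session does not skew the baseline.
    times = [e.login_to_pay_s for e in history]
    med = median(times)
    mad = median(abs(t - med) for t in times) or 1.0
    if (event.login_to_pay_s - med) / mad > 5:
        flags.append("slow-login-to-payment")
    if event.remote_access_tool and not any(e.remote_access_tool for e in history):
        flags.append("first-remote-access-tool")
    if event.new_beneficiary:
        flags.append("new-beneficiary")
    return flags


# Assumed weights: remote access appearing for the first time counts most.
WEIGHTS = {
    "no-baseline": 2,
    "unusual-channel": 1,
    "slow-login-to-payment": 1,
    "first-remote-access-tool": 3,
    "new-beneficiary": 1,
}


def decide(flags):
    """Map flags to an action: 'allow', 'alert' (contact customer) or 'block'."""
    score = sum(WEIGHTS[f] for f in flags)
    if score >= 4:
        return "block"
    if score >= 2:
        return "alert"
    return "allow"


# Constructed history: 20 mobile payments taking 40 to 69 seconds each.
HISTORY = [PaymentEvent("mobile", 40 + (i * 7) % 30, False, False) for i in range(20)]
NORMAL = PaymentEvent("mobile", 58, False, False)
DESKTOP_NEW_PAYEE = PaymentEvent("desktop", 60, False, True)
COACHED = PaymentEvent("desktop", 900, True, True)

if __name__ == "__main__":
    for label, ev in [("normal", NORMAL), ("desktop+new payee", DESKTOP_NEW_PAYEE),
                      ("coached", COACHED)]:
        f = red_flags(HISTORY, ev)
        print(f"{label}: {decide(f)} {f}")
```

Because every comparison is against the customer's own baseline, a desktop payment is only flagged for someone who normally uses the mobile app, which keeps legitimate transactions from being questioned unnecessarily.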

Banks implementing protocols like these can help ensure that customers are not placed in harm’s way and that cybercriminals are not entering into bank systems.

It is important to follow the latest fraud trends in order to keep ahead of the curve. There will always be new technologies and techniques that increase the threat posed by criminals. However, in the same way technology may sometimes play against us, it also provides us with a number of tools which help us undermine attackers and keep businesses and customers safe.
