Finance Monthly hears from Jay Floyd, Senior Principal Financial Crime Consultant at ACI Worldwide, on the threat faced by banks and countermeasures they can employ against it.

Fraudsters are natural opportunists and extremely innovative with their methods. Whether through authorised push payment (APP) fraud scams, phishing attacks or even targeting vulnerable people during the COVID-19 crisis, they will always find new ways to make money with no remorse.

This makes the task of protecting consumers and companies from fraudsters’ relentless activity an increasingly challenging one for banks, especially during a time of global crisis and uncertainty, with payment channels multiplying through Open Banking.

However, by thinking seriously about how they can embrace strategic anti-fraud technologies, and by engaging with Qualified Trust Service Providers (QTSPs) to ensure that their Open Banking platforms are secure, banks can protect their customers against fraudsters both today and tomorrow.

Fraud is constantly evolving and growing

A decade ago, deploying malware was the easiest and most common method of getting into someone’s account. But as banks have strengthened their technical defences, fraudsters have increasingly turned to social engineering. Whether via email or telephone, many criminal gangs now impersonate a victim’s bank or other authorities like the police, persuading the victim to hand over account authentication codes or even make fraudulent transactions themselves.

Taking this one step further, some fraudsters combine remote access trojans with social engineering, persuading victims to install remote-access software on their device so the fraudster can operate the account without needing to engage with the victim again. With such scams constantly evolving, it is increasingly difficult for banks to combat fraud.


The result is that instant payments fraud is growing at an alarming speed. Instant payments have revolutionised banking, but in an era of pandemics it is no exaggeration to say we are dealing with a payments fraud pandemic.

Recent figures from UK Finance add stark colour to this picture. Card fraud (both debit and credit) accounted for £288 million in the first half of 2020, an 8% decrease compared to the same period in 2019. However, cases of remote banking fraud and APP fraud both increased, by 59% and 15% respectively. Combined, £287.5 million was lost to remote banking and APP fraud in the first half of 2020, almost on par with card fraud. Despite industry initiatives such as Confirmation of Payee, remote banking and APP fraud are expected to overtake card fraud across Europe and the UK in the very near future. And this is worrying.

Engage with QTSPs to mitigate fraud

The rise in remote banking fraud may be further accentuated by the proliferation of open banking services. But although fraudsters will look to exploit weaknesses in Open Banking, this relatively new service should be embraced; its benefits cannot be overstated. In fact, recent OBIE data suggests 50% of UK small businesses now use open banking services to see their accounts in real time, forecast their cashflow and issue paperless invoices to clients. Banks do, however, need to think seriously about weaknesses and loopholes and how they protect customers from fraud in the coming months and years.

Fraudsters are already exploiting the vulnerabilities around open banking, especially when it comes to Account Information Service Providers (AISPs). Authorised to retrieve account data held by banks and financial institutions, AISPs are a critical piece of the open banking infrastructure jigsaw. However, it is believed criminals are starting to create fake AISPs, in some cases impersonating legitimate AISPs, to gain access to customers’ accounts and data.


To mitigate this risk, banks need to think seriously about how they engage with Qualified Trust Service Providers (QTSPs) to certify and validate AISPs and PISPs. QTSPs issue the digital certificates (eIDAS certificates) that identify AISPs and PISPs, and are themselves regulated under the eIDAS Regulation. But while they have been part of the Open Banking picture since 2019, QTSPs still remain largely invisible in the financial community. Banks must configure their anti-fraud technology to monitor AISP and PISP activities and also establish a process to validate eIDAS certificates against the QTSPs that issued them: checking that the certificate chains to a QTSP on the EU Trusted List, has not been revoked, and carries the PSD2 role (AISP or PISP) the caller claims, so that access to customers’ accounts is released only to the right parties. Not only will this help banks mitigate the risk of fraudulent AISPs and PISPs or man-in-the-middle attacks, it will also enable them to meet a range of other electronic security requirements.
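The role check in that last step, as an added worked example rather than code from the article or from ACI Worldwide: under ETSI TS 119 495, a PSD2 eIDAS certificate carries a QcStatement (OID 0.4.0.19495.2) listing the roles the national competent authority has granted the third-party provider (PSP_AS, PSP_PI, PSP_AI, PSP_IC). The JavaScript below builds a constructed sample of that extension, parses it, and refuses an API call whose endpoint needs a role the certificate does not carry. It assumes the certificate chain, revocation status and TLS binding have already been checked by the TLS stack, and the endpoint-to-role policy table is an assumption of the example.

```javascript
// Added example: enforce the PSD2 roles asserted in a TPP's eIDAS certificate
// before releasing Open Banking APIs. Illustrative code, not a vendor tool.
// Only the qcStatements extension value is handled here; chain, revocation and
// TLS binding are assumed to be checked elsewhere. Sample data is constructed.

// --- minimal DER encoder, used only to build the constructed sample ---------
function derLen(n) {
  if (n < 0x80) return Buffer.from([n]);
  const bytes = [];
  for (let v = n; v > 0; v >>= 8) bytes.unshift(v & 0xff);
  return Buffer.from([0x80 | bytes.length, ...bytes]);
}
function der(tag, content) { return Buffer.concat([Buffer.from([tag]), derLen(content.length), content]); }
function derOid(dotted) {
  const arcs = dotted.split('.').map(Number);
  const body = [40 * arcs[0] + arcs[1]];
  for (const arc of arcs.slice(2)) {
    const enc = [arc & 0x7f];
    for (let v = arc >> 7; v > 0; v >>= 7) enc.push(0x80 | (v & 0x7f));
    body.push(...enc.reverse());
  }
  return der(0x06, Buffer.from(body));
}
const derUtf8 = (s) => der(0x0c, Buffer.from(s, 'utf8'));
const derSeq = (...items) => der(0x30, Buffer.concat(items));

// --- minimal DER decoder ---------------------------------------------------
function readTlv(buf, pos) {
  const tag = buf[pos++];
  let len = buf[pos++];
  if (len & 0x80) {                       // long-form length
    const n = len & 0x7f;
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[pos++];
  }
  return { tag, value: buf.subarray(pos, pos + len), next: pos + len };
}
function seqItems(content) {
  const items = [];
  for (let pos = 0; pos < content.length;) { const t = readTlv(content, pos); items.push(t); pos = t.next; }
  return items;
}
function decodeOid(b) {
  const arcs = [Math.floor(b[0] / 40), b[0] % 40];
  let v = 0;
  for (const c of b.subarray(1)) { v = (v << 7) | (c & 0x7f); if (!(c & 0x80)) { arcs.push(v); v = 0; } }
  return arcs.join('.');
}

// ETSI TS 119 495 / ETSI EN 319 412-5 identifiers
const OID_QC_COMPLIANCE = '0.4.0.1862.1.1';
const OID_PSD2_QCSTATEMENT = '0.4.0.19495.2';
const PSD2_ROLES = {
  '0.4.0.19495.1.1': 'PSP_AS', '0.4.0.19495.1.2': 'PSP_PI',
  '0.4.0.19495.1.3': 'PSP_AI', '0.4.0.19495.1.4': 'PSP_IC',
};

// Build a qcStatements extension value (constructed sample; pass null for a
// certificate that is qualified but carries no PSD2 statement).
function buildQcStatements(psd2) {
  const stmts = [derSeq(derOid(OID_QC_COMPLIANCE))];
  if (psd2) {
    const roles = derSeq(...psd2.roles.map(([oid, name]) => derSeq(derOid(oid), derUtf8(name))));
    const info = derSeq(roles, derUtf8(psd2.ncaName), derUtf8(psd2.ncaId));
    stmts.push(derSeq(derOid(OID_PSD2_QCSTATEMENT), info));
  }
  return derSeq(...stmts);
}

// Extract { roles, ncaName, ncaId } from the PSD2 QcStatement, or null if absent.
// Malformed statements raise rather than being skipped, so a broken certificate
// cannot fall through the check.
function parsePsd2(qcStatementsDer) {
  const outer = readTlv(qcStatementsDer, 0);
  if (outer.tag !== 0x30) throw new Error('qcStatements is not a SEQUENCE');
  for (const stmt of seqItems(outer.value)) {
    const [id, info] = seqItems(stmt.value);
    if (id.tag !== 0x06 || decodeOid(id.value) !== OID_PSD2_QCSTATEMENT) continue;
    if (!info) throw new Error('PSD2 QcStatement without statementInfo');
    const [rolesSeq, ncaName, ncaId] = seqItems(info.value);
    const roles = new Set();
    for (const role of seqItems(rolesSeq.value)) {
      const oid = decodeOid(seqItems(role.value)[0].value);
      roles.add(PSD2_ROLES[oid] || oid);
    }
    return { roles, ncaName: ncaName.value.toString('utf8'), ncaId: ncaId.value.toString('utf8') };
  }
  return null;
}

// Policy (assumed for the example): each endpoint family needs a specific role.
const ENDPOINT_ROLE = { accounts: 'PSP_AI', payments: 'PSP_PI', 'funds-confirmation': 'PSP_IC' };

function authorise(qcStatementsDer, endpoint) {
  const need = ENDPOINT_ROLE[endpoint];
  if (!need) return { ok: false, reason: `unknown endpoint ${endpoint}` };
  const psd2 = parsePsd2(qcStatementsDer);
  if (!psd2) return { ok: false, reason: 'no PSD2 QcStatement: not a TPP certificate' };
  if (!psd2.roles.has(need)) return { ok: false, reason: `roles [${[...psd2.roles].join(', ')}] lack ${need}` };
  return { ok: true, reason: `${need} authorised by ${psd2.ncaId} (${psd2.ncaName})` };
}
```

A certificate carrying only PSP_PI presented to the accounts endpoint fails with "roles [PSP_PI] lack PSP_AI", and a qualified certificate with no PSD2 statement at all is rejected outright. The NCA name and identifier that come back with a successful check are what an anti-fraud system should log alongside the request, since they tie the API call to the authority that vouched for the caller.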

Real-time payments bring a sense of urgency for both the fraudster and the bank’s customer. And while instant payments and open banking have undoubtedly brought countless benefits, the rising levels of fraud are a real cause for concern. Fraudsters will always find new ways to make money illegally. But by ensuring they have the right fraud technology, and aligning that technology to integrate with Open Banking messages and with QTSPs, banks can put themselves in the best position to detect fraudulent AISPs and PISPs and prevent as much fraud as possible.

A number of the world’s biggest private equity firms, including Silver Lake Partners LP, Thoma Bravo LP and Blackstone Group Inc, have seen their stakes in software firms greatly devalued following a wide-reaching hack on software provider SolarWinds Corp.

SolarWinds stock has slid 20.8% from last week’s close after the company reported on Sunday that suspected Russian hackers had inserted malicious code into updates of its network-monitoring software, allowing the operatives to access customers’ sensitive systems undetected.

The “Sunburst” operation, remarkable for its size and sophistication, constitutes the biggest cyberattack against the US government in more than five years. Around 300,000 companies and agencies use systems provided by SolarWinds, with around 18,000 believed to have used compromised versions of its software since the attack began in March.

SolarWinds’ customers include most US Fortune 500 companies, all of the top 10 US telecom providers, the US military and various other government branches. The UK government and the NHS are also listed among the company’s clients.

Silver Lake holds a stake of nearly 40% in SolarWinds. Following the plunge in the value of its shares, this stake is now worth $2.3 billion, and Thoma Bravo’s 33% stake is now worth $1.9 billion.

Blackstone’s $400 million November investment in cybersecurity firm FireEye Inc also suffered from the hack, as the company’s shares fell 11% after hackers stole a collection of red-team tools used to test clients’ cyber defences. FireEye, which has contracts across the US national security sector and with its allies, uncovered the SolarWinds breach while investigating this theft.


Regulatory filings showed that, following the theft of its tools, FireEye amended its deal with Blackstone and co-investor ClearSky to make it more favourable to the private equity companies. The firm opted to convert the FireEye-preferred shares that the investors stood to receive to common stock at $17.25 rather than the initially agreed $18.

FireEye shares traded at around $13.58 on Tuesday afternoon.

Rob May, Managing Director and founder of ramsac, looks at some emerging trends in cybercrime and how firms can best defend themselves.

Security for financial clients has had to adapt to many forms in the last decade. The most recent, and urgent, line of defence has come in response to the unexpected, novel threat of a global pandemic. But as more clients move their operations onto digital platforms, that risk grows and becomes ever more complicated. Remote operations, for example, open a place of business to both insider attacks and outside ones.

While the financial services industry has always been one of the most-breached sectors (accounting for 35% of all data breaches), cyberattacks have become even more widespread and sophisticated during the global pandemic. This is, arguably, because operations have had to move their business online quickly, and new digital models bring new weak spots.

With more financial companies seeking to create new digital customer experiences, investing in a wealth of technology innovations, and working remotely, this could result in a new wave of extreme cyberattack scenarios leaving companies vulnerable to serious data breaches or worse.

To gain deeper insights and help guide financial companies in their decision-making when it comes to cybersecurity, we’ve rounded-up the emerging cyber threats, how they could evolve in the future, and solutions to address them during these challenging times.

Be Watchful of Malware

Cyber-risk management should be watchful and vigilant of the most common cyber-risks. Malware will breach systems and ransom, corrupt, or steal data. Common as it is, the way these attacks are delivered is growing more organised: in 2019 more than 20 local government bodies in Texas were hit by ransomware simultaneously through a shared service provider, effectively a multiparty attack reaching across jurisdictional boundaries and the first cybercrime event of its kind.


The solution, a suitable line of cyber-defence, would include early planning and preventive measures for multiparty attacks and disruptive threats. Oftentimes awareness is a helpful starting point. But defence and security measures alike need to anticipate more complicated, organized cybercrime as it becomes increasingly sophisticated.

For those in finance, a defence plan could include trial simulations to measure internal response times and mock scenarios to help security teams shape their reactions to real future attacks. Likewise, building cross-sector peers and contacts can be helpful in organising a defence to a larger cyber-risk.

Misinformation Can Deceive

Misinformation has been one of the largest threats throughout COVID-19 and has prompted a shared, collective attempt to stem the flow of misinformation online. Bodies such as Nasdaq have predicted a possible spike in market manipulation on the heels of COVID-19, where attention is split between a global pandemic response and economic recovery.

Misinformation can dress up what looks like harmless advice on stock investments while actually driving malicious activity. These disruptive campaigns prey on market volatility and flagging economic confidence; in the past they have used fraudulent claims as sleight of hand to inflate stock values before selling, the classic pump-and-dump.

A reasoned solution to this issue would require financial firms to apply extra due diligence and caution when navigating the market and instructing their clients on financial manoeuvres. As surface information could be corrupted, extra research and investigation can steer financial decisions away from foul play.

Data Manipulations Are Disruptive

Traditionally, data was stolen or destroyed. That was harmful enough, but since the latter half of 2019 the next stage of cybercrime has moved onto data manipulation: altering records in place, or encrypting them, rather than simply taking them. This has led to increased scrutiny of cloud security, which has its own known weaknesses.


Before onboarding new digital solutions for your business, ensure they can be integrated securely with what you already run. New technologies can be helpful in expanding a business’s productivity, but they should be approached cautiously.

There is a range of emergent threats that result from these cyber-risks. The best solution is to prepare for cybercrime by having a prepared line of defence and the right security tools. The boom in digital businesses, and in those migrating online, creates a greater urgency than ever to prepare security to handle a new universe of threats.

Bitglass recently released its 2019 Financial Breach Report: The Financial Matrix.

This year’s study found that only 6% of all breaches in 2019 were suffered by financial services firms. However, these breaches compromised significantly more records than those that occurred in other industries.

In total, more than 60% of all leaked records in 2019 were exposed by financial services organisations. This is at least partially due to the Capital One mega breach, which compromised more than 100 million records. Despite this outlier, average breaches in financial services companies still tend to be larger and more detrimental than other sectors’ breaches. Fortunately, they do occur less often.

“Given that organisations in the financial services industry are entrusted with highly valuable, personally identifiable information (PII), they represent an attractive target for cybercriminals,” said Anurag Kahol, CTO of Bitglass. “Hacking and malware are leading the charge against financial services and the costs associated with breaches are growing. Financial services organisations must get a handle on data breaches and adopt a proactive security strategy if they are to properly protect data from an evolving variety of threats.”

Hacking and Malware remain the primary cause of data breaches in financial services at 74.5% (up slightly from 73.5% in 2018). Insider Threats grew from 2.9% in 2018 to 5.5% today, while Accidental Disclosures increased from 14.7% to 18.2%.

The cost per average breached record in financial services ($210) has increased over the last few years and exceeds the per-breached-record cost of all other industries except healthcare ($429).

For mega breaches, which affect approximately 100M or more individuals, the cost per breached record in financial services is now $388 – up from $350 in 2018.

Many financial services organisations are still not taking proper steps to secure data in our modern cloud and BYOD environment. Consequently, they are suffering from recurring breaches. For example, Capital One and Discover each experienced their fourth significant data breach in 2019.

The top three breaches of financial services firms in 2019 were suffered by Capital One Financial Corporation (106 million individuals), Centerstone Insurance and Financial Services (111,589), and Nassau Educators Federal Credit Union (86,773).

However, not all crime is conducted directly online. Some people are tricked into giving away details over the phone or are told to use their banking app to transfer money into a so-called safe account that the fraudster controls. This multi-channel approach means that at every touchpoint an organization must be aware that its customers could be at risk, and it needs systems and processes in place to mitigate cybercrime.

According to a report by McAfee, Europe is one of the worst affected regions in the world, with the statistics suggesting cybercrime costs the equivalent of 0.84% of Europe's GDP. Looking at the UK specifically, the cost of cybercrime to the UK economy is estimated at £27bn, and it is growing.

GDPR and Customer Data Breaches

One of the latest and most high-profile risks to come to people's attention over the past 18 months is customer data breaches. Customers are increasingly aware that organizations hold a lot of their personal data and they want to be sure that it is safe. The General Data Protection Regulation (GDPR) was brought in to ensure that organizations act responsibly when processing and storing customer data.

The financial impact of not following these rules, or of not having the correct systems in place, has been significant. British Airways was one of the first companies to fall foul of the regulation: the personal data of around 500,000 customers was stolen in a breach that began just months after GDPR came into force, and the ICO announced its intention to fine the airline £183m (a penalty later reduced to £20m).

The Financial Fallout of Cyber Crime

Before any cyber-crime has taken place, there is a significant cost to businesses that need to purchase software, implement new processes and training, and even employ new cybersecurity teams to deal with threats. For global organizations, there may also be a need to hire consultants to advise on what they need to do to keep themselves and their customers safe.

One of the consequences of cybercrime that will affect every business is the direct costs. This could be money lost by the business or by consumers. It could also be the loss of reputation to a brand. If a bank suffers a cyberattack and customers lose money, they are likely to lose confidence, which can have a huge knock-on impact on business performance and profits.

Following an attack, there may also be payments to make. On top of the money lost in the attack itself, a business may also need to pay out compensation, fines and legal costs. Depending on the type and severity of the attack and the data that was lost, this can amount to millions of pounds, as the British Airways case demonstrates.

Refinitiv, one of the world’s largest providers of financial markets data and infrastructure, has published its second annual financial crime report today. Innovation and the fight against financial crime: How data and technology can turn the tide highlights that almost three-quarters (72%) of organisations have been victims of financial crime over the past 12 months with a lax approach to due diligence checks when onboarding new customers, suppliers and partners cited as creating an environment in which criminal activity can thrive. This wake-up call has led to 59% of companies adopting new technologies to plug compliance gaps.

In its 2018 report, Refinitiv outlined that $1.45 trillion of aggregate turnover is lost as a result of financial crime. This year’s report shows that the cost could indeed be much greater. Only 62% of the 3,000 compliance managers Refinitiv surveyed across 24 geographies claimed that financial crimes were reported internally, and just 60% said that they were reported to the relevant external organization.

Over the next year, companies intend to spend on average 51% more to tackle the problem. The increased investment emphasises the priority placed on fighting financial crime in 2019 and reflects the pressure respondents are under to be more innovative in reducing both risk and costs.

According to the report, an overwhelming majority of respondents (97%) believe that technology can significantly help with financial crime prevention, with cloud-based data and technology the top choice, followed by AI and machine learning tools. Technology-driven solutions such as artificial intelligence and machine learning are already allowing businesses to screen millions of customer and third-party relationships more quickly and efficiently.

Phil Cotter, Managing Director of the Risk business at Refinitiv, said the results showed that businesses need to do more to invest in technology to address the problem: “It is clear from the results of this report that businesses exposed to financial crime threats need to maximize their use of technology and future collaboration could prove key to realising the potential of innovation, particularly between tech companies, governments and financial institutions.

“Significant advancements in technology, facilitated by innovations such as AI, ML and cloud computing, are already under way. These technologies are enabling intelligence to be gathered from vast and often disparate data sets which together with rapid advances in data science, are transforming the approach to compliance, streamlining processes such as Know Your Customer (KYC) and helping to uncover previously hidden patterns and networks of potential financial crime activity.”

While the report focuses on the many emerging technologies coming on stream in the fight against financial crime, it also urges organisations not to overlook another vital form of innovation: collaboration. Just over eight in 10 (81%) respondents said that there is some sort of existing partnership or taskforce in their country to combat financial crime, and 86% believe that the benefits of sharing information within such a partnership outweigh any possible risks.

In 2018, Refinitiv partnered with the World Economic Forum and Europol to form a global Coalition to Fight Financial Crime. The Coalition is working with law enforcement agencies, advocacy groups, and NGOs to address the societal costs and risks that financial crime poses to the integrity of the global financial system.

While the sheer number of credentials exposed in these leaks is astounding, it is not surprising, as it only adds to the billion-plus passwords we already knew were floating around on the dark web. Below, Andrew Shikiar, chief marketing officer of the FIDO Alliance, explains why the classic password is on the way out.

What is surprising is the continued reliance on traditional username/password authentication, despite knowing it is easily breached and susceptible to compromise via credential stuffing attacks.

The problem of authentication has risen to the forefront in recent years as the vast majority of publicised high-profile data breaches have been traced back to weak and shared credentials: usually a username and password combination stored in central databases that attackers can infiltrate. Even among IT professionals, who should lead the way when it comes to secure authentication, 69% share passwords with colleagues, and over half reuse an average of five passwords across business and personal accounts, according to a recent survey. With nearly 50% of shopping cart abandonment being due to password issues (per a Visa study) and a large proportion of costly IT support calls within enterprises related to passwords, weak authentication is also becoming an economic burden for many businesses.

The good news is that the tide is turning. Rather than encouraging users to change all of their online passwords – which more often than not results in easy-to-remember passwords being recycled across different accounts – website and app developers can now look to new web standards from FIDO Alliance and W3C for strong authentication that will enhance security while improving the user experience.  As service providers start to turn on these capabilities, we’ll begin to see an accelerating shift away from passwords – which in time will consign credential leaks such as Collection #1-5 to history.

Mobile devices, PCs and web browsers now ship with the capabilities for strong authentication, combining cryptographic protection of user authentication credentials, which cannot be phished and in fact need never leave the user’s device, with a low-friction user experience. By building applications and websites that support the new web standards for strong cryptographic authentication (FIDO2 and W3C WebAuthn), developers can leverage authentication mechanisms that are literally already in their users’ hands, from fingerprint, iris, face or voice recognition in PCs and mobile devices to portable hardware security keys, to improve security for their businesses and their users.

As 2019 progresses we are surely going to see biometrics and other embedded authentication sources continue to contribute to an enhanced customer experience. The new version of 3D Secure, for example, will be optimised for mobile devices and enable the implementation of secure biometric user verification. Biometrics are likely to impact the financial services industry as well, given their potential to meet organisational and consumer demand for transaction convenience while ensuring compliance with regulations such as the Second Payment Services Directive (PSD2).

While this development is welcome, the industry needs to continue to commit to creating and implementing technical standards and established best practices, which can also inform emerging government regulation around this technology. Organisations may not be able to eliminate all passwords immediately, but 2019 should be the year that dependency on them begins to decline, as companies look to improve processes and aim to eliminate the burden of managing them, setting the stage for broader enablement of password-free online experiences as we head into the next decade.

Jumping straight into the top predictions for the security industry in 2019, below Reuven Harrison, CTO at Tufin, provides his thoughts on hacking, cybersecurity, and new technologies this year.

1. The changing face of the firewall

In 2019, we will see new cloud solutions providing security for public cloud coming from the traditional firewall vendors, following up on recent acquisitions of public cloud security companies. This trend is twofold. First, it is a response to the increasing shift of enterprises towards the cloud and their need for security in these environments. Second, the firewall vendors are also realizing the potential of the cloud as a superior platform for software development and big-data analytics.

In 2019, we’ll see the ongoing evolution of next-gen firewalls as they continue to absorb the functionalities of traditional network security solutions, including capabilities such as URL filtering and other advanced security capabilities.

2. Data Breaches - Don’t speak too soon…or at all

We will see an increase in breaches that use virtual assistants for privilege escalation or distribution of sensitive information. These attacks will manipulate people into inadvertently giving voice commands or playing audio on their computer, prompting a sequence of events that leaks information on company performance or gathers network information to ease a further attack.

3. Kubernetes will become the new data centre operating system

The main factor behind the success of Kubernetes is how it simplifies and speeds up software development and deployment. For example, it enables "immutable infrastructure" which means that instead of deploying incremental changes to update your applications, you create a new version for every change – whether it’s in the application code or in the infrastructure. This concept brings tremendous benefits to the way we develop, deploy and operate applications (and how we secure them).

Another advantage of the microservices architecture is its ability to parallelise development. By decoupling application functions using microservices, large complex development projects can be broken up into smaller, independent teams, speeding up overall development.

In all respects, Kubernetes is driving an IT revolution.

4. The new year brings nothing new

2019 will be the Year of Lessons Not Learned: we’ll see the same security issues recur alongside the maturing of technologies that already exist.

In 2018, many organisations undertook their first steps to container security – which translated to vulnerability scanning – getting more data and false positives than they know what to do with and rendering security as a checkbox process. Vulnerable containers will still exist and remain accessible, and organisations can’t take action because they’re inundated with so much data.

Regarding security in the cloud, history is likely to repeat itself, and as the move to the cloud continues we’ll inevitably see organisations spin up openly accessible servers and data in the cloud. This risk cannot be remediated with traditional security processes, which are incompatible with DevOps CI/CD processes; the check has to live in the pipeline.
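One way to catch the openly accessible data described above inside the CI/CD process rather than after the fact, as an added example that is not from the article or from Tufin: a pre-deployment check that flags storage-bucket policy statements granting Allow to a wildcard principal without a condition that narrows the source. The three policy documents are constructed samples in the AWS IAM policy grammar (bucket name, account ID and endpoint ID are placeholders), and the rule set is deliberately minimal: it does not model Deny statements, NotPrincipal, ACLs or account-level public-access blocks, so a clean result here is a necessary rather than sufficient check.

```javascript
// Added example: flag bucket-policy statements that make data public, as a
// CI gate. Illustrative code with constructed sample policies; not a vendor tool.

// "Anyone" principals in the IAM policy grammar.
function principalIsPublic(principal) {
  if (principal === '*') return true;
  if (principal && typeof principal === 'object') {
    const aws = principal.AWS;
    return aws === '*' || (Array.isArray(aws) && aws.includes('*'));
  }
  return false;
}

// A condition that pins the caller's network or organisation turns "*" into "some".
const NARROWING_KEYS = /^aws:(SourceVpc|SourceVpce|SourceIp|PrincipalOrgID)$/i;
function hasNarrowingCondition(statement) {
  const cond = statement.Condition || {};
  return Object.values(cond).some((block) => Object.keys(block).some((k) => NARROWING_KEYS.test(k)));
}

// Return the statements that grant public access (Sid and actions, for the report).
function findPublicStatements(policy) {
  const stmts = Array.isArray(policy.Statement) ? policy.Statement : [policy.Statement];
  return stmts
    .filter((s) => s.Effect === 'Allow' && principalIsPublic(s.Principal) && !hasNarrowingCondition(s))
    .map((s) => ({ sid: s.Sid || '(no Sid)', actions: [].concat(s.Action) }));
}

// Constructed sample policies. Bucket, account and VPC endpoint IDs are placeholders.
const SAMPLE_POLICIES = {
  publicRead: {
    Version: '2012-10-17',
    Statement: [{ Sid: 'PublicRead', Effect: 'Allow', Principal: '*',
      Action: 's3:GetObject', Resource: 'arn:aws:s3:::example-statements/*' }],
  },
  vpcOnly: {
    Version: '2012-10-17',
    Statement: [{ Sid: 'VpcRead', Effect: 'Allow', Principal: '*',
      Action: ['s3:GetObject', 's3:ListBucket'],
      Resource: ['arn:aws:s3:::example-statements', 'arn:aws:s3:::example-statements/*'],
      Condition: { StringEquals: { 'aws:SourceVpce': 'vpce-0123456789abcdef0' } } }],
  },
  privateRole: {
    Version: '2012-10-17',
    Statement: { Sid: 'ReportingRole', Effect: 'Allow',
      Principal: { AWS: 'arn:aws:iam::123456789012:role/reporting' },
      Action: 's3:GetObject', Resource: 'arn:aws:s3:::example-statements/*' },
  },
};

// Audit every sample; a CI job would fail the build if any list is non-empty.
function auditAll(policies = SAMPLE_POLICIES) {
  return Object.fromEntries(Object.entries(policies).map(([name, p]) => [name, findPublicStatements(p)]));
}

function ciGate(policies = SAMPLE_POLICIES) {
  const findings = auditAll(policies);
  const offenders = Object.entries(findings).filter(([, f]) => f.length > 0).map(([name]) => name);
  return { pass: offenders.length === 0, offenders };
}
```

Run against the samples, only publicRead is reported: the VPC-endpoint-restricted statement and the role-scoped one pass. The same function run over policies pulled from source control before an apply step is the CI-compatible replacement for the periodic audit the text says no longer fits.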

5. “Automation first” must happen

In 2019, we’ll see more emphasis on security in cloud-native organisations. Many are talking about it; this will be the year that they take action.

To do this, there will be an emphasis on automation. There’s no way that DevOps teams can get security into their environments without automation. To secure cloud-native environments, you must approach it from an automation-first perspective.

6. Hacking the hacker

In 2019, we’ll see cyber turf wars in which hacking groups attack each other to reap the bounty of their adversaries’ resources. Previously established botnets mining cryptocurrency will be targeted over companies with financial data as the ease of exchange and redemption of this decentralised currency is much more readily accomplished.

7. A look back at 2018

Last year, we predicted that automation will reach the tipping point. This came true in the sense that organisations now understand they must adopt automation. What has slowed the process of full adoption is the cultural challenges. In 2019, we’ll see an acceleration of automation across the industry.

In the last few years we have seen the frequency and severity of third-party cyberattacks against global financial institutions continue to increase. According to Tom Turner, CEO at BitSight, there is a growing need for more effective risk management in financial services firms.

One of the biggest reported attacks against financial organisations occurred in early 2016, when $81 million was taken from accounts at Bangladesh Bank. Unknown hackers used SWIFT credentials of Bangladesh Central Bank employees to send more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of New York asking the bank to transfer millions of the Bangladesh Bank's funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia. The Bangladesh Bank managed to halt $850 million in other transactions, and a typo made by the hackers raised suspicions that prevented them from stealing the full $1 billion they were after.

Landscape

The Financial Conduct Authority (FCA) had 69 attacks reported to it in 2017 compared to 38 in 2016, a rise of more than 80% in a year. We saw two main trends last year. First, there was a continuation of cyberattacks targeting systems running SWIFT, a fundamental part of the world’s financial ecosystem. Because SWIFT software is standardised and used by almost all the major players in the financial market, attackers who got inside a bank’s network were able to use malware to manipulate the applications responsible for cross-border transactions and send fraudulent transfers from the organisations they had compromised. Victims of these attacks included several banks in more than 10 countries. Second, the range of financial organisations that cybercriminals have been trying to penetrate expanded significantly: different groups attacked bank infrastructure, e-money systems, cryptocurrency exchanges and capital management funds, with the main goal of withdrawing very large sums of money.

With the evolving risk landscape and the challenges of new potential risks including third party risks, companies within financial services need a set of management procedures and a framework for identifying, assessing and mitigating the risks these challenges present. Effective risk management offers sound judgement in making decisions about what is the appropriate resource allocation to minimise and mitigate risk exposure.

Risk management lifecycle

The basic principle of a risk management lifecycle is to mitigate risk, transfer risk and accept/monitor risk. This involves identification, assessment, treatment, monitoring and reporting.

In order to mitigate risk, an organisation must measure cyber risk performance and incentivise critical third-party vendors to address security issues through vendor collaboration.

In terms of identification, you can’t manage your risks if you don’t know what they are, or if they exist. The first step is to uncover the risks and define them in a detailed, structured format. You need to identify the potential events that would most influence your ability to achieve your objectives, then define them and assign ownership.

Once the risks are identified they need to be examined in terms of likelihood and impact, also known as assessment. It is important to assess the probability of a risk, and its consequences. This will help identify which risks are priorities and require the most attention. You need to have some way of comparing risks relative to each other and deciding which are acceptable and which require further management. In this way you establish your organisation’s risk appetite.

To transfer risk, an organisation is advised to influence vendors to purchase cyber insurance to transfer risk in the event of a cyber event.

Once the risk has been assessed, an approach for treatment of each risk must now be defined. After assessment, some risks may require no action, to only be continuously monitored, but those that are seen as not acceptable will require an action or mitigation plan to prevent, reduce, or transfer that risk.

To accept and monitor risk, the organisation must understand potential security gaps and may need to accept certain risks due to business drivers or resource scarcity.

Once the risk is identified, assessed and a treatment process defined, it must be continuously monitored. Risk is evolutionary and can always change. The review process is essential for proactive risk management.

Reporting at each stage is a core part of driving decision-making in effective risk management. Therefore, the reporting framework should be defined at an early point in the risk management process, by focusing on report content, format and frequency of production.

Managing with risk transfer

Risk transfer is a strategy that enterprises are considering more and more. It mitigates potential risks and complies with cyber security standards. As cybercrime rises, an insurer’s view of cybersecurity has changed from being a pure IT risk to one that requires board-level attention. Insurance is now viewed as fundamental in offsetting the effects of a cyberattack on a financial institution. However, insurers will want to know that appropriate and audited measures are in place to prevent an attack in the first place and respond correctly when cybersecurity does fail. An organisation’s risk management responsibility now extends down the supply chain and insurers will want to know the organisation’s strategies to monitor and mitigate third party vendor risk.

Simplifying risk management and the transfer of risk can also be accomplished by measuring your organisation’s security rating. This is a similar approach to credit ratings for calculating risk. Ratings provide insight into the security posture of third parties as well as your own organisation. The measurement of ratings offers cost saving, transparency, validation and governance to organisations willing to undertake this model.

The benefits of security ratings will be as critical as credit ratings and other factors considered in business partnership decisions in the very near future. The ratings model within risk management can help organisations collaborate and have productive data-driven conversations with regards to risk and security, where they may not have been able to previously.

Long term potential

This year we will see a continuation of third-party cyberattacks targeting systems running SWIFT, allowing attackers to use malware in financial institutions to manipulate applications responsible for cross-border transactions across the world. Banks generally have more robust cyber defences than other sectors, because of the sensitive nature of their industry and to meet regulatory requirements. However, once breached, financial services organisations’ greatest fear is copycat attacks. This is where an effective risk management strategy can enable better cost management and risk visibility related to business operational activities. This leads to better management of marketplace, competitive and economic conditions, and increases leverage and consolidation of different risk management functions.

You’ve seen a lot of content, articles, warnings and advice on cybersecurity, with hundreds of firms trying to sell you next-level cyber protection. So, before you do anything else, you need to know exactly what it is you’re protecting yourself against. Below Suid Adeyanju, Managing Director of RiverSafe, lists 10 threats you need to be aware of.

In early July IBM Security and the Ponemon Institute released a new report titled ‘Cost of a Data Breach Study’. In this study it was reported that the global average cost of a data breach and the average cost for lost or stolen information both increased. The former is up 6.4% to £2.94 million while the latter increased by 4.8% year over year to $112.57. This shows that cyberattacks on enterprises continue to rise. In particular, over the last two years there has been a continual stream of concerning data security breaches.

One of the ways that organisations can defend against attacks is to ensure staff understand and are educated about the cyber threat landscape.

Understanding Threats to your Business

Getting the right technology, services, and security professionals is only a part of tackling the cyber security problem. It is also important that companies get a clear understanding of the cyber threat landscape. This means knowing where these types of attacks can come from and in turn, who is leading the attack (whether it be an individual or group). Often, knowing the answer to these types of questions leads to an understanding of the motive and makes countering the attacks easier. So, in this article, I wanted to highlight the areas of the cyber threat landscape that enterprises should be aware of.

  1. Nation State: This kind of hacking is often government versus government. It is often functionally indistinguishable from cyber terrorism, but the defining trait is that the attack is officially sanctioned by a country’s government. These attacks can involve not only hacking but the use of more traditional spying as well.
  2. Insider Threat: This is one area where many businesses least expect a threat to come from: inside the business itself. A report from A10 Networks revealed that employee negligence is a major cause of cyber attacks, with employees unknowingly allowing hackers into the business through unauthorised apps. And, on the very rare occasion, a disgruntled employee could try and bring the business down in revenge, so it is always important to investigate who could have access because there is every chance that the threat could come from the inside.
  3. Individual Attackers: When you think of the stereotypical hacker most thoughts turn to a hooded youth sitting alone in their room. This is the individual attacker and their motives are often more one of curiosity and learning. They want to see if they can hack a system rather than attempt anything malicious. This is the most neutral cyber threat.
  4. Industrial Espionage: Sometimes an unrelated group and other times a rival business, cyber threats that deal with industrial espionage have the motive of creating problems for your business. The most common reason for industrial espionage is to discover the secrets of a rival business, often through spying. However, it could also involve destroying valuable data or, with some IoT devices, physically breaking the technology. Anything that can push a business over a competitor.
  5. Cybercriminals: Much like the individual attackers, cybercriminals are an all-encompassing cyber threat. Almost all hackers are criminals in some way and the motives can vary from demanding money, to setting up crypto-mining, to damaging company property. Whatever they do it won’t be a good thing.
  6. Phishing and Ransomware: These are some of the most common types of attacks you’ll find cyber criminals performing. These attacks are motivated purely by financials and exist to either scam a business out of money or hold valuable company data to ransom. Sometimes this can be a distraction to hide something more nefarious. Therefore, organisations need to make sure they are prepared for any escalation.
  7. Ethical Hackers: An ethical hacker is the opposite of a cybercriminal, as the term ‘ethical’ implies. These types of threats are often undertaken for the sake of a company, and often have been paid for by the business to see if it can hack into its own servers. These hackers test the security resilience of a business and locate areas that are vulnerable, before an ‘unethical’ hacker comes along.
  8. Hacktivists: A hacktivist is a sub-set of cybercriminals whose motives are more ideological. As the name references, a hacktivist is essentially a cyber activist. They are using hacking purely to push an agenda, whether political, religious, or otherwise, rather than a financial motive. A hacktivist attack can be something as simple as changing the text on a company website to a more nefarious act that interferes with the day to day running of the business.
  9. Cyber Terrorism: While hacktivists don’t always cause damage, a cyber-terrorist will. Just like real terrorism, cyber terrorism exists to bring terror to your business, country and customers. Examples include the attacks on the NHS last year which aimed to bring systems down in hospitals and cause chaos and fear.

Understanding all the different types of attacks in the cyber threat landscape helps you build your cyber defence: by identifying a motive you can trace what kind of opponent your business is facing, and whether this is an attack aimed primarily at an individual, an organisation, or a national-level threat where the solution would be to work with other companies to stop the attack as a team.

Rising fears of cybercrime are prompting financial services firms to increase their spend on security, according to new research from Lloyds Bank Commercial Banking, which canvassed the views of the world’s largest financial institutions.

The research found that six out of seven (85%) financial services firms have spent more on tackling cyber risks in the past 12 months, with one in seven (14%) having significantly increased their spend.

Over the same period, almost nine in 10 (87%) have become more concerned about cyber-risks, with nearly a quarter (23%) becoming significantly more concerned.

Priorities and risks

When asked about what they wanted to achieve from their technology investment in the coming year, one in seven (14%) financial firms cited improved cyber-security as their top priority. It was the third highest priority area flagged behind reducing operating costs (17%) and revenue growth (26%).

The picture was similar when firms were asked about risks to their UK operations for 2018. Respondents said cyber security was one of the most significant risks, alongside increased market competition and geopolitical uncertainty, but behind macro factors such as the effects of Brexit and economic uncertainty.

Robina Barker Bennett, Managing Director, Head of Financial Institutions, Lloyds Bank Commercial Banking, said: “The pace of technological advancement continues to offer tremendous opportunities to financial institutions, but this has been mirrored by the rising threat of attacks from increasingly sophisticated cyber criminals. As a Group, we work closely with businesses across the UK to help build their digital skills, so it’s encouraging to see the UK’s financial sector is alive to the issue and responding with increased investment.”

Preparing for the worst

Despite firms prioritising investment in new technology to safeguard against cybercrime for the year ahead, one in 10 (10%) are still not insured against a cyber-attack.

A similar number (9%) said they have taken no steps to arrange contingency funding, and 7% have made no contingency arrangements with banking providers, such as to guarantee payments, for example.

However, almost all (95%) firms questioned did say they were confident their finance and treasury functions were suitably prepared to recover from an attack, with one in five (20%) saying they were very confident.

Robina Barker Bennett added: “While reassuring overall, there are still a small minority of organisations that aren’t mitigating risk with insurance or contingency measures.

“The financial and reputational impact of a successful cyber-attack is becoming more severe. Investment in proactive, preventative cyber security measures should go hand-in-hand with robust planning for the worst-case scenario.”

(Source: Lloyds Bank Commercial Banking)

A recent survey shows 64% of organisations have deployed some level of IoT technology, and another 20% plan to do so within the next 12 months. This is an astonishing fact when you consider the lack of basic security on these devices, or any established security standards. Many companies are turning a blind eye to security issues, swayed by the potential benefits that IoT can bring. Here Ian Kilpatrick, EVP Cyber Security at the Nuvias Group, provides 10 key facts on IoT.

1. IoT - a cybercriminal’s dream

Any device or sensor with an IP address connected to a corporate network is an entry point for hackers and other cybercriminals – like leaving your front door wide open for thieves.

Managing endpoints is already a challenge, but the IoT will usher in a raft of new network-connected devices that threaten to overwhelm the IT department charged with securing them – a thankless task considering the lack of basic safeguards in place on the devices.

Of particular concern is that many IoT devices are not designed to be secured or updated after deployment. Any vulnerabilities discovered post deployment cannot be protected against in the device; and corrupted devices cannot be cleansed.

2. IT or OT

IT professionals are more used to securing PCs, laptops and other devices, but they will now be expected to become experts in areas such as smart lighting, heating and air conditioning systems, security cameras and integrated facilities management systems.

A lack of experience in this Operating Technology (OT) is a cause for concern. It is seen as operational rather than strategic, so deployment and management is often shifted well away from Board awareness and oversight.

Nevertheless, the majority of organisations are deploying IoT technology with minimal regard to the risk profile or the tactical requirements needed to secure them against unforeseen consequences.

3. Increase in DDoS attacks

DDoS (Distributed Denial of Service) attacks are on the rise, with 41% of UK organisations saying they have experienced one.

IoT devices are a perfect vehicle for criminals to access a company’s network. 2016’s high-profile Mirai attack used IoT devices to mount wide-scale DDoS attacks that disrupted internet service for more than 900,000 Deutsche Telekom customers in Germany, and infected almost 2,400 TalkTalk routers in the UK.

4. ... and ransomware attacks

There has been an almost 2000% jump in ransomware detections since 2015. In 2017, WannaCry targeted more than 200,000 computers across 150 countries, with damages ranging from hundreds to billions of dollars.

While most ransomware attacks currently infiltrate an organisation via email, IoT presents a new delivery system for both mass and targeted attacks.

5. Increasing intensity and sophistication of attacks

The sophistication of attacks targeting organisations is accelerating at an unprecedented rate, with criminals leveraging the disruptive opportunities the IoT brings.

According to Fortinet’s latest Quarterly Threat Landscape report, three of the top twenty attacks identified in Q4 2017 were IoT botnets. But unlike previous attacks, which focused on a single vulnerability, new IoT botnets such as Reaper and Hajime target multiple vulnerabilities simultaneously, which is much harder to combat.

Wi-Fi cameras were targeted by criminals, with more than four times the number of exploit attempts detected over Q3 2017.

6. The effects of an attack

The aftermath of a cyberattack can be devastating for any company, leading to huge financial losses, compounded by regulatory fines for data breaches, and plummeting market share or job losses. At best, a company could suffer irreparable reputational damage and loss of customer loyalty.

On top of that, IoT devices have the potential to create organisational and infrastructure risks, and even pose a threat to human life, if attacked. We have already seen the impact of nation-state attack tools being used as nation state weapons, then getting out and being used in commercial criminal activity.

7. Profit over security

It’s crazy to think that devices with the potential to enable so much damage to homes, businesses and even entire cities often lack basic security design, implementation and testing. In the main this is because device manufacturers are pushing through their products to get them to market as quickly as possible, to cash in on the current buzz around IoT.

Lawrence Munro, vice president SpiderLabs at Trustwave agrees IoT manufacturers are sidestepping security fundamentals: “We are seeing lack of familiarity with secure coding concepts resulting in vulnerabilities, some of them a decade old, incorporated into final designs,” he notes.

8. Can you see the problem?

Another huge problem is that once a network is attacked, it’s much easier for subsequent attacks to occur.

Yet, recent data shows just half of IT decision makers feel confident they have full visibility and control of all devices with network access. The same percentage believe they have full visibility of the access level of all third parties, who frequently have access to networks; and only 54% say they have full visibility and control of all employees.

9. Turning a blind eye

Despite security concerns often cited as the number one barrier to greater IoT adoption, Trustwave research shows 61% of firms who have deployed some level of IoT technology have had to deal with a security incident related to IoT, and 55% believe an attack will occur sometime during the next two years. Only 28% of organisations surveyed consider that their IoT security strategy is ‘very important’ when compared to other cybersecurity priorities.

10. Efforts to standardise

In the UK, the government’s five-year National Cyber Security Programme (NCSP) is looking to work with the IT industry to build security into IoT devices through its ‘Secure by Default’ initiative. The group published a review earlier this month that proposes a draft Code of Practice for IoT manufacturers and developers.

While there seems to be some light at the end of the tunnel, it may not be enough. Regulators won’t force device manufacturers to introduce the necessary security regulations and practices before thousands of businesses fall victim to attacks. Turning a blind eye to the IoT security risks could leave your organisation permanently paralysed.
