How should financial services future-proof systems ahead of a cyber security threat?
The Financial Conduct Authority (FCA) has announced that as of August 2018, all high street lenders offering business or current accounts will be forced to publish details of major operational and security incidents. The move by the UK banking regulator is designed to provide consumers with more transparency, enabling them to easily compare services offered by Financial Services (FS) providers and to drive greater competition in the marketplace.
The report published by the FCA does not specify how much detail FS providers will be forced to go into. However, a major incident is classed as one that prevents customers from using banking services. In January 2017 Lloyds Banking Group suffered a 48-hour online cyberattack that saw hackers send millions of fake requests to the Group’s servers in order to grind systems to a complete halt. The ‘denial of service’ (DoS) attack was ‘geo-blocked’ by Lloyds IT security experts, effectively blocking access to the server. However, this also blocked legitimate requests from consumers. The information that FS organisations hold is hugely sensitive, and therefore when an attack like this happens they are held to a higher standard of accountability by consumers than other organisations.
The incident came just months after the Tesco Bank cyberattack, which saw an unprecedented loss of £2.5 million from 9,000 accounts. The threat to the UK’s financial infrastructure has put FS under scrutiny, with a greater demand for accountability from consumers whose trust has inarguably been eroded.
Outdated legacy software is allowing cyber criminals to target everyone – from the C-suite to everyday consumers in their own homes. Legacy programming languages are no longer taught to today’s engineers, and middle- and back-office systems are only able to report transaction failures and risk triggers after the fact.
All companies that hold credit card details, particularly retailers, have to comply with a set of standards drawn up by FS companies such as Visa. The fact that FS organisations have drawn up standards for other sectors, and yet remain so prone to attack, is ironic and perhaps worrying.
The lack of transparency within organisations is also an issue. It means that the C-suite cannot see the build-up of risky positions or business practices, either because they are not aware of them or because they do not understand them.
This, coupled with the fact that Business Email Compromise (BEC) targets specific individuals within companies by impersonating C-level executives’ emails rather than using a mass phishing approach, makes it far harder to differentiate between real messages and fake ones. As a result, such scams are more likely to succeed and are far harder to prevent.
The ‘internal threat’, or rather the internal infrastructure and the employees, is the biggest problem within organisations whose security controls are not sophisticated enough to match the threat. With legacy or simply ‘poor’ coding in place, as well as merged technology adding to the complexity of decaying infrastructure, less refined threats like SQL injection and cross-site scripting (XSS) are still able to get through.
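To make the ‘poor coding’ point concrete, the following is an added example (not code from the original article or from any of the organisations it mentions) showing the two coding defects named above beside their hardened forms. It uses an in-memory SQLite table with constructed sample customers standing in for a back-office system: the unsafe lookup splices user input into the SQL text, the safe lookup binds it as a parameter; the unsafe page renderer inserts user input into HTML verbatim, the safe one escapes it.

```python
import html
import sqlite3


def build_demo_db():
    """Constructed sample data: a tiny customer table standing in for a legacy back-office store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO customers (username, balance) VALUES (?, ?)",
        [("alice", 120.50), ("bob", 99.00), ("carol", 5000.00)],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Legacy pattern: string concatenation. Whatever the caller supplies becomes part of the SQL."""
    query = "SELECT username, balance FROM customers WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: parameter binding. The driver keeps the input as data, never as SQL."""
    return conn.execute(
        "SELECT username, balance FROM customers WHERE username = ?", (username,)
    ).fetchall()


def render_greeting_unsafe(username):
    """Legacy pattern: user-controlled text dropped straight into the page markup (XSS)."""
    return "<p>Welcome, " + username + "</p>"


def render_greeting_safe(username):
    """Hardened pattern: HTML-escape user-controlled text before it reaches the page."""
    return "<p>Welcome, " + html.escape(username) + "</p>"


if __name__ == "__main__":
    db = build_demo_db()
    # A value that is not a username but is accepted as SQL by the concatenating version.
    crafted = "x' OR '1'='1"
    print("unsafe lookup rows:", len(lookup_unsafe(db, crafted)))   # every customer leaks
    print("safe lookup rows:  ", len(lookup_safe(db, crafted)))     # no such user, zero rows
    tag = "<script>alert(1)</script>"
    print(render_greeting_unsafe(tag))
    print(render_greeting_safe(tag))
```

The fix in both cases is the same shape: keep untrusted input in a channel where it cannot change the structure of the command or document it is inserted into. A code review that searches for string-built SQL and unescaped template output is a cheap way to find the ‘less refined’ exposures the paragraph describes in a legacy code base.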
However, with regulations such as Sarbanes-Oxley and GDPR in place, the onus is now very much at board level. In recent years the role of the Chief Information Security Officer (CISO) has emerged as an integral one for FS, both in terms of performance and consumer trust. More than just a technical IT role, the CISO has become a ‘digital vanguard’ for organisations by understanding the risks associated with the commercial impact of systems, people and processes, from the top down – breaking down silos across FS data portfolios.
As cyber security attacks in FS increase and safeguarding regulations become more stringent, the key to success is ensuring that IT security is represented properly across the organisation. The previously isolated role offered purely technical and practical support, and while there is still a need for this, the CISO’s role should be far reaching across an organisation, as they increasingly operate in a dynamic digital environment shaped by the growth of online processing and cloud services.
Ahead of the FCA deadline, assessing operational resilience will be key, and FS companies need to understand their assets and constantly evaluate where they are vulnerable through rigorous testing.
Red and blue team testing, as favoured by military and government organisations, uses role-play exercises to simulate cyber-attacks in order to show FS organisations where their weaknesses lie and where to neutralise threats. With each IT team playing the role of attacker and defender in turn, they get to practise both how to identify an attack and how to deal with it.
Having a response prepared ahead of a cyber-attack is also critical. Using software analytics and forensic techniques such as malware reverse engineering, host-based intrusion detection and network analysis helps to define the breach vector and how the breach took place. This information will in turn help the CISO determine the attackers’ aims and the impact on the FS organisation, and report back at board level.
FS has no choice but to consider the people behind the data, because once the FCA rules are enforced, any FS provider found wanting will find that its customers do the talking with their feet. Therefore, cyber vulnerabilities need to be the top priority for companies rather than an afterthought, or worse still, something addressed only once disaster has struck.
Find out how you can stay one step ahead with a real-time view of your organisation’s digital risk with tailored cyber threat intelligence.