At the time of writing (June 2020) the world is tentatively emerging from the coronavirus lockdown that we have all been living through for the past three months. The cost to human life and health has been unprecedented and beyond that, the global economy is set for a period of turbulence and uncertainty as we look to rebuild and refocus on normal life.
Banking and the wider Financial Services (FS) sector is undoubtedly vulnerable and facing a period of change. During the lockdown itself, banks have faced many challenges: the logistics of most of the workforce suddenly working from home; customers unable to speak face-to-face with advisors; the pressure applied by the overall economic uncertainty and a wave of increased cyber-attacks.
FS cyber security is challenging enough at the best of times. Clearswift research in 2019 revealed that 70% of financial companies had suffered a cyber security incident in the last 12 months. Less than a quarter of the respondents felt they had an adequate level of budget allocated to cyber security within their firm.
What fresh cyber security threats has coronavirus brought along in its wake, and how can banks use this pandemic as an opportunity to improve their overall cyber security strategy?
The cyber threat facing banks
The multiple threats that FS firms face can be categorised into two distinct camps – to steal or to disrupt. Theft targets personal data that may be used to compromise customers through their identities being stolen, which in turn can lead to their accounts being ransacked.
Disruption for political reasons can interrupt the trading of an FS firm and could result in a loss of revenue. Both types of attack carry similar consequences: reduced business, reduced customer confidence and the risk of heavy fines if personal data is compromised.
Cyber criminals have not been slow to exploit these threats during the coronavirus crisis, and banks, operating in a state of greatly heightened anxiety, are more vulnerable than they might usually be. With people concerned about the current situation, banks are receiving more queries from customers about short-term loans and general business advice, and attacks could come via such a route.
There has also been a spike in coronavirus-based phishing campaigns. These are well-crafted, look authentic to the untrained eye and are designed to trick people into opening them. These campaigns prey on people’s concerns about the current crisis, and recipients are more likely to click on a malicious link now than they usually would be.
Homeworking, even when not in the grip of such a crisis, has security issues, but with many FS employees working from home during the lockdown, there have been further security concerns. Staff may be tempted to access corporate systems via unauthorised home systems, while other family members might use the employee’s laptop or device at home – kids printing out their homework, checking personal email – and this can be an easy route in for a hacker using phishing or social engineering lures based on coronavirus.
It’s also true that homeworkers lack the usual office-based security measures: no web gateway security and no intrusion detection/prevention systems.
Addressing the threat
Part of the problem for banks in mitigating the threat is that the threat landscape is so wide, varied and evolving. Malware, ransomware and phishing are all still widely deployed tactics, while social engineering techniques, weaponised documents and weaponised websites change all the time. Keeping up with what is going on is a major challenge for any FS firm and especially so during the coronavirus crisis, with internal security teams stretched in a number of different directions.
Ideally FS firms will have already prepared for being breached and will review this process regularly. Assuming they’ve not created a breach response playbook, there are several things they will need to do. They must identify how the attack happened and work to contain the situation so that it doesn’t continue. This may involve taking systems offline to perform a thorough investigation. Once they know how it happened and what was impacted, and have assessed the risk, the entity can start to work through the process of communicating to customers with a clear message about what has happened and how it’s being dealt with.
If a data breach concerns personal data, then the entity should contact the Information Commissioner’s Office (ICO) and Financial Conduct Authority (FCA) within 72 hours of becoming aware of the breach. Once the systems have been restored, it’s a question of reviewing not only how to secure the entity better through technology and process, but also of evaluating any lessons learnt throughout the breach. When a new plan has been finalised, it should be tested through simulation so that staff can learn how to deal with the next one.
What the banking industry can learn from the pandemic
Although the lockdown has been tough for banks, and the uncertain economic future could be even tougher, it can also act as a period of learning and reflection for executives, especially around how they approach cyber security. There is a clear need to take cyber security even more seriously and up the pace of innovation and deployment of effective data protection and threat mitigation strategies. This includes working with the right technology providers and ensuring that staff are using all of the features and measures available to them.
Addressing cyber security effectively should always cover the combination of people, processes and technology, and the current pandemic allows FS organisations to look at where they are with all three. With so many employees working from home, quick training exercises have had to take place to demonstrate best practice in this area and what processes to follow should any employee think they have been the victim of a cyber-attack.
When the lockdown is over it is not unreasonable to think that many more people will now work from home more regularly. All the measures that were put in place to facilitate pandemic home working should remain, but it’s also an opportunity to put in place new measures.
Such times can act as a trigger for a bank to reinforce its cyber security processes and to remind employees of the need for extra vigilance. This should certainly extend to providing advice and technical help to make sure employees are as well-protected working from home as they are from the office. The impact of coronavirus will be with us for a long time and no FS organisation wants the additional headache of a serious security breach.
About the Author
Alyn Hockey is VP of Product Management at Clearswift. Alyn has had an extensive career in cybersecurity, co-developing the MIMEsweeper range of products and working across departments within Clearswift, managing technical support, research and currently product management.
A techie at heart, Alyn spends much of his time talking to customers about the latest technologies and presenting on product lines, gathering information on how to improve those product lines to meet customer demands and the ever-evolving cyber threat.