The financial services industry is used to regulation, but having an effective cyber security strategy is not as simple as ticking the boxes – it needs to constantly evolve. This is especially true when organisations build competitive scale by undertaking mergers, acquisitions and increasing their third-party suppliers. Organisations need to understand the threats, regularly testing their own defences in order to best protect themselves from attack.
The financial services sector is an obvious target for cyber criminals because of the sheer volume of personal data that it holds, as well as the amount of money that it controls. The frequency of these attacks, or at least the reporting of them, seems to be increasing. According to the Financial Conduct Authority (FCA), reported cyber attacks on financial firms increased 12-fold in 2018 compared with the previous year [1]. Retail banking was cited as the most affected sector, with the primary cause of these cyber incidents being attributed to third-party failure, closely followed by hardware and software, and change management.
This high incidence of attacks attributed to third parties is supported by findings from the Ponemon Institute [2]. It found that although many financial services organisations still develop their own software, many are becoming reliant on third-party independent vendors to deliver the latest technology. However, according to the same report, many organisations do not require third parties to adhere to the same cyber security measures as themselves.
But for established organisations to remain competitive, particularly against the challenger banks, they need to update their legacy systems. Investing in new technologies and transforming the customer experience is key to survival and third-party vendors are an important enabler in making this happen. Therefore, these suppliers need to be managed – it’s not enough to transfer the cyber responsibility to them alone.
Understanding the threats
This is also something recognised by the European Supervisory Authorities (ESAs), which provide advice to the European Commission on strengthening EU cyber and IT security regulation in the financial sector [3]. They strongly recommend that the Commission should develop an EU oversight framework for third-party providers active in financial services, with a particular focus on cloud service providers (CSPs).
But third parties are not the only risk for cyber security firms. Phishing email volumes continue to rise at an alarming rate according to Infoblox, with approximately one out of every 200 emails received by users worldwide being a phishing email [4].
And within the financial sector there are also a number of different threat actors who may have different motivations for an attack. For example, state-sponsored attackers may steal financial data to monitor the activities of individuals, governments and industry, whereas cyber criminals could be more interested in financial theft. In addition, insider threats need to be considered – trusted employees could be in it for the long game when the financial rewards can be so large.
Being an attractive target to such a variety of threat actors means that any vulnerabilities will be sought out and exploited to the maximum. But financial institutions need to enable both their employees and clients to access data while maintaining confidentiality at all times. Keeping to these commitments while staving off cyber threats is complex, but, with reputations easily damaged and large fines at stake, it needs to be managed effectively.
The FCA offers a framework of advice to ensure good practice, which includes:
- Putting good governance in place so that cyber security is on the executive agenda
- Identifying what needs to be protected, including third-party suppliers
- Protecting assets appropriately, which includes adopting long-term user education and awareness
- Using good detection systems to tackle the insider threat
- Being aware of emerging threats and issues by sharing intelligence, insights and practices
- Being ready to respond and recover by learning lessons from every incident
- Testing and refining defences
In fact, this last step is vital to ensure that organisations improve their resilience to attack as well as their speed of recovery in the event of a breach. The best way to do this is with ethical hacking.
Hacking to ensure resilience
Ethical hacking is a way for financial organisations to test a particular element of their business and see how resilient it is to attack. Essentially, the ethical hacker will assess the system’s security and report back in terms of what they saw, what they were able to do and how much went unnoticed. Typically, the test will involve web application penetration testing, infrastructure penetration testing or mobile device and mobile application penetration testing.
However, to fully test all areas of the financial organisation, a red team engagement is required, which takes things a step further. It doesn’t just focus on the technology elements. A full attack simulation covers all areas of the organisation and could include social engineering, physical access attempts, active reconnaissance and the full suite of technical penetration testing techniques.
A typical engagement is likely to take several months and should include some standard milestones: an assessment with agreed objectives and safeguards, start and end dates, and a time to present the findings to the Executive Board. If vulnerabilities are detected, the organisation can address them before they are exploited in a real cyber attack.
A recent Ponemon report shows that the financial services industry needs to focus more on cyber security as it becomes more dependent on new technologies and systems to improve margins and agility [5]. Over 70 per cent of respondents stated that they use financial systems and software supplied by a third party, yet only 31 per cent thought that their organisation was effective in preventing cyber attacks.
This is something which the European Central Bank recognises only too well. Through its banking oversight arm, the Single Supervisory Mechanism (SSM), it is currently pursuing expectations for the cyber resilience of large Eurozone banks. These expectations will have to address a number of challenging issues, including questions about the governance of cyber risk, the expected speed of recovery from cyber breaches, and the information that supervisors expect firms to share with the rest of the market [6].
Red teaming is an excellent way to meet these expectations and then address any gaps with the right security protocols and processes. There’s no easy answer though – it’s an ongoing cycle, because as technology advances and is used to boost security, it can also be used by attackers to improve attack methods and create new threat vectors.
About the Author
Anthony Young is a Founding Director at Bridewell Consulting, one of the UK’s leading independent cyber security companies. He has been involved in cyber security for more than 16 years, with a background in information security, governance, risk and compliance. Starting his career with a small consulting company, he joined Barclay Simpson to develop its contract information security division. Anthony founded Bridewell Consulting in 2013, and built a world-class cyber security company that focuses on customer satisfaction and long-term relationships.
1. https://www.computing.co.uk/ctg/news/3078272/12-fold-increase-in-cyber-crime-financial-services