Risks from external and internal threats have evolved and cybercriminals have become increasingly sophisticated. How is the financial services industry keeping its head above water? The answer lies in empowering the frontline, says Brendan Goode
While Deutsche Bank and other banks were not impacted, the fact that it happened at all underlines the scale of the threat and serves as a reminder that as business has digitalised, it has become more vulnerable. Cybercrime is now estimated to cost the global economy more than US$400bn a year and is expected to rise to US$2.1trn by 2019. i
Current cost of cybercrime: US$400bn a year (Lloyd's of London)
“There will be a before and after Bangladesh… this is a big deal and goes to the heart of banking,” Leibbrandt said. He called for the industry to work together with SWIFT “to reinforce the security of our entire financial system”. He challenged the banks: “SWIFT is not all-powerful, we are not a regulator, and we are not a policeman; success here depends on all the stakeholders in and around the industry. The security of our network remains our key priority; the security of their own environments has to remain (and for some become) banks’ priority.”
The evolving landscape
Attack sophistication is still growing. Perpetrators are increasingly well trained, highly professional and equipped with all relevant resources such as computing capacity, exploitation and masking tools. In response, the financial industry has to keep the right balance between security and the need for allowing the market to operate. This is a continuous challenge – many transactions are processed in real time and manually inspecting each one is not a feasible option.
While there is no 100% security, many breaches are already preventable with good practices. Ronald Dick, Chief of the National Infrastructure Protection Centre (NIPC), said that 80% of the issues the NIPC responds to could have been prevented if system administrators had been able to download a patch and repair their systems. Studies from cybersecurity product provider Symantec show that more than a third of data breaches are caused by negligence or human error.
“There will be a before and after Bangladesh... this is a big deal and goes to the heart of banking.”
Gottfried Leibbrandt, CEO, SWIFT
Kill Chain of attacks and Defense in Depth
Figure 1 sets out a summary of a typical cyber attack structure called the ‘Kill Chain’, overlaid with controls at each point. The Kill Chain describes the phases of a successful cyber attack, from ‘Reconnaissance’ to ‘Action on Objectives’. The overlaid controls provide a representation of how security can be layered in ‘Defense in Depth’ throughout IT systems to deter, detect and disrupt the attacker from accomplishing its goals. To mitigate threats, controls should be implemented strategically at each stage of the Kill Chain – so even if one control fails to stop the attacker, the next control can successfully mitigate an attack.
The first target of an attack is often still the end user. All too often, human error represents the weakest link in many IT systems, and threat actors continue to target these users through phishing and spam campaigns as a way of gaining initial entry into an organisation. These tactics continue to be successful and many advanced cyberattacks have used them to gain a foothold in an organisation. In response, governments, security groups, media and private sector organisations have devoted significant effort and attention to raising awareness.
However, even as defences and awareness have improved, threat actors have adapted their techniques and increased their sophistication. To continue improving defences against these attacks, companies must continue to invest in raising user awareness and begin to transform users into becoming the company’s strongest link by making them an active part of an organisation’s defences. iii
Some successful user awareness programmes try to drive a ‘do this’ rather than a ‘don’t do this’ approach. If a user sees something suspicious they should send it to the Information Security Specialists straightaway, so they can get it analysed – sometimes a user will be the first person to encounter a threat. Even if a malware campaign gets past the anti-virus products on the first day, its effectiveness can be significantly reduced or mitigated the second day if users are vigilant. Through doing this, the users can become an important part of the security lifecycle.
Another issue is that the bad guys are not limited by jurisdictional boundaries and in fact they use this to their advantage.
Attacks are often launched in jurisdictions with weaker cyber laws and often against a target in another country. This should not deter an organisation’s ability to defend against the threat, but it does complicate law enforcement actions once attribution is established.
To improve collaboration, Deutsche Bank cooperates with other members of the financial industry, the technology sector, regulators and law enforcement across the globe to support the collective effort to combat cybercrime. The bank is actively involved in global and regional sharing initiatives such as the FS-ISAC, the Cyber Defence Alliance in the UK and the Cyber Security Sharing & Analytics in Germany, to name just a few. Through these relationships, we strive to improve overall awareness of ongoing threats and to be better prepared to more quickly respond when there are attempted large breaches.
As we move forward, the financial industry may need to continue to evolve its defences to safeguard its environment and to protect its assets. However, this cannot be done in isolation. There needs to be a collective effort to combat cybercrime. We all need to maintain good security hygiene and to continue to educate our users to make them the strongest link.
Brendan Goode is Deutsche Bank’s Head of Information Security Operations and the Regional Chief Information Security Officer for the UK and Ireland
i See http://bit.ly/2vLCEq3 at forbes.com
ii See http://bit.ly/2vPqvkE at weforum.org
iii See Janine Durbin’s practical points on cybersecurity management at http://bit.ly/2vBeFcH