Securing your doors is not enough. Go for a multi-layered security strategy.

Cyber-attacks are all over the news! From ransomware to phishing, farmware, malware and cryptojacking up to DoS attacks. It seems as if the internet has been transformed to the Wild West.

Combine this with our ever stronger dependency on the internet for our day-to-day life and it’s clear that cyber-security should be on the top of the agenda of every CEO and CIO. Especially in the banking industry, due to its strong dependency on the internet (online & mobile banking) and the sensitive nature of financial data. The whole banking system is based on trust: one successful cyber-attack can destroy this trust, resulting in enormous financial impacts for the affected bank. Even worse if customers would lose confidence in the security of their bank, this could lead to a Run on a Bank, which in case of a major bank could be catastrophic for the whole financial system.

While most bank CEOs and CIOs are conscious of these impacts, the examples of success ful cyber-attacks in recent year are not hard to find (the rate of breaches, or theft of sensitive data, in the financial services industry has tripled over the past five years):

• In February 2016, hackers attacked the central bank of Bangladesh and issued 35 instructions using the SWIFT messaging system for an amount of $951 million. Fortunately, most of the transfers were blocked, but the cyber-attack did cost the bank $81 million.

• In November 2016, the banking leg of the UK supermarket chain Tesco lost £2.5 million, when half of the 40,000 customer accounts were compromised. The attack resulted in a temporary freeze of all online transactions and in a fine by the FCA in 2018 of £16.4 million.

• In December 2016, Russia’s Central Bank was breached for an amount of $31 million.

• In May 2017, the WannaCry ransomware attack infected 230.000 computers in over 15O countries. In India several ATMs were shut down to avoid further infection (even though the link between the outage of the ATMs and the ransomware is denied by the Indian government).

• In June 2017, the GoldenEye, also known as NotPetya, ransomware blocked thousands of computers worldwide. The impacts were considerable, e.g. the packages at TNT Express were blocked for several days in different European countries. Other major firms being impacts were FedEx, Merck, Cadbury…​ Apart from the National Bank of Ukraine, the impact on banks seems (as far is publicly known) to be limited, but the speed and impact of the outbreak put everyone on high alert.

• In December 2017, the Russian bank Globex was attacked via its SWIFT network. Losses were not considerable (only $100.000), but the complexity of the attack shows the professionalism of certain hacker gangs (like Cobalt, Carbanak, Lazarus…​) specialized in attacking the financial industry.

• In April 2018, 7 UK retail banks, including Santander, Royal Bank of Scotland, Barclays and Tesco Bank, had to limit or shut down their systems after sustained attacks. This cost them hundreds of thousands of pounds to remedy.

• In October 2018 the Mumbai branch of the State Bank of Mauritius was hit by a cyber-attack through a fraudulent SWIFT payment, resulting in a loss of about $14 million.

• In January 2019 state-backed hackers from North Korea infiltrated the Bank of Chile’s ATM network and siphoned off $10 million.

• …​

Unfortunately, this is just the tip of the iceberg as most security breaches are not disclosed by banks, out of fear for reputational damage. Studies have showed that financial services firms are 300 times more frequently attacked than other businesses and that a typical American bank is attacked a staggering 1 billion times per year (which results in more than 30 attacks per second).
Not surprising however when you look at the impressive number of parties wanting to attack banks: state supported hackers (e.g. Russia, North-Korea…​), ethical or politically inspired hackers (hacktivists), financially inspired criminals, hackers attacking for the pride or kick, competitors (industrial espionage) and insiders who are frustrated against their employer.

Furthermore experts predict that the cost for banks of cyber-attacks will increase exponentially in the coming years, as banking becomes even more digitized, new channels like mobile, Open Banking APIs and Internet of Things become more popular and homeworking and new policies like "Bring Your Own Device" become rule rather than exception. With each digital door a bank opens, new vulnerabilities arise.

Combine this with the increased sophistication of the hacking attacks and it should be clear that cyber-security must be one of the main investment areas for banks in the coming years.
Those banks who are not sufficiently aware yet of the importance of this threat will be forced, either by security breaches or by regulators. Recent years regulators have started to introduce directives and frameworks to force banks to increase their security, e.g. PSD2’s Regulatory Technical Standards impose strong security requirements to all payments, GDPR not only imposes strong data security for personal and confidential data, but it also forces companies to publicly report breaches within 72 hours, TIBER-EU is the first European framework to test the resilience of bank against cyber-attacks…​.

But those investments should not all be going to IT solutions, like firewalls and improved authentication techniques. The increased sophistication of the attacks requires a cyber-security strategy, which is holistic for the whole organisation. This means all employees and all procedures are impacted, not just those of IT, as security is only as strong as its weakest link.

This cyber-security strategy should implement and enforce a range of best practices:

• Overall end-to-end awareness of all employees of the risks and methods used in cyber-criminality. This can be done through training (e.g. training on social engineering techniques), information campaigns, customer education and "mystery customer" tests, but also via new methodologies like DevSecOps, which foresees that security is incorporated at any moment of a project implementation.

• Layered approach: implement multiple layers of defense (physical security, firewalls, throttling, risk-based authentication, data encryption, network segmentation, VM/container security…​) to maximize isolation. It also means that making a distinction between trusted, internal systems and external, public systems is outdated. Under the new "Zero Trust" paradigm ("Never trust, always verify") also internal systems should not be trusted.

• Devalorize data: if a hacker can gain access to your data, ensure the data is worth nothing. This can be done by strong encryption of all (sensitive) data.

• Continuous monitoring for breaches (intrusions or abnormal behavior), i.e. audit and monitor all activities on all systems and (automatically) identify abnormal behavior on systems (e.g. user doing actions they normally don’t do, peaks in download/upload traffic or CPU usage…​). This monitoring is a balancing act between identifying all breaches, while avoiding too much "false positives", as those take up valuable analyst time and lead to incident fatigue.

• Automatically reacting to a breach: as soon as a potential breach is identified (through continuous monitoring), automatic actions should be taken to contain the breach. This can be by automatically blocking all access rights of the suspicious user account, shutting down the impacted system and potentially switch to backup systems, disconnecting all connectivity to other systems from the breached system…​ After breach is contained and resolved, the system should automatically return to normal operations as quickly as possible.

• Continuous Security testing: this should include:

  • Static Code analysis: automatic execution of static code analysis, allowing to detect security flaws (e.g. Cigital SecureAssist, Code Dx, IBM Security AppScan, Klocwork…​). This static code analysis should be part of the CI/CD pipeline.

  • A set of automated security tests, executed also as part of the CI/CD pipeline, allowing to identify security breaches automatically before going to production

  • Security tests as part of acceptance testing: include as part of the acceptance criteria of an acceptance testing phase, the successful execution of several security tests. Often these tests (e.g. PEN-tests) are executed by specialized firms.

  • White-hat ethical hackers: employ or temporarily hire a white-hat ethical hacker to find potential security flaws in your systems. This can also be organized in the form of a hackathon or a premium for any security flaw being reported (e.g. check out "Google Vulnerability Reward Program")

  • Continuous Resilience Testing: inject automatically random security attacks in the production system, to continuously validate if the system can properly react (e.g. Security Monkey from Netflix’s open source Simian Army).

• Automatic patching: automatic identification and installation (preferably immediate and without downtime for end-users) of any new patch on libraries/software being used. Achieving this level of maturity might be complex for an organization. An alternative is working as much as possible with cloud-based managed solutions, which take care of all patching for you, without any impact for the user.

• Sharing of information about hacking attacks: due to the strong interconnectivity of banks, a breach in 1 bank will likely also negatively impact another bank. It is therefore imperative to collaborate between banks on cyber-security. This includes defining security standards for data exchange, enforcing third parties connecting with banks to adhere to highest security standards, share best practices on cyber-security, share information on recent cyber-attacks…​

Most of these methods are however costly and often impact negatively the user experience and user productivity. New techniques reduce the need for this compromise, but some negative impacts of tightened security are still to be expected. It is therefore important to compose a good business case of which risk a bank is willing to take to improve usability and productivity. Based on this business case, a deliberate decision can be taken, including the necessary accountability.

Just like most regulations (e.g. MiFID2), cyber-security is mainly considered as cost for a bank, but when correctly implemented, it can also be an opportunity:

• New risk-based authentication methods can not only improve security, but improve usability at the same time

• With all reported data privacy and security issues, having a reliable and secure brand can be a valuable differentiator for attracting customers. The recent transformation of Apple into a "privacy-as-a-service" company(attacking the data-intensive business models of Google and Facebook) shows a need for secure services, which respect customer’s privacy. This differentiator will become even more important, when the bank positions itself as a central distribution platform for different products/services (from competitors and other industries).

• Insurers have huge potential in the cyber-insurance space, not only providing products insuring customers against losses due to cyber-attacks, but also providing value-added services like knowledge sharing, trainings, APIs with cyber-security data, CyberGyms providing a training ground to train cyber-security specialists in responding to attacks…​

This article hopefully demonstrated that cyber-security is a large and complex topic, which will require considerable investments in the coming years, but also provides important opportunities to the financial services industry. Due to the complexity, it is important to collaborate with industry experts and outsource as much as possible the burdens related to cyber-security. A move to a public-cloud like AWS, Azure or GCP seems a contradiction when talking about security, but when the move to the cloud is calculated and well-executed it will likely increase your cyber-security (these cloud players have the best security specialists in-house), while reducing your spending on cyber-security at the same time.

The key message to be retained is that banks should start implementing their cyber-security strategy now and keep an open mind for new innovative solutions which can transform their cyber-security investments into business opportunities.