This article originally appeared in Future Banking magazine
As hacking and cybercrime become increasingly sophisticated, it gets harder for banks to stay on top of developments and protect customers from fraud; a dynamic cyber security strategy is increasingly considered a prerequisite for good business. Oliver Hotham speaks to Richard Horne, partner at PricewaterhouseCoopers, about how banks can stay vigilant, fight major breach attempts, and the importance of educating customers about keeping their data safe.
October 2015 was Cyber Security Month in the USA, a time for business and government partners to make sure that everyone understands the importance of keeping safe online: protecting passwords, setting up two-step authentication processes, the whole gamut of precautions everyone should take to make sure there’s no chance we wake up to find our internet wallet has been emptied. A similar scheme was underway in Britain, the Keep Safe Online campaign.
But it was also the month that, in the UK, a group of hackers made off with £20 million from British bank accounts. In an attack described by the Guardian as “one of the worst cyber attacks ever seen”, infiltrators used Trojan horse-style malware known as Dridex to break into accounts and slowly siphon off money. It’s believed Dridex has raised £100 million worldwide for its creators, in a digital heist worthy of the most prolific bank robbers. It was a shocking breach – and there was little the authorities could do about it once it was over.
“Fraudsters are cashing in online, and are using the internet to commit crimes which they would never have been able to execute in previous decades,” Matt Bradford, head of the National Fraud Intelligence Bureau at the City of London Police, told the press in the aftermath.
To many, it was an indication of the extent to which, in the current climate, many customers are justified in the belief that banks simply aren’t doing enough to keep them safe online and protect accounts from criminals. And the industry is under pressure from other sides, too: in October, Standard & Poor’s announced that it was considering cutting the ratings of lenders who failed to adequately protect themselves against attacks, or who experienced an exceptional breach of security. The news sent a stark message: invest in cyber security, or face the penalties.
“Since the dawn of time, really, banking has been about confidence,” says Richard Horne, a partner at PricewaterhouseCoopers and an expert in cyber security. “Ask any economist around what matters around banking – it’s about confidence.
“In today’s digital world, security is a key part of trust in your bank and your financial transactions – it’s absolutely fundamental to a bank’s offerings and brand.”
For years Horne worked for Barclays, as a COO for infrastructure and service delivery, as director of electronic protection, and as managing director for cyber security. During this time, he was seconded to the Cabinet Office, developing policy for the British Government, a diversity of experience which means he’s seen the issue from both sides of the fence.
“Clearly having worked in a big global bank I have a good understanding of what the banking environment is and how the processes flow,” he says, when asked what this breadth of experience has contributed to his understanding of the environment. “I know what matters and what needs to be focused on from a security perspective.”
He’s now at PwC, having been invited in 2013 to build a national practice for the company specialising in cyber security, a division which now employs roughly 200 experts and does everything from advising clients on security strategy and approach to helping them build controls and defences against attacks.
“They decided that is an important investment and key part of its whole offering in the market,” he says. “It wasn’t the first time, but it was at a stage where we decided that we really needed to go for it.”
Part of the problem is that the losses incurred by breaches often don’t give enough of an incentive to invest the large sums necessary to really curb these types of issues. In a report for the website The Conversation, published in March, Benjamin Dean, a fellow for internet governance and cyber security at Columbia University’s School of International and Public Affairs, argued just this, making the case that regulators need to step in.
“JP Morgan’s CEO, Jamie Dimon, says his firm spends $250 million each year on cyber security,” he argues. “To put that in perspective, that constitutes 0.35% of JP Morgan’s annual expenses. If that’s how much a firm whose very existence rests on preventing data breaches, one can only imagine how much the average firm invests in information security.
“In the presence of this market failure, the case for government intervention becomes strong.”
There’s certainly space for collaboration between the state and the private sector; when finance represents such a significant part of the national infrastructure, the need for it is self-evident.
But the news about Standard & Poor’s, for many, shows that the financial industry should begin to see cyber security as a major concern – and one which has an impact on profitability – rather than a simple inconvenience. One bank suffering a major breach, for example, can have a systemic impact across the sector.
Hackers are smart, however, and keeping track of the constantly changing threats and staying one step ahead can be close to impossible. There are nonetheless ways of tracking who adversaries are, the techniques they use and the infrastructure available to them. Also important, argues Horne, is that companies work together to develop joint strategy.
“I think a second area is collaboration between organisations,” he argues. “The more banks can share information around the attacks they’re seeing, the techniques and how they’re evolving, the more they will develop a pack immunity and start to be able to respond to threats, and be better prepared to predict what the attackers might do next.”
It’s also a case of firms increasingly needing to hire people as skilled as the hackers attacking them. There’s a clear desire for specialist skills, and banks must make their recruitment – and retention – approaches more flexible to make sure they can attract and keep hold of the right skills. A key part of cyber security is understanding the infrastructure of a business and where vulnerabilities lie, so blending the technical skills with understanding of finance is essential.
The types of attacks also vary depending on the work that the bank does. In investment banking, there’s potential for extremely destructive breaches, and hackers can interrupt key flows, disrupt information channels, create imbalances in the market, and wipe data. For retail banks, by contrast, the target is usually the customer: breaking into accounts, manipulating and compromising transactions. While there is some activity attacking institutions generally, it’s much more common that individual clients are exploited for their personal data – and this is where customers need to be protected, and learn to protect themselves.
“There’s a range of measures you can take,” says Horne. “Techniques around having secure authentication, helping customers protect their devices, having good intelligence and monitoring capability to detect when clients are behaving in an anomalous way.”
Much of helping customers help themselves comes down to education – hence the importance of Cyber Security Awareness Month and the Keep Safe Online campaign. Banks are increasingly investing in these kinds of projects to help people get more streetwise about the dangers they face, and encouraging others to take the initiative.
So is the message sinking in? Horne is fresh from working on PwC’s Global State of Information Security 2016 report, a worldwide survey of over 10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs, and directors of IT and security companies from 127 countries.
“We had respondents all over the world answer quite detailed questions on their security,” says Horne. “In many cases it’s about trends continuing; you’re seeing a steep rise in the number of incidents being detected, and a rise in attacks which companies believe were nation-state directed.”
“In some ways there was nothing too surprising but confirming that trends are continuing.”
The results are interesting. While incidents were reported to have increased by 38%, 24% of respondents said they had boosted their information security budgets and that financial losses decreased by 5% year on year. They also listed a number of initiatives taken to improve security and reduce risks: more than half said they used big data analytics, cyber security insurance, risk-based security frameworks, and cloud-based cyber security measures to keep customers safe.
The banking industry is developing in a multitude of ways, all of which, from the increased use of mobile to the expansion of cloud-based services, have complex implications for cyber security and the safety of customers. New technology is a double-edged sword: it presents new options for improving controls, but at the same time brings in new vulnerabilities.
“In many ways it really doesn’t matter what the new technology is,” argues Horne. “It’s a constantly evolving environment, and within that environment there are improvements that can be gained and there are going to be new vulnerabilities that need to be managed.
“All this makes it a really changing landscape.”
Richard is a recognised leader in the field of cyber security, with deep industry knowledge and expertise. He is a former MD of cyber security at Barclays, where he was involved in establishing co-operation between banks on the subject. He set up the Virtual Task Force to get banks working with the Met Police. Richard was seconded to the Cabinet Office to bring private sector expertise into the Government, where he initiated the Cyber Security Information Sharing Partnership (CISP).