22nd July 2016

The financial sector experiences 300% more cyber attacks than other industries. Businesses should take security action now if a major incident is to be avoided.

The Cyber Crime Assessment 2016 report conducted by the National Crime Agency has identified cyber crime as a real and immediate threat to UK businesses.

The financial sector is particularly vulnerable to both known international cyber criminal groups and emerging home-grown hackers.

Potential long-term impacts of a significant attack include substantial loss of revenue and margin, loss of valuable data and other assets, litigation and other legal costs, fines, reputational damage, executive dismissals and material loss of shareholder value.

The bare fact is that the city is being too slow to realise the true extent and scope of the threats it is facing.

The deadline for compliance with the new EU data protection laws is 2018. But these new standards only represent the most basic security measures businesses should have in place already.

Criminals are way ahead. Evolving malware and ever more sophisticated hacking processes mean businesses are constantly playing catch-up.

Add to this the accelerating pace of technology and development, and it’s easy to see how criminal cyber capability is outpacing the UK’s collective response to cyber crime.

It’s time for the financial sector to take a pro-active approach to cyber security, report every new attack as it’s detected and implement wherever possible new defence technologies and policies. Before a major attack systemically damages the entire sector.  

Why 95% secure isn’t secure enough

The NCA report is not alone in its view that the UK’s financial sector is facing a significant threat from cyber crime.

The Cybercrime Report released in February 2016 by ThreatMetrix used analysis of more than 15 billion transactions throughout 2015. It revealed a 40% rise in cyber criminal activity targeting the financial sector.

A record 21 million fraud attacks and 45 million bot attacks were detected in the last three months of 2015 alone. The data also showed that the financial sector is facing the most organised attacks and multi-channel threats.

Banks have invested millions already in securing their computer networks, but the number of attacks is still increasing. The problem is that, while all this investment has made financial organisations much more secure, it isn’t secure enough.

Last year, as reported in the Financial Times, Sony suffered a significant data breach. This malware deleted important company files and exposed embarrassing corporate emails to public scrutiny.

As an experiment, some of the largest financial institutions in the world ran tests with the Sony code to see what sort of damage it could unleash on their own systems. This exercise showed just how persistent the code was in seeking vulnerabilities across the networks, firing out repeatedly until it finally found a way in.

The experiment proved that having almost completely secure networks is now inadequate protection. If there is even a tiny hole in your security, today’s malware will find it.

Cyber crime bombardment and the challenges of under-reporting

The financial sector experiences 300% more cyber attacks than any other industry. The sheer volume of money moving around in this sector makes it an obvious target in itself for external fraudsters.

In addition, financial services businesses are also used by the criminals themselves as vehicles for moving the funds generated by their crimes.

In 2014, JP Morgan Chase was hacked after it had spent $250 million on cyber security and had a security team of approximately 1,000 people.

The breach revealed contact information of 76 million US households, shaking customer confidence that their mortgage and bank account information was safe. Despite no financial information being stolen on this occasion, the bank’s reputation took a serious knock.

Lloyds of London, the UK’s prominent insurer, has estimated the cost of all cyber attacks to be as much as $400 billion per year. US think-tank, The Centre for Strategic and International Studies, calculated a higher cost of $575 billion to the global economy.

In terms of specific cases, Royal Bank of Scotland reported that in the first nine months of 2015, cyber scams had affected 4,702 of its customers at a cost of almost £26 million. Yet another attack on TalkTalk resulted in the theft of 157,000 customer details and costs of around £35 million.

These high profile cases hit the papers, of course, and are therefore well known. But there is a huge problem with smaller cases of cyber crime going completely unreported.

In 2015, the Office for National Statistics estimated that there were 2.46 million cyber incidents and 2.11 victims of cyber crime in the UK. Only 716,349 cyber incidents in total were reported to Action Fraud during the same period.

Cyber defence techniques are devised to combat known security threats. If crimes go unreported infrastructure security can’t be adapted to combat them. This is largely to blame for criminal activities evolving far more quickly than security strategies.

Key weaknesses in the financial sector and how to strengthen the network

Mergers and acquisition activity worldwide has been high in the financial sector since the 2008 recession. While this activity has helped to overcome the crisis, it has left businesses with patched together IT networks that are often open to attack.

Swapping legacy technology for new defended environments is now recognised by large banks as a critical step in their cyber defence.

Aggressive defence strategies are being adopted increasingly as the likelihood of cyber attack rises. At the centre of these is the recognition that cyber security is not a simple tech issue, but one that runs company-wide.

Multiple-point verification processes, staff training and regular security policy review are as important as a properly protected network. These things have always been important but there has been a relaxed attitude around security that is now, finally, being stepped up.

Regulations are become stricter but aiming to meet these standards is really the least organisations should be doing. Even the new European GDPR is the lowest rung of the data security ladder.

Compliance with standards is often focused on avoiding penalties and buck passing. There is plenty more the financial sector can do to protect itself.

The most important thing for the financial sector to do is take cyber crime extremely seriously and share information of any incidents with relevant crime fighting organisations.

Cyber criminals are getting more sophisticated every day and this threat is only going to get bigger.

Not sure where to go next? Start here:

1. Train your staff. Then train them again.

Austin Berglas, the former deputy chief of the New York FBI’s cyber security unit is quoted as saying: “It’s not enough to build up walls and harden the systems, you need human capital to understand the threat.

Rethink your cyber security training. Are you presenting the policy and protocol in the best way? Is it up to date?

What happens if someone violates the policy? An immediate refresh session is the most effective response in ensuring it doesn't happen again.

2. Are your employees backed up by technology?

​Don’t wait for an attack to penetrate your network and paralyse your business before you look around for network protection. A proactive approach to defence is always best.

Cyber crime is evolving fast. Now is the time to ask an expert third party about next generation security you could implement to combat the threats before they become reality.

New technologies such as micro virtualisation, for instance, isolate tasks so that if malware enters a particular part of the system it can’t spread anywhere else.

3. How secure is your password protocol?

​The JP Morgan Chase breach was particularly embarrassing because there was no requirement for two-step verification, making the hackers’ job very easy.

Even free online services, such as Gmail, require two-step verification. Don’t leave yourself open to attack by omitting the most obvious procedures from your security protocol.

4. Understand the threats your business is facing

The biggest criminal threats to your business will not arrive in the lobby dressed like a burglar, wearing a balaclava and carrying a sack.

Remember that 90% of malicious activity starts with an email containing a harmless looking link that someone clicks. And Edward Snowden downloaded classified data from the National Security Agency using a perfectly ordinary USB drive.