The financial services industry has done much to bolster its cyber resiliency in the face of criminals targeting its underlying infrastructures. Security has become a part of the boardroom agenda and many large financial institutions are now better prepared to deal with cyber threats than ever before.
However, while financial institutions have upped the ante in protecting themselves, cyber criminals show no sign of slowing down and are relentlessly trying to outsmart their targets by employing ever more sophisticated tactics.
A recent example is the creation of malicious and harmful services that are then sold to the highest bidder. The technique was first flagged by a Europol Cyber Crime Centre report in 2014. The report claimed that criminals, lacking the intellectual capital to do it themselves, were buying ready-made cyber attack packages. Referred to as crime-as-a-service (CaaS), it lowers the barriers to entry for cyber criminals, opening the door to those without the technological expertise to develop the harmful products themselves. It’s flat-packed cyber crime – with a price tag.
It used to be that cyber crime was reserved for those with specialist systems or the technical nous – not any more. Crime-in-a-box equips every ‘wannabe’ cyber criminal with a set of tools to commit attacks. A typical crime-in-a-box toolkit includes malicious software, supporting infrastructure, stolen personal and financial data and the means to monetise criminal gains. With every aspect of this toolkit available to purchase or hire, it is relatively easy for cyber crime amateurs to launch devastating cyber attacks not only of a scale that is highly disproportionate to their ability, but at little financial cost to the perpetrator.
This turnkey toolkit enables malicious actors to gather resources quickly and easily. And as soon as authorities discover and take down cyber crime services available online, they pop up elsewhere.
And so while financial services firms have taken significant strides in the right direction, they now need to ensure the security of their networks from this different type of threat. As attackers arm themselves with more sophisticated tools and techniques, the traditional approach to security has become outdated. Compliance processes are out of sync with the new digital age, which is further burdened with an overreliance on legacy systems vulnerable to cyber attacks.
To cap it all, regulators are toughening their stance on companies suffering breaches in their cyber defences and imposing fines for their shortcomings. According to estimates, digital crime costs the world $400 billion every year. With the stakes this high, financial institutions can no longer afford to sleepwalk into a disaster.
So here are a number of steps that I feel financial services firms should take to combat the rising security threat:
- Think like a criminal: Financial institutions need to treat cyber criminals the way they treat challenger brands - by understanding and disrupting their business models. So-called ethical hacking is one way to do this. Real life hackers are unpredictable and driven by impulse. Ethical hackers counter this by imitating them, and in doing so test systems, report and fix possible vulnerabilities, helping organisations to stay ahead of the criminals.
- See the opportunity: Bolstering cyber security measures should not be driven by the risk factor alone. Firms should see it as a customer experience and revenue growth opportunity, not just a risk that needs managing. This approach turns cyber preparedness into a competitive advantage, rather than seeing it as an additional cost.
- Raise employee awareness: Training employees within an organisation and encouraging best practice is probably the most effective first step towards improved cyber resilience. Implementing new technology through complex systems uncovers new avenues for cyber criminals to exploit. Regular staff training helps plug the gaps.
- Ask the experts: Working with outsourced solution providers specialising in cyber security is helpful. Keeping their clients ahead of the cyber threat curve is the core activity of these specialist providers. They employ analysts who continually monitor the dark web to gain intelligence that helps firms to anticipate attacks and be aware of new types of threat. Often financial firms are unable to allocate resources for such tasks in-house.
- Choose the right cloud: Moving towards a cloud environment allows easy and secure consumption of internal services and external solutions. Wrapping multiple cloud environments (private, public and hybrid) into one single secure infrastructure, accessed via a single managed network, helps take control of applications' performance and simultaneously manage individual cloud systems. Most importantly, it reduces the number of points of vulnerability that cyber criminals seek to expose.
Unfortunately, crime-as-a-service is going to spread, not least because of how easy and commercially lucrative it can be. As the financial industry becomes ever more complex, it’s imperative that security solutions keep pace with this development to limit the worst effects of cyber crime.
Luke Beeson, VP Security, UK and Global Banking & Financial Markets, BT