The IT, business and regulatory landscape in which many large banks are operating is changing […]
The IT, business and regulatory landscape in which many large banks are operating is changing rapidly. The market is challenging, competition is strong and cyberattacks are increasing in number and sophistication. How can you manage cyber security in such a volatile environment and enhance customer trust?
The game has changed
In the old days criminals would come in with a shotgun and rob a bank. Today, cyber criminals or nation states can enter your system via the internet to steal your money or data. Or an angry teenager can hire a botnet (for a few bucks) to disrupt your entire online banking environment with a denial of service attack. Hacking tools and services are easier to obtain and are getting more and more advanced. For instance, powerful hacking tools from the NSA were leaked online last year, and are being sold along with cybercrime services on the Dark Web.
High regulatory pressure and increased competition
Basel IV, GDPR, PSD and other regulatory requirements increase costs. Either through heavier capital requirements (Basel IV), or because of a significant increase of the amount of controls banks have to implement (GDPR and PSD2). Moreover, PSD2 will open up the payments market to new competitors, including nonbanks. Big tech platforms (e.g. Apple Pay and Alibaba) and blockchain start-ups are moving into financial services, and will probably change the game for banks.
How to deal with cyber security in the volatile banking landscape?
- Agile vs. legacy environments: In order to keep up with this volatile (regulatory, cyber and business) landscape, banks are implementing the agile way of working on the (fast moving, innovative) business side. They try to organize themselves along the lines of tech companies such as Google, known for their agility, innovation and rock solid stability. On the other hand they are slowly migrating their core banking (legacy) applications. Therefore, in banking, CISOs need to understand how to manage security both in agile and legacy environments.
- To become best in class, make security a strategic priority: Protecting data is a strategic priority and at the core of Google’s business. Therefore Google can invest much more extensively in security, resources and expertise than others. Security drives its organizational structure, training priorities and hiring processes. If banks want to become best in class, like Google, they have to make security a strategic priority and embed it in everything they do.
- Enhance customer trust: To enhance customer trust, Google is open about how it organizes and uses security. If we apply this to the financial services industry, companies are able to enhance customer trust by delivering secure and customer-friendly services. Being transparent about how you organize security can also help build customer trust, which is important for long-term adoption of technology-based products and services.
- Find out how they get in: As the monetary gain for an attacker can be tremendous, even the most secure banks will be subject to hacking attempts. Therefore it’s important to understand how you can be hacked and how to act when this happens. It all starts with understanding your business, the underlying infrastructure and the possible attack paths. For instance, spear phishing is a popular method for hackers to get in. One of their methods is to send an attractive email mimicking the style of your company. By opening the attachment or URL, software is executed on the user’s system that connects back to the attacker. The attacker will use this software to launch further attacks against e.g. the internal payments systems.
- Prevent, detect and respond: If you are familiar with the various attack scenarios or kill chains, you need to stop, detect and/or remove the attackers as soon as possible. For instance, in order to minimize the impact of spear phishing it is more effective to stop the malware from running than to train all employees in recognizing spear phishing attacks. By balancing preventive, detective and responsive controls across the different attack paths, banks are able to maximize the chance of stopping a threat before it impacts the business. To effectively deal with spear phishing banks could for example implement a combination of internet sandboxing, system hardening, Multi-Factor Authentication (MFA), and targeted threat detection and response.
- Practice, practice, practice: Cyber security is not a one-off activity. Next to having strong defences, banks must constantly train their teams to ensure they are well protected – like the army or firemen. Purple teaming exercises — in which both the monitoring (blue) and attack (red) team work together — can be used to evaluate how well your organization is protected against (targeted) cyberattacks. For example, the red team will use an end-user system to attempt stealing money or data, or disrupt the business. The blue team will then try to detect the attack in time and respond to minimize the impact. Practice makes perfect, so purple teaming exercises are essential. Additionally, working together between the red and blue team provides a radical learning opportunity for detecting an even wider range of attacks.
Security accelerates compliance
Banks have to find the right balance between security and compliance investments. Risk and compliance officers have the tendency (in their enthusiasm) to over-engineer risk and control frameworks, and introduce too many (inefficient) controls. Ideally, effective security accelerates compliance. This can be realized by designing and driving IT (security) risk & compliance programs more from a cyber threat & resilience perspective. This results in a more healthy balance between preventive, detective and responsive measures, and ultimately accelerates compliance.
So going forward, boards should focus on demonstrably improving the level of cyber resilience, sign-off on cyber threat prioritization, and they should educate the regulators on how to effectively balance security & compliance.
TIBER and ECB
Regulators are starting to recognize the importance of performing Threat Intelligence Based Ethical Red Teaming (TIBER). In fact, many regulators are in the process of making these exercises a mandatory requirement to improve the level of cyber resilience for banks. In May 2018, the ECB released its TIBER-EU Framework on how to implement TIBER within the European Union. One of the goals of the TIBER-EU framework is to improve cyber security regulations and the way red teaming is performed across the EU.
The Future of Banking
Since the beginning of 2018 we have been sharing a range of articles with you on the future of banking, based on the ‘seven wicked problems’ we have identified. Embrace digital is one of these ‘problems’. Our research skills and day-to-day experience in working with banks have allowed us to dive into these challenges more deeply. By sharing our insights, we strive to help you with the choices you face in your day-to-day work and with aligning your leadership, culture and organizational structure to a fully digital mindset, optimizing the use of proprietary and external data. Sign up for the email alerts to make sure you won’t miss any of the articles about the latest insights and solutions on the future of banking.