Banking has long been recognised as one of the sectors with the most mature and collaborative approaches to cyber security. But it also remains constantly under threat, as hackers rapidly adopt emerging technologies to find new ways to breach defences.
According to Bill Borden, corporate vice-president of worldwide financial services for Microsoft, this presents financial companies with a unique challenge: “Creating high-friction experiences for cybercriminals, fraudsters and money launderers while delivering low-friction customer experiences.”
Banks, in particular, have found themselves more exposed to hackers in recent years — despite being part of most countries’ critical infrastructure — because of their digital transformation and moves to cloud computing, which bring a reliance on a web of third-, fourth- or even fifth-party suppliers.
Not only must they protect their own assets and data from both criminal groups and nation-state hackers, they must also protect their clients from falling foul of scams or identity theft, for example. Given the amount of sensitive personal information they hold on customers, as well as their funds, they remain a prime target — ever bombarded by attacks.
Norges Bank Investment Management, the sovereign wealth fund, last year said that it suffers about 100,000 cyber attacks a year, of which it classifies more than 1,000 as serious — with chief executive Nicolai Tangen labelling cyber security as its biggest concern, above tumultuous markets.
Michael Sentonas, president at cyber security group CrowdStrike, says cyber adversaries are “continually increasing the sophistication of their tactics and exploits, while decreasing the breakout time for intrusion activity, or the time it takes for them to move laterally within a network”.
CrowdStrike found a 50 per cent increase in “hands-on” attacks — in which the perpetrator uses a keyboard to break into the host network — between 2021 and 2022, with financial services being the second most targeted sector, after technology. Financial services is also among the top 10 sectors targeted by access brokers, who trade in or abuse stolen credentials, Sentonas says.
Similarly, an analysis of attacks by the Financial Services Information Sharing and Analysis Center — an industry wide-alert system — found the finance and insurance industry is the third most targeted sector by ransomware criminals.
And the stakes are high, particularly when it comes to reputational risk. “A cyber attack on a bank would have a significant impact and effect [on] that share price and that trust between the bank and the clients, which could have a much more significant impact than other sectors,” says Stuart McKenzie, head of consulting for Europe, the Middle East and Africa at Google’s cyber security business, Mandiant.
In response, experts recommend that banks focus on enabling multi-factor authentication, robust access and identity management procedures, and enhanced data governance. In addition, banks should draw up incident response plans and simulate attacks to practise their response.
Steve Soukup, chief executive of cyber security company DefenseStorm says banks are increasingly taking a proactive approach and treating cyber security “more like a risk management discipline”, by having policies and controls in place that are regularly tested and measured.
However, he finds that many smaller banks and credit unions still spend more time managing the risk of their small business lending portfolio than they do on cyber security — even if, from a financial standpoint, their exposure is “just as profound”.
Longer term, technologies are being developed that will further test the cyber security strategies of financial institutions. Firstly, banks will have to weigh how to defend against, and make use of, artificial intelligence, given its potential to automate attacks at scale, and its ability to adapt to targets.
“I think we’ll see attackers use generative AI to craft much better phishing,” says McKenzie, referring to AI that can generate text and images in response to human inputs.
Fabio Colombo, global lead for financial services security at consultancy Accenture, agrees: “On the one side, it could mean the attackers have access to a very fast way of engineering new malware, new code, new threats.” This might mean companies will have to move faster to patch, or upgrade, their systems as hackers are able to exploit vulnerabilities more quickly. But, Colombo adds, AI will also increasingly be used by banks to detect attacks and automate their cyber defences.
Some are upbeat about other developments that affect the industry. Microsoft’s Borden points to a new privacy-enhancing technology known as “confidential computing” that allows cloud providers to process encrypted data without being able to access or alter it.
“Confidential computing provides the missing piece for full data protection at rest, in transit, and now in use,” he says.
At the same time, Colombo notes that financial services is one of the sectors “most impacted” by quantum computing — a technology so theoretically powerful that experts fear it will be able to crack the encryption that is typically used to secure user data.
“Many global banks and global insurance companies are looking forward for let’s say, three to five years, to understand what could be the threat if some of the algorithms or encryption will be broken,” Colombo says, urging banks to assess where they might be vulnerable and how they might be able to address any potential compromises.
Borden adds that companies — and particularly their boards — will also need new training in how to handle a crisis. “They need to be prepared for the unknown, the black swan,” he warns.
Source link
