Financial services firms reported 145 breaches to the Financial Conduct Authority in 2018, an increase of 480% from 2017. Here, cybercrime experts give their thoughts on what firms need to do to protect themselves
Power to the people
Mark Taylor is technical manager, technical innovation, at the Tech Faculty
Cybercrime is an expensive, global problem. In a 2013 report, security firm McAfee and the Center for Strategic International Studies (CSIS) estimated that cybercrime was costing the global economy around $500bn. In a follow-up report released in 2018, The Economic Impact of Cybercrime: No Slowing Down (tinyurl.com/FS-NoSlowing), McAfee and CSIS concluded that the global cost of cybercrime had now reached $600bn.
Cybercrime is well organised and now a commodity. Criminals provide a wide range of services to anyone willing to pay including selling stolen personal information, hacking systems on-demand, and causing crippling network outages.
Many financial services firms struggle to match the technology, power and sophistication of these organised crime gangs. IT has been embedded into financial services firms for many years and so is very complex and often unique. While many safeguards have been added to these legacy systems, they can be costly to maintain and difficult to replace. However, there are a number of defences that organisations of any size can adopt to protect themselves.
Staff are the key first line of defence. Ensuring that they are aware of the threats posed by cybercrime is crucial. Staff who are aware of the need for good data protection need to be supported with well-developed and maintained processes and procedures.
One example is how a firm makes use of personally owned devices. Do staff understand their responsibilities and are there strong procedures and technology in place to allow staff to safely use them?
While staff can be a strong line of defence, they are also introducing a cyber risk. Inadvertent or malicious behaviour could lead to a significant ‘insider threat’. There have been some indications that increased insider threat is linked to wider cultural values. Casual approaches to data usage and unethical approaches to doing business may encourage staff to take a casual approach to information security.
The third element of information security is technology. The need for business agility, mobile device usage, open banking and cloud services has radically affected how technology is used and delivered to clients and it has become increasingly challenging to maintain and update complex systems.
Cyber criminals exploit weaknesses in systems (people, processes and technology), so it is essential to keep them up to date. Additionally, technology can be used to help detect cyber-crime. Data analytics is seen as a key tool to help identify security breaches and detect insider threats.
Recently, we have seen significant fines imposed on organisations for breaches of the Data Protection Act 2018 – the UK’s implementation of the General Data Protection Regulation (GDPR). The record-setting £184m fine imposed on British Airways by the Information Commissioner’s Office in July 2019 is an indication of the value and importance placed on personal information. This fine may be insignificant compared to the result of the forthcoming class action lawsuit. It is virtually impossible to separate personal from business data.
Any data breach is almost certain to include personal data. All organisations should place cyber security on the agenda of every board meeting.
Partners in crime
Narjis Zaidi is technical director, Technology Resilience and Will Hamilton is manager, Technology Resilience at Deloitte
As new types of attacks emerge and hackers become more sophisticated in their methods, joining forces to make attacks more targeted, financial services firms are equally seeing the value of taking a shared, community approach. The rise of ‘crime as a service’ hails a new reality where criminals pool talent across cyber, fraud and money laundering, and jointly make use of analytics, big data and cloud technology to launch digital attacks. The collaboration of different elements can prove devastatingly effective when systematically deploying skills in unison to attack backup and production systems.
Organisations that tend to tackle attackers unilaterally must recognise the value of working with the wider financial services community, including law enforcement and regulators, in order to successfully prepare for new cyber threats and combat more organised and united criminals.
When identifying threats, organisations need to:
- consider how AI or automation can be used to allow your people to focus on priority areas;
- understand the way your technology is bound together to support business services through ‘perform dependency mapping’; and
- strengthen critical and legacy systems as a priority, by identifying vulnerabilities and closing them.
One of the key areas of vulnerability is the increased use of suppliers for software as a service (SaaS) and cloud computing, while also creating potential single points of failure for critical services. The dangers of third-party dependency do not go unnoticed by cyber criminals, who are increasingly using destructive attacks to cover their tracks and distract security teams.
- ensure resilience through diversification and holding suppliers to the same security standards as your own organisation;
- create robust defences that are consistent in all environments, and ensure that investments are prioritised against the most credible threats and significant impacts;
- back up critical infrastructure configurations, applications and related data in an air-gapped off-network vault to counter a worse-case data loss scenario; and
- form reciprocal partnerships with similar financial services organisations to temporarily support customers in the event of a prolonged attack.
Financial services firms can prepare for evolving cyber threats by openly sharing threat information and developing good practice by performing joint simulations.
- go beyond the regulator’s minimum requirements and independently organise simulations with stakeholders, including both suppliers and peers;
- enhance realism in simulations by involving business and technical stakeholders and consider both strategic and operational aspects of your response;
- practice scenarios where other financial services organisations could temporarily continue to serve your customers while you focus on speedy recovery; and
- invest in developing technical tests to prove response effectiveness, which are suitably planned and use a realistic test environment and dummy data.
Organisations that create communities that intelligently share and consume threat information, and work collaboratively in the face of ‘crime as a service’, generally develop a competitive edge over the cyber criminals, not forfeit one.
Tim Rawlins, director and senior adviser at NCC Group
Cyber security is now high on the agenda for boards across every sector. With the introduction of stricter data regulations such as GDPR, all organisations largely understand the need to carry out a careful audit of the data they hold. Data protection is particularly pertinent in the financial services sector. The direct access to money, without the need to sell stolen data, means the industry faces the challenge of being targeted by more sophisticated threat actors.
Regulators increasingly require intelligence-led cyber security testing for financial businesses, regardless of where they are in the world.
This increased scrutiny from both criminals and regulators makes it vital to understand how effective incident response plans are when put into action. Businesses can have a comprehensive cyber incident response plan on paper, but there are only two ways to find out whether it will work seamlessly when the time comes: when a cyber attack happens, or through a simulated and controlled attack test.
To truly understand the resilience of a business, it’s important to audit people, processes and technology.
Training and testing
Training and awareness initiatives can help to mitigate cyber security risks posed by employees. It only takes one click on a carefully crafted phishing email to bring down an entire corporate network.
Simulated attack testing services can help an organisation understand how well its training initiatives and security processes have been understood and successfully adopted by employees. By seeing how they react to targeted attacks, businesses can better grasp what works well and where there may be a need for more awareness and training.
Comprehensive simulated attack testing services that harness techniques used by real cyber criminals can help businesses understand the value of the teams working together every day and how effectively they operate under the pressure of an attack. Communicating quickly and effectively with a wide range of stakeholders in the event of a data breach is vital.
When it comes to both internal and external communications, it’s important to trust there is a fully formed crisis management team ready to react quickly and decisively to communicate what has happened and any action that needs to be taken. Testing this in a simulated scenario can help businesses to understand how they would mitigate potential reputational damage in the event of a cyber attack.
Regardless of how thought-through an organisation’s cyber security plan is, testing is essential in order to truly measure the impact of cyber security investment, and identify key areas for improvement.
Nathan King, director at cyber security consultancy Cyberis
While many companies are doing more to prevent cyber attacks that are compromising their businesses online, many forget about criminals breaking into their premises.
Even for organisations with reasonable levels of security awareness and maturity, it is apparent that the attention given to cyber security has pushed the risks and controls of physical security to one side. It is difficult to quantify how common such breaches are, as they tend to be less well detected, but gaining unauthorised access to a building can be easier than hacking into a network remotely.
While the risks involved with physical security breaches are generally not worth the rewards for casual opportunists, a physical breach can provide a powerful ‘foot in the door’ and onward access to secure systems for organised gangs or a motivated, skilled attacker.
Gaining access to a building does not necessitate an out-of-hours break-in. For every business, there are third-parties who are expected to enter offices and buildings for various purposes: landlord inspections, fire alarm maintenance, health and safety audits, cleaning of drinks dispensers, candidates coming in for interviews or suppliers arranging meetings with purchasers.
The ‘high-vis’ effect is a well-known tactic. Anyone in a high-vis jacket who looks like they know where they are going or claims they have urgent or safety critical business to attend to tends not to be challenged.
Tailgating is another very common tactic. Even for businesses with card-based access control on all doors, it is relatively easy to follow authorised personnel into restricted areas. Sometimes they will even hold the door open for you.
Once through the door, implanting devices within the IT infrastructure to facilitate unauthorised access to systems can take a matter of seconds. Alternatively, a simple small-form wireless access point can be used to re-establish access from outside the building (eg, in the car park). At this point it’s largely game over.
How to prevent a physical breach:
- Monitor internal networks as thoroughly as external networks for anomalies but user awareness is key for protection.
- Encourage robust processes for allowing access to offices and ensuring visitors are properly escorted.
- Employees need to be willing to challenge visitors if they are suspicious and have escalation routes they can use if they are concerned about any strangers in the office.
- A more holistic approach to cyber security and ensuring that all staff are trained and informed can reduce the risk.
Smells like team spirit
David Hartley, group technical director at MWR InfoSecurity
In our experience, the firms most prepared to respond and recover from a cyber attack in the financial services industry are firms employing the following cyber defence strategy:
- Identify the attack paths that an attacker could follow to achieve a specific goal or compromise a critical asset, system or function.
- Assess the effectiveness of each (preventative, detective and responsive) control along each path.
- Improve/deploy controls surgically along the paths to reduce the likelihood of compromise, decrease the impact and increase detection capabilities.
- Use simulators to experience attacks and breaches in a safe and controlled manner.
- Remain aware of emerging and evolving threats by using contextual and relevant Threat Intelligence to prioritise initiatives and seed simulators.
It is important to first understand the firm’s current measure of cyber resilience. One of the ways to obtain this understanding is to undergo a simulated targeted cyber-attack – also known as ‘red team’.
The Bank of England (BoE), as part of a wider supervisory framework and tool set, launched CBEST in June 2014 (see below). This is a threat-led assurance testing approach designed to assess the cyber resilience of firms. You don’t want the first time you experience a cyber attack to be a real attack.
Rob Downie, principal consultant and red team lead at Context Information Security, explains how the Bank of England’s CBEST scheme works
CBEST is the intelligence-led penetration testing framework of the BoE, used for testing critical finance organisations through simulated cyber attack scenarios based on real-world risks.
A typical CBEST exercise lasts around 20 weeks and has four distinct phases. During the initial phase, the BoE and financial regulators, Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA), agree a scope for the exercise and work with the internal project team that will manage the exercise.
The ‘Threat Intelligence’ phase involves an accredited cyber threat intelligence provider, researching and constructing a detailed report on the background and threats the firm faces. This includes an open-source intelligence gathering exercise to help build attack scenarios.
These simulated attacks against the target organisation normally last about 10 weeks and will involve actual cyber-attacks, testing and report writing. These in-depth reports include a view on what was achievable during the testing along with specific findings and issues identified. The fourth phase is closure. This will involve meetings between all the relevant parties – BoE, regulators, firm and penetration testing provider – to discuss the findings and, most importantly, the remediation plans.
The team performing the exercise have access to sensitive data and potentially operationally critical pieces of infrastructure. So having confidence and trust in them is vital.
The CBEST framework stipulates that the threat intelligence and penetration testing phases are carried out by organisations accredited by the Council of Registered Security Testers (CREST) – a not-for-profit organisation that provides accreditations for penetration testing, cyber incident response, threat intelligence and Security Operations Centre services. There is a register of firms listed on the CREST website (tinyurl.com/FS-CREST).
The use of simulated targeted attacks is not just confined to the world of banking and finance. Increasingly, large and medium-sized organisations are using these techniques to identify and rectify vulnerabilities in their cyber security defences. Penetration testing is used to test individual systems or applications, whereas so-called ‘red teaming’ covers a wider spectrum of attack activities with more general objectives.
Safe learning opportunity
The output of such a simulated exercise provides safe learning opportunity and can seed a program designed to enhance cyber resilience.
Since the launch of CBEST, the security industry and the threats have evolved and there are better tools now available to firms. Colloquially (and slightly tongue-in-cheek), this new collection of tools is referred to as a ‘rainbow team’ as a result of being a combination of red, blue, gold and purple activities:
Prior to commissioning a red team test, firms should consider a threat emulation exercise — also known as purple team — to first understand their people, processes and technology (or, PPT) as they relate to a firm’s critical assets, systems and functions.
A purple team exercise involves mapping all of the paths to a given objective and the route an attacker could take to realise a specific scenario. This allows a firm to gain a deep understanding of their environment, and its controls across the prevent, predict, detect and respond (or, PPDR) domains.
Purple team exercises can also help firms continually enhance their cyber resilience in an evidential manner when run cyclically. In contrast, a red team exercise illustrates only the path of least resistance that an attacker may take.
The cyber defence strategy outlined should be thought of as a perpetual program. Attackers and their tools, techniques and processes (known as TTPs) continually evolve. With each cycle, demonstrable improvements in cyber resilience can be evidenced. But there is no end-secure-state. The firm and its people will get better at defending, but in parallel, attackers will also get better at attacking.
Jonathan Whitley, director for Northern Europe at WatchGuard Technologies
The most recent Verizon Data Breaches Investigations Report suggests that some 90% of breaches start with a phishing or social engineering attack. Yet the most recent investment in cyber security has been focused on securing computers and networks through technical defences. It’s time the focus shifted to make employees smarter.
Good phishing education programmes can reduce click rates on malicious links from 40%-50% down to below 10%. These programmes should intrinsically link technical controls with human behaviour and interaction. Preventing phishing must start with getting in-between the attacker and the victim to remove or neutralise as many malicious links as possible.
No one is suggesting it is easy to spot dodgy links as the level of phishing and social engineering is getting more sophisticated. There is also an increase in so-called CEO fraud where attackers impersonate senior management.
We need to move away from the blame culture, so it’s OK to make a mistake and learn from it. Protection, education, evaluation and reporting all contribute to an effective anti-phishing programme; but it is when they all work together with technology that the outcome becomes greater than the sum of the parts.
One of the other major user problems is stolen or weak passwords. We all struggle with remembering passwords, so on the face of it the use of multi-factor authentication (MFA) is compelling. MFA is simply a security system that requires more than one method of authentication to verify the user’s identity.
But traditional MFA solutions have been too expensive and complex, particularly for SMEs and can be seen as a hassle for end users. The answer may lie in the cloud. Cloud-based MFA requires no on-premises equipment, which cuts down on costly deployment and management activities, while a choice of modern authentication methods, including push notifications, one-time-passwords or QR codes to a mobile device provides good security combined with an improved user experience. If we are to significantly reduce the number of breaches from poor password practice, it’s time for financial services companies to adopt MFA.