In 2015, I received a full scholarship from Erasmus+ to study journalism in Denmark and the UK. Two years later, in July 2017 I graduated with a joint Erasmus Mundus Masters in Journalism, Media and Globalisation from City, University of London and Aarhus University. The following is the first half of my final dissertation which focused on issues in cybersecurity in the banking and financial industry. In February 2018, this shortened version was published on Publish.org.
Cybercrime is now the second most reported economic crime affecting a third of all organisations. And commercial and retail banks have become the prime target. Is Europe’s financial industry prepared to face another crunch, but this time, in the digital realm?
On a Monday afternoon in November 2016, customers of Tesco Bank, the banking segment of UK’s largest supermarket chain of the same name, received a startling text message: ‘Over the weekend,’ it began, ‘some of our customers current accounts have been subject to online criminal activity.’ It would continue to say that online transactions were suspended as a precaution. As to what kind of criminal activity occurred, they didn’t mention. But by then, they didn’t really have to.
Because over the weekend, British news organisations reported that on Saturday 20,000 accounts at Tesco Bank were compromised and varying amounts were stolen from each. The affected number was then later reduced to 9,000 and the total amount lost was announced to be £2.5 million.
It was an unprecedented ‘systematic, sophisticated attack,’ said the bank’s chief executive, Benny Higgins, to the BBC. He pledged that the bank would refund all affected customers, but the UK Parliament and the public demanded an explanation.
A 2017 report by the Cambridge Centre for Risk Studies described a growing threat by ‘malevolent actors’ perpetrating cyberattacks in the global digital economy. The financial industry, in particular, has been a favorite target, as 73 percent of breaches are financially motivated according to Verizon’s 2017 Data Breach Investigations Report.
And the trend, security experts unanimously agree, will only get worse. Technology is evolving faster and cyber criminals are getting bolder. The question is whether cybersecurity is too slow to keep up, or whether commercial and retail banks are not technologically and organisationally equipped to face a threat that isn’t entering from the bank’s front door but from within its walls.
The State of Financial Cybercrime
According to the same Risk Index report by the Cambridge Centre, the year 2016 saw numerous ‘record-breaking’ cyberattacks that range from huge volumes of data theft to large-scale denial-of-service (DoS) attacks and financial crime attempts.
In fact, according to the latest PwC Global Economic Crime Survey done in 2016, cybercrime has become the second most reported economic crime, which now affects 32 percent of organisations. And most companies, the report says, are still not adequately prepared for, or do not even understand, the risks they face, with only 37 percent of organisations equipped with a cyber incident response plan.
In the last few years, no other industry has been the target of hackers and other malevolent actors more than the banking and finance industry. “It’s the most specific and significant threat that exists today in cybercrime,” says Shane Shook, an independent cybercrime and computer forensics consultant based in San Francisco, California.
According to cybersecurity firm Symantec, 2015 was the year the finance sector became the most targeted industry by hackers and cyber criminals with 34.9 percent of all spear-phishing emails directed at an organisation within the finance sector.
The targets have changed, as well. Cyber criminals have moved on from the familiar modus operandi of attacking private users of online banking and payment systems to large organisations such as banks and payment processing systems, as well as retailers and businesses that use point-of-sale (POS) terminals.
“What we’ve seen is a shift away from high volume and low value crimes — where [cyber criminals] infect a thousand computers and from a hundred of them they’ll take £10 out of each account — to very low volume, sometimes just a single strike, but very high value [crimes],” says James Chappell, founder and chief technology officer at Digital Shadows, a cybersecurity firm based in London.
From the firm’s 39th floor office in Canary Wharf, headquarters of many international banks, one can behold the vast expanse of the City of London in the distance and the hundreds of financial institutions that make it the top-ranked financial center in the EU contributing more than £124bn in gross value added to the UK economy in 2016, 7.2 percent of the country’s total GVA. Here, the threat is even more real. “We’re seeing a much higher capability, and the motivation [for cyber criminals] is for a large sum of money, and the opportunity is that they’re exploiting the bank’s local network.”
And due to the region’s advanced and wealthy economies, and geopolitical positioning, Europe, according to a 2017 report by security firm FireEye, “is a prime target for these attacks” with the financial industry the main focus in countries like Germany, Great Britain, Belgium, Spain, Denmark, Sweden, Norway, and Finland.
And as more consumers go online, the attack surface just gets wider and wider. This was confirmed by James Thompson, head of financial crime policy at the British Bankers Association in London, a trade association with 200 member banks in more than 50 countries: “The scale of cyberattacks is increasing, and there is a need to make systems more secure from a national security perspective.”
Narrowing the Corridor
When speaking to cybersecurity experts and financial crime officers, ‘vulnerability’ is a term that often comes up in conversation — along with ‘risks’ and ‘threats.’ But to understand cybersecurity is to understand the relationship of the three and how organisations analyse and prioritize them.
The first is vulnerabilities; they don’t matter.
“Your business doesn’t care about vulnerabilities,” says Bryce Boland, Asia Pacific chief technology officer at FireEye. “They care about providing services to customers, and protecting the value of the assets that they’re responsible for; there will always be vulnerabilities.” It’s a sweeping statement that, for the layman inexperienced in cybersecurity, is a bit unsettling.
A vulnerability is anything that could be taken as a weakness or a gap in security and protection. A bank’s open door to the high street is physically vulnerable to thieves entering. Online banking is vulnerable to hacking and fraud. But, as Boland and other security experts explain it, by itself, an open door or online access to your account isn’t a concern unless someone attempts to take advantage of it. Those are threats, entities who wish to take advantage of vulnerabilities to secure some kind of asset, whether it’s information, money, or something else. And the intersection of all these is risk.
However, according to the chief technology officer of FireEye, the fact that a vulnerability exists doesn’t mean that an attacker will exploit it and cause mayhem. Banks are more focused on the risks associated with the system and the actors who wish to wreak havoc on it.
According to Thompson of the BBA, there’s an element of proportion involved. “It has to be a risk-based approach.” Therefore, an organisation must focus its resources where a potential risk makes the biggest impact. “All you’re trying to do is narrow the corridor in which attacks can happen. So you have to prioritize.”
However, if risks arise from vulnerabilities, it certainly makes more sense to simply address the vulnerabilities, rather than the risks that result from them. To paraphrase the old adage, isn’t an ounce of cyber prevention better than a pound of cyber cure? Is risk-based security, well, risky?
“It’s a business decision,” explains Raj Samani, chief technology officer at Intel Security. “Everybody has risk. But the reality is that you’ve got to try to operate in a business environment.” And the goal for any business is to make a profit and use its available resources wisely to work towards that goal.
The Game Has Changed
The November 2016 events at Tesco Bank have raised questions not only about financial cybersecurity, but also about the response of banks in the event of such a breach and what they have done, if anything, to prevent it from happening.
‘There are elements of this that look unprecedented and it is serious, clearly,’ said Andrew Bailey, chief executive of the Financial Conduct Authority, a financial regulatory body in the UK, when he faced the Treasury Select Committee at the House of Commons in November 2016.
“It’s a massive concern to us because it’s a massive concern to our members and to their customers,” says Thompson of the BBA, which counts Tesco Bank as one of its members. But now, more than a year after the hack, there have been no new developments in the investigation.
“The game in security used to be ‘Stop bad things from happening,’” says FireEye’s Boland. “Now the game in security is ‘Stop as much of the bad things from happening as is practical.’” But, he interrupts himself, “Assuming some other things will happen that you can’t stop, how [then] do you limit the impact of that? That is the other part of the game.”
The 2017 report by FireEye revealed that companies in the European Union ‘take three times longer than the global average to detect a cyber intrusion.’ This is called the ‘dwell time’, the period of time between the moment an organisation’s systems are compromised and the moment security detects it. The global average dwell time is 146 days; in the EU it’s 469 days, says the report.
‘The notion that hackers are rooting around in companies’ networks undetected for 15 months is sobering, as it allows ample opportunity for lateral movement within IT environments,’ says the FireEye report. But most importantly, ‘dwell times of this length allow hackers the opportunity to develop multiple entry and exit doors.’
Because of this, organisations are now looking at their cybersecurity investment in a different way; they’re shifting from prevention (protect assets as much as they can) to detection and response (protect those that will cause the biggest and most expensive impact).
A hacker may happen to be trawling around inside an organisation’s network for months or years, but if they don’t cause any problem for the business, and the business never feels any impact from it, then, says Boland, “for all intents and purposes, it doesn’t matter.”
“At the moment,” says the BBA’s Thompson, “everything is built pretty much around defense of systems. I don’t think it’s a bad thing. You do wonder if at some point there will be a more aggressive response to attacks on systems.”
In cybersecurity, for every attack that’s successful, there’s a multitude that have been blocked. Are financial institutions focused on the digital threat? Absolutely, says Intel’s Samani. And many are doing everything that they can to address it. But are they stopping it? “You’ll get some people that will say ‘No’ while some [banks] have a huge expenditure on it. But it doesn’t mean that they won’t experience risks being realized; there is no such thing as absolute security.”
While banks have established security teams, not all financial institutions are large or have the same resources. “On top of this,” says David Emm, principal security researcher at Kaspersky Lab, “non-financial organisations now get involved in banking and related areas: given that this may well be outside their area of expertise – as with a retail organisation, for example.” Tesco Bank was formed in 1997 as an offshoot from its primary supermarket business.
When called for a statement, a spokesperson for Tesco Bank said that they “continue to work closely with the authorities and regulators in their investigation of the criminal incident that took place.”
In February 2017, the UK government launched the National Cyber Security Centre (NCSC), which aims to address the increasing cyber security threat in the UK by working with UK organisations, businesses, and individuals, as well as by improving incident response to minimise harm and help in recovery in the event of a breach. The NCSC declined to be interviewed for this article when reached for a comment.
In financial cyber security, the first lesson to learn — albeit a hard one — is that every bank can be breached. “Full stop,” emphasizes FireEye’s Boland. “The bank that gets breached doesn’t necessarily have a problem; they have a problem if they can’t get in control of the breach before there’s a business problem caused by it.” This is the situation financial institutions find themselves in as industries grow more digital – criminals included.
Back on the 39th floor of the Digital Shadows office in London, James Chappell glances out the floor-to-ceiling windows with a view of the River Thames. In the distance, The Shard – a 95-storey steel and glass spire building – pierces through the horizon looming above the City’s offices and hundreds of local and foreign banks. “We’re becoming more digital in a way that we haven’t seen before so this is natural that some of these things happen,” says the technology officer. “But it seems the rate at which we innovate outstrips the rate at which we secure. And I don’t think that will ever change; that will always be the case.”