Nowadays, a bit of online trickery and technology know-how can be all it takes for perpetrators to access private data and money, as opposed to the ‘Bonnie and Clyde way’ of physically breaking into organisations wearing balaclavas and armed with guns. Cyber attacks have been occurring for a while now and whilst clickbaity phishing emails that install malware onto victims’ PCs still occur, people have become less susceptible to them and there are more defences in place against this type of behaviour.
However, the methods for carrying out cyber attacks are becoming increasingly sophisticated, which makes it an overwhelming topic of concern for industry participants. As well as this, it was recently reported that Donald Trump relaxed the US cyber attack rules thus reversing the guidelines that were set in place by Barack Obama, which has heightened concern in the industry.
Additionally, a recent paper from Finextra in association with Equinix, dated from July this year, surveyed 100 financial services professionals, and they were asked to rank seven categories in terms of the level of threat and risk that they expect to pose to their business over the next five years.
Out of the seven categories, cybercrime/fraud was rated as the top threat with 56 percent of participants rating it as a number one priority.
With this as the backdrop, these factors raise the question, how can firm’s protect the organisation against cyber attacks?
Frank Carr, CMO of Financial Risk Solutions, states that firms should have established agreed and documented processes in place, for example, all staff should understand an information security threat or incident and breach management.
Carr also explains that firms should have an information security management process to identify, communicate, respond to and recover from security incidents including cybercrime (including targeted attacks using a range of vectors such as malware or social engineering against organisations or individuals) and business disruption.
For Steve Mann, CMO of Arachnys, the human element is a linchpin for effective cybersecurity and he highlighted the importance of reducing the number of false positives.
He says: “False positives can come from a number of sources. Too much network traffic that’s mistaken as malicious, some network equipment that fails, true-false positives from an intrusion detection system, or a non-malicious alarm of some sort. The problem here is that with all these erroneous alarms, true alarms get lost in all this irrelevant data. The best way to limit false positive is, again have the human talent to develop the code that can weed false positives out.”
Dave Parsons, chief information security officer at Abacus Group, highlights that there is not a one size fits all solution.
Parsons says: “Defense in depth is the philosophy most financial firms take to provide layered protection against malicious activity.”
“A stack of security tools including firewalls, intrusion prevention, data loss prevention, consistently updated policies and procedures, and a well-educated user community that breeds InfoSec vigilance and culture is the best defence against adversity.”
Meanwhile, Jerry Norton, head of strategy, financial services of CGI, notes that a top-down holistic approach is required in order to protect the organisation and it must be a board-level priority.
Norton says: “The way that a company designs and operates their applications has to be looked at differently–we [CGI] would advise what we call, security by design. Applications should be designed to be secure so even if they are hacked, data such as passwords are not compromised.”
Challenging times ahead
Reflecting on the main challenges in the cybersecurity space, Mann said that one challenge is the lack of integration, as with most software stacks.
Mann explains: “If a firm can’t integrate its intelligent gathering mechanisms with the solutions for threat mitigation it poses a major gap in cybersecurity defences. It doesn’t matter that the firm has great technology if that technology cannot be directed against the true threat.”
Parson hails the increasing sophistication of hackers as one of the challenges in the cybersecurity space. Elaborating on this, he said: “Convincing phishing websites combined with social engineering efforts create targeted ‘spear phishing’ campaigns. These are run by teams of professionals with the determination required to elicit the confidential corporate data required to make money on the black market. Ransomware installed as a result of successful spear phishing attacks has been particularly troubling.”
Norton also attributes the sophistication of malware to one of the biggest challenges, he adds: “That malware is allowing people not only to defraud organisations but to cover their tracks after they’ve done so.”
Here, there, and everywhere
With increasing amount of data being shared, the abundance of data is inevitable but will we be able to overcome it?
António Jesus, CTO of Know Your Customer, cited that one of the ways to correlate such diverse and time-agnostic data is to combine machine learning (ML) with semantic correlation and classification of data.
“However, this often does not work. We believe that the next big thing will be to semantically tag all extracted data so it can be directly correlated to other data in real time from the web”, Jesus explains.
“As processing power improves, so do the tools to process the data in near-real time. The way we see it, unstructured live data is the new database, and semantically querying that data is the new search. We’re still a bit far from it, but we’re way closer than yesterday.”
Norton comments: “The difference between authentication and authorisation is important; when an individual has been authenticated through some sort of out-of-bound method, like an SMS message or a biometric, their access to information must still be controlled.”
“There are a number of techniques that allow you to ensure that access to certain data types is restricted to the authorisation granted and who has the data.”
“The abundance of data is effectively controlled by who is allowed to see what and the risk factor that is associated with it. With tokenisation, one individual does not have access to all of the data, merely a portion.”
“Data must have time expiry. There are authorisation protocols, such as the Open Authorisation (OAuth) 2.0, which is typically used in open banking and other open domains which cater for all of these methods. Some security experts believe the OAuth can be compromised, it’s not necessarily the only way of doing it but those types of techniques allow control of data.”
He adds: “Of course end customer consent is also important when accessing data—you’re creating a trust framework with certain people at different levels.”
Parsons comments: “Computer files are dated and can be searched. System administrators must be required to audit data, create appropriate archives, and then destroy active data beyond legal expiration dates.”
Meanwhile, Steve Marshall, managing director, and head of State Street Verus, explains that in order for us to manage data, it’s important to understand that all data isn’t equal, and just because something is knowable, it doesn’t make it valuable.
He says: “The winners in this race will be those who effectively find a way to identify which data is most relevant and the potential impact on them. Those who fall prey to information paralysis will be those who try to gather as much information as possible for its own sake without any clear way to distinguish between the small, valuable bits and the huge amount of irrelevant data.”
Collaborate
In regards to how firms can collaborate around cybercrime prevention, Mann highlighted that firms are inherently cautious about sharing information, most notably technology since it provides such competitive organisations from firm to firm.
“That being said, when there is a common vested interest, organisations can let down their veils of secrecy, to share knowledge, strategy, and implementation details”, Mann adds.
Reflecting on the positives of collaboration, Norton says: “Notwithstanding the health warnings around conflicting responsibilities, sharing some facilities will, in theory, bring all organisations to the same level. The economics of cybercrime apply to the individuals orchestrating the attacks—it can be expensive for them to create attacking software, so it may be ‘tested’ on one organisation before targeting another.”
“If the ‘tested’ organisation shares details of the type and service of the attack, the next potential target can be informed at the same level.”
Adding an example of collaboration, Parsons says: “Threat intelligence consortiums such the Open Threat Exchange managed by Alienvault are a good example of a collaborative defence community designed to produce actionable, community-powered threat data.”
Can AI help?
While artificial intelligence (AI) receives a somewhat mixed reception in the industry, the majority of industry participants seemingly agree that it can play an important role in analysing data for anomalies if leveraged correctly.
Adam Smith, CTO of Picadilly Labs, explained that AI, used with ML, is great at classifying items into groups.
“Models can be trained with vast amounts of transaction data, and derive patterns from those data. These models and patterns can then provide a ‘gut-feel’ recommendation, on a per-transaction basis, and incorporate a variety of data; in this case, the data could be the account holder’s previous transactions, usual locations of the card, and information about the merchant such as their type, location and fraud history.”
However, Smith warns that although machine learning and AI are creeping into everything, it is not a silver bullet and like any technology, it has to be used appropriately.
Agreeing on this point, Mann says that while ML and AI can help automate threat detection and response while easing the pressure on security professionals, the view that AI is the be all and end all, is pure hype.
“In the financial crime space, there is an analytics arms race underway. Financial institutions are using AI and ML to better identify and thwart bad actors trying to launder money, finance terrorism or some other nefarious purpose. At the same time, these bad actors are using the same technologies to improve the velocity, and efficiency of their attacks. The same arms race is underway in the cybersecurity arena. Attackers are also adopting ML technology to thwart cyber defences. Time will tell who will win.”
Chirag Patel, head of research and advisory in Europe, the Middle East and Africa at State Street Global Exchange, says: “As the industry shifts from historically using smaller, structured datasets towards larger, unstructured ‘big data’ sources, the application of AI-driven ML techniques in anomaly detection and bias correction will become key because human analysis of these datasets will become intractable and require a marriage of technological expertise and practitioner insights.”
The role of regulation
“The concept that security of data and systems need to be somehow regulated by an independent party or by the government is generally agreed upon. But the real question is how”, Jesus considers.
“The risks involved are extremely high, and the victims of these attacks are not only big corporations anymore. The General Data Protection Regulation (GDPR) is a major step in regulating data protection in Europe, but it obviously falls short in areas where it does not intend to regulate.”
“That’s where the Network and Information Security Directive comes into play. Some of its measures are extremely important, but they fall short on one essential aspect: prevention. In this matter, regulation is very slow-paced. The pace of technological change is so fast that any framework that gets put in place by traditional regulatory approaches will become useless in no time.”
Parsons comments: “The advantage to regulatory requirements for security practitioners is mandate. Budget is justified and resources are allocated. GDPR pushed the incident response programme at our organisation years into the future. Even if you are forced to bootstrap solutions, you and your team are pressed into service, and results will be achieved.”
Norton says: “The regulators have got a lot to do in terms of encouraging hesitant organisations to disclose information about attacks, which is crucial. They can also raise the bar by setting minimum criteria and helping organisations such as banks to comply.”
Norton also highlights the importance of ensuring that the banks’ supply chain is strong and there are no weakest links. Concluding on a positive note, Norton states: “The duty of care towards outsourced organisations is rising throughout the whole industry.”
