Phishing, malware, denial of service, bots, keyloggers, advanced persistent threats—banks have become all-too-aware of not only what these are, but why they need to be defended against.
From the earliest days of the internet—barely 20 years ago—despite all the undeniable benefits that digital technology represents, banks have suffered attacks from criminals able to exploit digital vulnerabilities.
For two decades, the industry has invested increasing amounts of time, talent, and, especially, money to battle an intractable cyber menace.
The war has only started, it seems.
Merely a skirmish, up until now
Many bank execs and others are coming to the realization that the juggernaut of cyber criminality is accelerating.
All the defenses put into place so far likely won’t stand a chance against the cybercriminal masterminds—and the lesser lights among them who can just buy new digital weapons on the dark net and elsewhere—who are coming up the ranks now. More resources, on top of what’s already in place, are needed to push back against this insidious threat.
Two recent reports bear this out.
• IDC Financial Insights forecasts that worldwide risk information technologies and services spending will reach $78.6 billion this year, and rise to $96.3 billion by 2018.
Total global IT spending in the financial services industry likely will reach $458 billion this year, rising to $522.3 billion in 2018. The risk management portion of this equates to 17.1% of overall spending, growing to 18.4% in that time period.
• Accenture found that nine out of ten risk managers at financial services firms plan to increase their investment in risk management capabilities in the next two years—specifically in response to emerging risks of cyber security. Accenture surveyed 470 executives.
More than a quarter said they’d increase investment by more than 20%. More than a third said that understanding cyber risk will be the most-needed capability in their risk function.
The situation is forcing fundamental changes in strategy as financial institutions seek to take advantage of the beneficial aspects of technology in the face of heavy regulation, customer preferences, and increasing competition.
“The combination of market forces, advances in technology, and customer demands are pushing financial institutions to become more digital and requiring a broader range of skills from today’s risk management professionals,” says Steve Culp, senior global managing director for Accenture Finance and Risk Services. “Financial services firms are struggling to keep pace with the demand for people with highly specialized skills, such as cyber risk experts, business analysts, security specialists, and fraud experts. To fill these gaps, most firms will have to look outside of their organizations—and the competition for the right people is increasingly intense.”
Customers know risks all too well
At the bottom of all this is fear—fear among those at the base of any business, customers.
A GFI Software survey of more than 1,000 U.S. adults finds that 46%—nearly half—had been victimized by at least one cybercrime in the past year.
Credit card fraud was the most prevalent form, at 24%, followed by 16% having at least one social media account breached or defaced. Of those surveyed, 43% see banks as the main target for cyber criminals in the coming year. Fifty-seven percent believe malware still poses the biggest threat to both individual and business information security.
“Cyber-attacks have profound consequences for the business community, whether companies are the target, or the victim of an attack elsewhere. In the last few months alone we’ve seen major corporations targeted in systematic acts of espionage and geopolitical retaliation, as well as hundreds of thousands, potentially millions, of individuals affected by the fallout of data being stolen and misused,” says Sergio Galindo, general manager of GFI Software.
Galindo said that usernames, passwords, credit card data, and health records are all exposed.
“Malicious use of this data by criminals can quickly create financial hardship and significant stress for affected individuals,” says Galindo, “while the negative fallout for organizations the data was stolen from can range from loss of reputation to fines, falling sales, and civil and criminal legal proceedings and more.”
Best targets appear to be reachable
From the corporate point of view, added to all these concerns are some other developments on the front lines that drive increasing investments in risk technology.
One minor but illustrative example—it seems that 96% of corporate executives in one survey failed to tell the difference between a real email and a phishing email 100% of the time. This was reported in a joint eBook written by Intermedia and Intel Security.
It’s not that the execs were naïve or uninformed about the dangers of phishing. There’s a new development in the phishing arena, and even in the follow-on phenomenon of spear phishing, in which criminals target specific companies.
The new thing is called “whaling,” in which the targets are specific, high-level individuals in a corporate network. Through social engineering and other means, the crooks are able to leverage personal information regarding an executive to gain access to confidential data that can be exploited for profit.
Such practice, no doubt, has the side effect of putting risk technology investment higher on the agenda of board meetings.
A more obvious generator of risk technology investment is seen in the whole shift to chip-and-PIN card technology, in which the entire industry has to switch by a fast-approaching deadline. The Payments Security Task Force estimates that, in a study of eight financial institutions that represent 50% of total U.S. payment card volume, 63% will contain EMV chips by the end of this year. That should expand to 98% by the end of 2017.
Of course, none of that transition is without cost.
Battle is not yet a rout
There is some indication that, at least for the moment, banks have made some gains against the bad guys.
A Kaspersky Lab report finds that in 2014, cybercriminals used the names of well-known banks in 16% of attacks, compared with 22% in 2013. Meanwhile, attacks on well-known online shopping sites rose to 7% in 2014, from 6.5% the year before.
Surely cold comfort. The war never ends.