Now, more than ever, it is time to up-end everybody’s approach to cybersecurity.
It is time to rethink, retool, and reinforce defenses, approaches, and culture in order to combat bad actors.
Of course, they are already rethinking, retooling, and reinforcing.
Trends show clearly that as financial services’ technological capability continues to spiral breathlessly upward, so do the threats, in numbers, intensity, and innovation.
Future’s all of a piece
This point is made clearly and cogently in an essay by Tom Patterson, chief trust officer for Unisys, published on the Financial Services Roundtable website.
“In our minds, we are painting a wonderful picture, where machines perform our tasks better, faster, and cheaper than humanly possible,” he says. “But make no mistake: The future of fintech and cybersecurity are interlocked, for without advances in cybersecurity, those same machines can destroy everything we’ve built.”
Patterson means it. He goes on to suggest a future based on lost faith in banking records. He sees this potentially progressing from not being able to tell “a crook from a president,” to third-party actors cutting global financial interconnectivity, to entire governments or terrorists targeting vital interests.
In short, it would be pretty bad.
2017: Year of the threat
A recent, unscientifically gathered but sobering collection of reports addressing cyber threats and how they are evolving indicates, anecdotally at least, what financial institution decision makers will have to cope with in the coming year. This includes both evolving threats and evolving responses.
Email encryption—Email encryption is a critical or very important business priority for 53% of organizations, despite only being used extensively by 40% of organizations, according to a survey for Echoworx by Osterman Research. When asked why its use is not more widespread, 53% said it was “asking too much of the email recipients.”
“Despite the necessity of encryption and the benefits it offers, there is still the common misconception that the technology is suited for only the technically savvy,” says Jacob Ginsberg, senior director at Echoworx. “The challenge in the security industry today is that despite the ever more complex threat vector, solutions must remain dead simple to use.”
Dearth of talent—More than half (57%) of 147 IT security decision makers and influencers surveyed by Osterman Research for Trustwave say finding and recruiting IT talent are their biggest challenges. On top of this, only one in nine have security staff with skills to enable them to deal with future security demands.
“The shortage of staff able to solve complex security issues is an industry problem that continues to worsen, but the way organizations are going about filling this void is all wrong,” says Chris Schueler, Trustwave senior vice-president.
Schueler explains that the usual methods of recruiting are not producing what’s needed.
“Yet we keep seeing enterprises simply throwing bodies at the problem when what is really needed is better staff training, more budget support to hire the right personnel, and additional assistance from experienced third-party experts, ” Schueler says.
Artificial intelligence—Late last year Mastercard introduced “Decision Intelligence” as a comprehensive decision and fraud detection service. The company explains that this “takes a broader view in assessing, scoring, and learning from each transaction.
That score then enables the card issuer to apply the intelligence to the next transaction.” In other words, it examines how a specific account is used over time to detect normal and abnormal shopping spending behaviors. In doing so, it leverages such account information as customer value segmentation, risk profiling, location, merchant, device data, time of day, and type of purchase made.
While Mastercard promotes this as mainly a way to ease legitimate customer pain points caused by false declines, it acknowledges that artificial intelligence can deliver an enhanced fraud score for every transaction, often in real time.
Internet of things—Juniper Research estimates that the installed consumer IoT base will reach more than 15 billion units by 2021, an increase of 120% over 2016. Its report notes that the use of botnets, which make use of all these connected devices, could only increase the likelihood and severity of distributed denial of service attacks. In October, such a scenario combined to hamper the operations of Dyn, a New Hampshire cloud-based internet performance management company.
“Attacks such as those on Dyn last October can be viewed as proof of concepts,” says Steffen Sorrell, researcher at Juniper. “In the medium term, botnets will be used far more creatively—not only to disrupt services, but also to create a distraction enabling multi-pronged attacks aimed at data theft or physical asset disruption.”
Increasing online spending—ACI Worldwide concluded that fraud and general online retail growth each increased substantially during the 2016 holiday season—fraud attempts up 31%, and transactions up 16%, compared with the previous year. It suggests that the trend will only grow.
“Over the 2016 holiday shopping season, merchants experienced significant growth in their digital channels, coupled with a substantial increase in fraud,” says Markus Rinderer, senior vice-president at ACI Worldwide. “Given the consistent and alarming uptick in fraudulent activity on key dates, merchants must be proactive in their efforts to identify weak points—and define short- and long-term strategies for improved security and enhanced customer experience.”
Electronic payments and invoicing—TD Bank’s Treasury Management Survey found that more than one third of treasury and financial professionals have heightened awareness of the growing risks of fraud and cyberattacks, even as they embrace a shift to digital platforms.
“The transition to electronic receivables and payables can improve organizational efficiency and reduce costs in financial departments, but these moves do create additional organizational risks,” says Rick Burke, head of Corporate Products and Services, TD Bank.
Burke says that there are numerous benefits to automating these processes. “Companies need to work with a trusted partner that will provide tools and insights to help them to protect their data, transactions, and company assets,” he says.
Insider threats—A global survey by Kroll, a risk solutions provider, found that 82% of executives say their company suffered a cyber incident over the past 12 months. Six out of ten of those from victimized companies say the criminals included current employees, former employees, and third parties. Junior staff accounted for 39%, senior or middle management accounted for 30%, and freelance or temporary employees accounted for 27%.
“With fraud, cyber, and security incidents becoming the new normal for companies all over the world, it’s clear that organizations need to have systemic processes in place to prevent, detect, and respond to these risks if they are to avoid reputational and financial damage,” says Tommy Helsby, co-chairman, Kroll Investigations and Disputes.
Lots more trouble to go ‘round
There are other examples of the sheer breadth of threats facing the industry—such as the persistence of phishing and general lack of understanding of it, detailed in a survey by Wombat Security—as well as new tools to proactively deal with threats—such as improved use of analytics, as suggested by the SANS Institute.
But back to Patterson’s essay. He cites these key areas in which changes to the current approach are necessary:
1. Cyber governance: “Today’s financial governance is led by a combination of corporate boards and government regulators. In both cases, the lack of deep cyber security acumen of the majority of members is a roadblock toward building a more secure future.”
2. Trusted security partnerships: “The financial community is borderless … The security of the global financial system is too important to leave up to one company, or one country.”
3. Distributed trust infrastructures: “Blockchains will allow users to skip a trusted third party like a bank or a brand … But blockchain is simply the technology that drives a future of peer-to-peer transactions. It will still take trust in the algorithms, trust in the implementations, trust in the security, and trust in a new infrastructure.”
4. Advanced security technologies: “Security technologies are advancing faster than the rest of the infrastructure, due to the advancement of our adversaries.”
All of which comes down to what was written at the outset of this blog: It is time to rethink, retool, and reinforce defenses, approaches, and culture.
Sources for this article include: