As financial services firms continue to innovate, cyber criminals are presented with new avenues of attack – which means cyber security should be a focus for companies from the beginning of app or service development.
Never before have Australia’s banks felt such constant pressure to continually innovate and deliver new products and services for customers, across evolving platforms and multiplying channels.
This, of course, comes with the expectation that they’ll provide instantaneous customer service and support for those new products, services, platforms and channels, all the while maintaining their security and complying with legislation.
This is pushing banks to be more open-minded than ever before – exploring technologies like blockchain, P2P and artificial intelligence, developing iteration after iteration of technology, and often launching into market with a ‘test and learn’ attitude to ensure they’re staying ahead of the competition, including their smaller and more agile competitors.
This thirst for innovation can also provide unending possibilities to improve and streamline internal processes, redeploy staff to higher value responsibilities, and encourage a business culture of agility and continuous improvement.
But as the relationship between new technologies and financial services deepens, so do the threats posed by increasingly sophisticated hackers, potentially leading to growing oversight requirements by regulators.
This tension between innovation, security and compliance will be one of the great challenges for the banks in 2017.
According to BAE Systems’ research released last month, 63 per cent of senior IT leaders in the financial services sector globally said their company had suffered an attack in the past year, and 18 per cent said the cost of that attack was more than $850,000.
Additionally, 14 per cent said they weren’t very confident they could return to business as usual within 48 hours if they suffered another attack.
Bitcoin suffered a reported theft of nearly 120,000 Bitcoin from the Bitfinex exchange last year.
This seriously impacted the alternative currency’s reputation and served as a warning for what can happen when vulnerabilities in new financial technology are identified by the bad guys first.
Advances such as faster payments systems, robo-advisers, P2P lending and automated trading platforms are obvious targets, where not only the exfiltration of customer information or fraudulent transfer of money, but also the manipulation of data, could have dire consequences for account holders, investors, financial institutions and broader financial stability.
In a hyper-connected world, to protect users and maintain confidence in the sector, institutions must focus on future-looking and robust security architecture from the outset.
Rather than viewing security as an impediment, they should see security as a way to speed adoption and build trust with their key internal stakeholders, customers and regulators.
The future of cyber security is about using cloud-based technology, data and intelligence, and machine learning and automation to improve decision-making in real time, enabling speedy outcomes while reducing the burden on strained resources.
The increasingly stark reality of cyber defence is the asymmetric nature of the expense and effort required by the attacker and the defender. An attacker can choose the time and place of their next attack, often after lengthy and detailed reconnaissance, while the defender must protect the entirety of their network around the clock.
Banks of all sizes should consider how to join financial crime and cyber-defence activities more closely.
The Bangladesh Bank heist proved criminals don’t work alone anymore. Here, criminals utilised cyber, fraud and money laundering techniques, and were able to capitalise on the siloed nature of banking teams and law enforcement, who were not sharing intelligence.
Likewise, cyber, fraud and risk teams should not be working alone. The same data that’s important for anti-money laundering transaction monitoring might be the canary in the goldmine identifying a cyber attack, and vice versa.
Data is knowledge, and knowledge is power.
BAE Systems recommends four steps to help financial institutions ensure their innovations are secure:
- Identify potential weaknesses from the beginning and perform thorough stress-testing and scenario-planning;
- Choose cloud-based security technology which scales with the business and can be adapted to suit new technologies and new compliance requirements;
- Use real-time threat intelligence technology to protect against known attacks; and
- Add a final layer of data analytics to identify unknown threats.
Addressing these risks is a delicate balance between protecting the banks’ interests and providing a low-impact user experience.
The need to strongly authenticate clients, detect attacks ranging from man-in-the-middle to man-in-the-browser, and provide non-repudiation of transactions has to be balanced with usability and minimising the overhead to both the end user and bank systems. Security does indeed come at a cost.