Cybercrime is having a good year. It's been steadily rising up through the ranks, and according to PwC is one of the most commonly reported crimes in the financial services sector. It comes in many forms – phishing, pharming, social engineering, whaling, trojans, hacking, mules, back door attacks, carding, and cyber terrorism to name just a few – and is a main focus for Sibos.
Financial services is a playground for cybercriminals. There's so much opportunity, so many different ways in and so much to gain. It takes a company on average 146 days to even realise a cyber breach has taken place. Why is the response so slow, and why is financial services so vulnerable as an industry? There are a variety of reasons, but here are three critical ones I'd like to address.
First, many banks are still underestimating the risk. Less than 40% of economic crime in financial services was reported as cybercrime, according to PwC, because financial services haven't always identified and logged the cyber element of an incident. This has given banks an inaccurate picture of their true risk. Second, the internet wasn't designed to protect us. It was designed for information sharing with openness and redundancy, not security. And third, while both the volume of data and the number of data sources have been increasing, not only have old technology platforms reached their limits, but even existing SIEM tools lack the ability to identify patterns in real time or take preventative measures.
Cybercrime is now an established business risk – not just a technical one – that requires a co-ordinated business response:
Education at All Levels: The problem is too big and pervasive to remain relegated to the domain of the IT department. Banks need to educate all levels of employees about cyber threats and the different types of cybercrime. (The majority of internal cybercrime is typically committed by junior staff or middle management.) HR can play a strong role in this context of education. All employees should be trained for compliance, which also enables financial institutions to provide evidence of such training to regulators. This should be done at every level.
Culture and Controls: Take a closer look at your controls and processes, particularly your business-as-usual cyber-risk process controls, and the culture that supports them. Make sure you're able to flag, identify and prevent changes that may be inconsistent with set security policies, and monitor, for example, unauthorised changes to settings or any profile changes to sensitive user IDs. Your cybersecurity governance must be enforced consistently and proactively, and it starts with the processes. You also need to focus your efforts on where the most important data resides. Analyse and correlate context across logs and systems, rather than only looking for the threats you expect.
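As an added example of the kind of cross-log correlation described above (this is illustrative code, not the author's or any vendor's tooling), the script below joins a constructed identity-audit log against a constructed change-approval record and flags every profile change to a sensitive user ID that is not backed by a timely approval. The log formats, user IDs, ticket numbers, the set of sensitive IDs and the four-hour approval window are all assumptions made for the example.

```python
"""Correlate identity-audit events with change approvals to flag
unauthorised profile changes to sensitive user IDs.

Added example, not the article's code. Log formats, user IDs, ticket IDs
and the policy values below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: IAM audit log, one event per line.
# Assumed format: <timestamp> <actor> <action> target=<id> field=<name> old=<v> new=<v>
IAM_AUDIT_LOG = """\
2024-03-04T09:12:05Z alice.ops PROFILE_CHANGE target=svc-swift-gw field=role old=operator new=admin
2024-03-04T09:40:11Z bob.hr PROFILE_CHANGE target=jdoe field=department old=ops new=treasury
2024-03-04T11:02:47Z svc-batch PROFILE_CHANGE target=svc-swift-gw field=mfa_enforced old=true new=false
2024-03-04T12:30:00Z carol.sec PROFILE_CHANGE target=treasury-approver field=role old=approver new=admin
"""

# Constructed sample: change-management approvals, one per line.
# Assumed format: <ticket> <approved_at> target=<id> field=<name> approver=<who>
CHANGE_APPROVALS = """\
CHG-1001 2024-03-04T08:55:00Z target=svc-swift-gw field=role approver=secops.lead
CHG-1002 2024-03-03T20:00:00Z target=treasury-approver field=role approver=secops.lead
"""

# Assumed policy: changes to these identities must be covered by an approval
# for the same target and field, granted no more than APPROVAL_WINDOW earlier.
SENSITIVE_USER_IDS = {"svc-swift-gw", "treasury-approver"}
APPROVAL_WINDOW = timedelta(hours=4)


@dataclass(frozen=True)
class ProfileChange:
    ts: datetime
    actor: str
    target: str
    field: str
    old: str
    new: str


@dataclass(frozen=True)
class Approval:
    ticket: str
    ts: datetime
    target: str
    field: str
    approver: str


def _kv(tokens):
    """Turn ['target=x', 'field=y'] into {'target': 'x', 'field': 'y'}."""
    return dict(tok.split("=", 1) for tok in tokens)


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_audit_log(text):
    """Parse PROFILE_CHANGE events; other actions are ignored."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, *rest = line.split()
        if action != "PROFILE_CHANGE":
            continue
        kv = _kv(rest)
        changes.append(ProfileChange(_parse_ts(ts), actor, kv["target"],
                                     kv["field"], kv["old"], kv["new"]))
    return changes


def parse_approvals(text):
    approvals = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ticket, ts, *rest = line.split()
        kv = _kv(rest)
        approvals.append(Approval(ticket, _parse_ts(ts), kv["target"],
                                  kv["field"], kv["approver"]))
    return approvals


def find_unauthorised_changes(changes, approvals,
                              sensitive=SENSITIVE_USER_IDS, window=APPROVAL_WINDOW):
    """Return one (change, reason) pair per sensitive-ID change lacking a timely approval."""
    alerts = []
    for ch in changes:
        if ch.target not in sensitive or ch.old == ch.new:
            continue  # outside policy scope, or a no-op change
        matching = [a for a in approvals if a.target == ch.target and a.field == ch.field]
        # An approval counts only if it was granted before the change and within the window.
        timely = [a for a in matching if timedelta(0) <= ch.ts - a.ts <= window]
        if timely:
            continue
        reason = ("no approval on record" if not matching
                  else f"approval {matching[-1].ticket} outside {window} window")
        alerts.append((ch, reason))
    return alerts


def run_sample():
    """Correlate the constructed samples; returns the alerts for inspection."""
    return find_unauthorised_changes(parse_audit_log(IAM_AUDIT_LOG),
                                     parse_approvals(CHANGE_APPROVALS))


if __name__ == "__main__":
    for ch, reason in run_sample():
        print(f"ALERT {ch.ts:%Y-%m-%dT%H:%M:%SZ} {ch.actor} changed "
              f"{ch.target}.{ch.field} {ch.old}->{ch.new}: {reason}")
```

On the sample data the role change to svc-swift-gw is covered by CHG-1001 and stays quiet, the change to jdoe is out of scope, while disabling MFA on svc-swift-gw (no approval at all) and the treasury-approver role change (an approval that is over sixteen hours old) both raise alerts. The point of the window check is that "an approval exists somewhere" is not the same as "this change was authorised"; the correlation has to carry the timing context from both sources.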
Technology and Holistic Approach: Put a modern technology platform in place that's capable of taking a holistic approach to cybercrime. This combines a variety of defences, including business operations, management oversight, and independent audits with sophisticated compliance analytics able to predict and react before anything happens. It's worth remembering that knowledge is power, whether it's coming from your own internal analytics or from co-ordination and co-operation with other financial institutions.
Earlier this month, I read an article in the Wall Street Journal about eight of the largest US banks teaming up to tackle cybercrime. This sort of cross-industry collaboration will become increasingly common as the threat of cybercrime continues.