Will the next financial crisis be a cybersecurity crisis?

Will the next financial crisis be a cybersecurity crisis?

Recent economic slowdown coupled with widespread geopolitical risk has stoked fears that a recession is looming, which will inevitably invite comparisons with the financial crisis of 2007-08.

To a large extent, the scar that the Great Recession left has kept the financial world on red alert for any kind of recurrence. Just as the present growth has been slow and shallow, its eventual contraction may well be a gradual one, as robust defences are in place to prevent the cataclysmic shock that occurred a decade ago.

Perhaps though a crisis of the scale and damage caused by the subprime mortgage crisis in 2007-08 could be replicated from an unexpected source that the world is not expecting.

Cyber attacks and data breaches have been prominent in the news over the last couple of years, thanks to high-profile breaches at the likes of Facebook, Marriott and British Airways. Given the integral role technology plays in the way we do business and go about our lives, could a cyber attack set the butterfly’s wings flapping on the next financial crisis?

The 2007-08 crisis emanated from severe loss of liquidity in financial markets. With the global financial system reliant on payment companies and other intermediaries facilitating frictionless movement of money from one place to another, one can imagine the damage that could be caused by a major disruption to this.

“We live in a connected world,” says Ed Williams, EMEA director of Trustwave SpiderLabs.

“Something could happen in one part of the world that has huge ramifications on what goes on elsewhere, so the next great crisis could easily originate in cybersecurity.

“I expect though it would be very subtle and difficult to pinpoint.”

Whether it be cybercriminals, rogue nation states or terrorists, there are a large number of highly motivated people who wish to destabilise other parts of the world. It is not in their interests to make their work easily traceable, so will do everything in their power to ensure that it is subtle.

Technical weaknesses

Finance is traditionally one of best performing sectors with relation to cybersecurity, owing to the maturity of the industry and the central role that protecting customers’ data and information plays.

There are still some potential single points of failure, however.

“A lot of money goes through legacy kit,” Williams says.

“Mainframes or network architecture that have been around for a long time still exist within large financial enterprises, and we’re seeing tools and practices that are successful in breaching these.”

The agility of large institutions to fend off cyberthreats is naturally hampered by the sheer size of their networks and systems.

“Large banks could have millions of machine identities across their networks. It only takes one to be forgotten for cybercriminals to take advantage,” says Martin Thorpe, enterprise architect of cybersecurity firm, Venafi.

“Companies often still try and keep tabs on their machine identities manually, with staff logging them in spreadsheets. This is why we continue to see cybercriminals use compromised machine identities to target financial services firms.”

Evolve and adapt

Thankfully though, industry players are fully aware of the potential cyber dangers that could expose these chinks in the armour and are acting accordingly.

“I think when you look at it from a resilience perspective in cybersecurity, the industry is really good when it comes to business continuity,” Karel De Kneef, chief security officer at SWIFT, tells Finextra.

“Businesses are tremendously resilient to the impact that cyber attackers would try to cause.”
Where danger may lie is when banks strike up partnerships with companies in less mature industries, such as e-commerce, travel and entertainment, whose systems and processes are not as robust. Such partnerships will become increasingly prevalent thanks to PSD2, so this is a threat that is likely to gain prominence.

“With any third-party supply chain, I would always want to find out if they’re performing regular pen tests and vulnerability scans, what the results look like and how they’re reacting,” Williams says.

“There’s always software upgrades and patches released, so there’s always new vulnerabilities. Are they adapting to those new threats, because they change and evolve so quickly? It’s always about keeping ahead of the curve.”

People power

Despite the best efforts of cybersecurity teams in ensuring systems are sufficiently protected and resilient to the effects of hacks and breaches, it is people who will always be both the first and last line of defence.

“People are equally as important as processes and systems, and I think it’s important to take a holistic view when it comes to cybersecurity,” De Kneef says.

“If you raise the bar in one area, but leave it a little bit lower in another area, that’s where you will be exposed. We certainly see across the industry that where threats are not dealt with, it is due to a lack of, what we call, ‘basic hygiene’.”

While much vigilance is quite basic and can be mitigated with a good degree of common sense, people should also be wary of the more complex and nuanced attempts that cyber criminals will employ to gain an initiative.

The UK National Cyber Security Centre, a division of GCHQ, claimed in a report this year that it had prevented more than 177,000 malicious phishing attacks that attempted to trick people into disclosing passwords.

“Ultimately when hacks are successful, it’s because somebody has made a mistake or they’ve allowed someone to gain some sort of privilege over them,” Williams says.

“So, they’ve been coaxed into following a link they shouldn’t have done or been pressured into accessing something and have set up a bad password.

“This shows the importance of education and raising awareness when it comes to cybersecurity, and it needs to happen across the board.”

Cybersecurity will be discussed at Money20/20 USA in Las Vegas. Check back here on 27-30 October for coverage from the event.

Jamie Crawley, Reporter, Finextra

Comments: (0)