As the financial world changes, becoming more interconnected and inclusive, the ever-moving target of cybersecurity will continue to evolve. Mitigation will therefore demand a collaborative approach from financial services companies across the industry.
While financial services is generally among the best performing industries in cyber management, it is becoming more interconnected with sectors which do not perform as well. As integration between large, mature banks and smaller fintechs or companies in
retail, travel or entertainment becomes more common, new threats emerge.
Counteracting this, companies of all industries and sizes, including banks, are shifting data storage to the cloud to benefit from the sophisticated security that providers can offer. HSBC, who uses Google’s cloud to store its 100 petabytes of data, for
example, knows that the tech giant can spend a great deal more on its cyber defences.
While the defences provided by Amazon, Microsoft, Alibaba, Google, and IBM are far more secure than those that even a major bank can provide on its own (let alone a fintech start-up) they are not insurmountable and will prove particularly enticing targets
“Cloud providers have suffered breaches though, 2019 gave us some examples of this,” says Steve Holt, partner at EY.
“We expect hackers to really test cloud providers, as they know how much more data is being hosted.”
The cloud market is becoming increasingly consolidated with five providers accounting for over 75% of market share, according to research by Gartner in July last year.
With companies across different industries and sectors so interconnected, it should follow that a collaborative approach is required in order to cope with the evolving threats posed by hackers.
Experts often speak of the need for organisations to take an integrated rather than siloed approach to their cyber management, ensuring robust defence and diligent process is being followed across all areas of an organisation, as hackers will inevitably
detect and exploit weak points.
Across the different siloes of cyber management – systems, processes, people – it is important to keep raising the bar, because leaving it lower in one area leaves a company vulnerable to advanced persistent threats.
Taking this approach and applying it to the financial services industry as a whole, it is important that all participant companies – banks, fintechs, and players from other sectors who are interconnected – meet a high standard to ensure that potential chinks
in the armour can be identified and addressed.
Collaboration between entities like SWIFT and SEPA, the tech giants listed above, and major banks and payment providers like Visa and Mastercard could create a market-wide cybersecurity command centre, to ensure that the bar remains consistently high across
all areas of financial services and all companies involved therein.
“Key to this type of collective action is trust which allows full transparency and central reporting,” says Karel De Kneef, SWIFT’s chief security officer. “Implementing mandatory reporting requirements and reporting timelines would be the first step in
creating an effective market-wide command centre.
“If those setting up a command centre follow these steps and involve the wider community in the process, then a market-wide command centre could be realised. In my view, this would be welcomed as a positive development by both financial and cybersecurity
The method for handling a cyber event
This would also facilitate developing a universal procedure for responding to a cyber event, mapped out and implemented by cybersecurity professionals.
“While IT staff might be able to deal with some events, cybersecurity professionals deal with events on a daily basis and are generally more experienced in this field so they are the best people for the job,” De Kneef says.
“It also needs to involve the business. Cyber resiliency has become a very important element of the cyber framework and it is closely linked to the business.”
De Kneef cites the SANS Incident Handlers Handbook as an example, which includes a detailed process for dealing with cyber events known as PICERL method: preparation, identification, containment, eradication, recovery and capturing lessons.
Preparation includes taking the steps to ensure teams are equipped to handle an incident at a moment’s notice. This of course needs to take place well ahead of time and rehearsed thoroughly so each team member knows their individual roles. This also includes
having in place proper policies, the tools which will be used, and paths of communication to be used.
Identifying involves not only initial detection, but crucially classifying the scope of the incident - gathering information necessary to determine how the incident should be classified.
Containment is aimed at limiting the damage and preventing the event’s extending beyond the initial scope identified.
Eradication and recovery involve the removal of the malicious activity and bringing the affected areas of the business back online. The key to these stages is carrying them out in a controlled manner so as not to create further incidents.
Finally, lessons learned is meant to ensure that identified gaps or issues encountered during the other steps are fixed in the process so as not to allow similar events to occur again.
“Throughout this process, clear, transparent and timely communication with all stakeholders is key,” De Kneef sums up.
“Generally speaking, if you follow these steps your chances of dealing with a cyber event successfully increase significantly.”
Initiatives in ethical hacking
Of the steps above, it can be argued that preparation is the most important: prevention would almost certainly be preferable to mitigation. This is where increased use of ethical hacking and regulatory initiatives facilitating it is crucial.
Penetration testing has been around for many years. Initially starting in the UK with CBEST, the Prudential Regulatory Authority-driven red-team testing was aimed at proving that the attackers could breach cyber defences with the right threat intelligence
and tools, to demonstrate where there were weaknesses to address.
This has been mirrored by other initiatives, such as ICAS, implemented by Hong Kong Monetary Authority and TIBER-EU by the European Central Bank.
These programmes allow ethical hackers to attack a network in a controlled environment, testing cyber defences and the company’s procedures in live conditions. This helps identify gaps in the tactics, techniques and procedures of responders, rather than
having them find these out the hard way.
“They also ensure that organisations don’t bury their head in the sand and assume everything is okay. Instead, they are forced to continually improve their defensive and response capabilities,” De Kneef adds.
What this should lead is a more agile and nimble approach from businesses adjusting their approaches and developing their methods to dealing with hackers’ attacks.
As well as having the ‘red team’ attacking an organisation to find weaknesses in its defences, there is an internal ‘blue team’ looking to see how the cyber team is reacting and what is changing. This makes the processes of attacking and defending more joined-up
and helps better integrate detection and remediation.
“This should better inform organisations how the methods of attackers flow into cyber remediation projects,” says Steve Holt.
“It should tell them how quickly they are starting to fix problems and joining up the different steps in handling a cyber event.”
Ultimately, defenders are always playing catch-up with attackers. However, red teaming, facilitated by initiatives like TIBER-EU, coupled with internal blue teaming, may allow organisations to minimise this disadvantage.
Cybersecurity a key topic to be discussed at EBAday, the Euro Banking Association's annual conference in partnership with Finextra. European banks, fintechs, and payment providers will gather to explore changes in the industry to develop an open dialogue
across key industry players.
Register here for EBAday at The Hague, Netherlands on the 25-26th November, 2020.