No longer occupied by the need to hunker down and safeguard their systems in a period of disruption, now is the time for banks and fintechs to take a proactive approach to cybersecurity.
While the pandemic increased the time we all spend online and expanded the proportion of our lives that we could run from our phones, it forced many businesses to be reactive in terms of their systems and cybersecurity. Now, as the world moves into a new reality, there’s an opportunity to rebase, and to enter a proactive phase in the continuous battle against cybercrime.
“Let’s start looking ahead again,” says Adam Munro, Director of Cyber-Financial Intelligence (CyFI) at Standard Chartered. “Attackers seem to be using new techniques for new types of vulnerabilities, and you don’t know until they’re discovered that they’ve been exploited by an attacker for months. We’ve had a period now, because of the social upheaval from COVID, where we’ve been trying to play catch-up.”
The pandemic increased the attack surface available to cybercrime by forcing more people online and accelerating business adoption of fintech technology.
This created yet more opportunities for cybercriminals, who are always agile, and left a huge number of organisations playing catch up – migrating online and trying to backfill controls. It also laid bare the deficiencies of many cyber toolboxes and underscored the strengths of others – opening up a gap between those organisations that were ready to tackle advanced cyber-related criminal activity, and those that weren’t.
An acceleration in cybercrimes
As people around the world took to the internet to work, shop, bank and connect with others, demand for internet access soared along with global data consumption. Some telcos carried as much as 60 per cent more data on their networks than they did before the crisis, a PwC report1 revealed. According to KnowBe4, a security awareness provider, email attacks related to the coronavirus were up 600 per cent during the quarter that ended March 30, 2020.
Banking and financial institutes are 300 times more at risk of cyberattack2 than other companies, research from Boston Consulting Group found. At the same time, it is a sector with high digital penetration: 96 per cent of 27,000 consumers surveyed in 27 global markets3 were aware of a fintech transfer or payments service, and three-quarters had used one, EY’s most recent fintech adoption trends survey shows.
On the defensive
And many of those organisations weren’t ready for the rapid increase in digital uptake, giving cyberattackers a first-mover advantage that they quickly capitalised on.
That left many ill-prepared, with COVID-19 uncovering shortcomings in the digital capabilities of almost 80 per cent of the institutions surveyed by Deloitte.4 Nearly all of the 200 senior banking and capital markets executives that responded said their institutions are already implementing or planning to accelerate digital transformation of services to maintain operational resilience over the next six to twelve months.
“It’s been very reactive,” says Mr. Munro. “The pandemic created a period where there has been a lot of implementation followed by remediation and that’s storing up a longer-term problem. From a cyber-financial intelligence perspective, the focus now needs to be on how best to deter future attacks and on anticipating what’s coming next.”
Fintech in the spotlight
Banking, finance and fintech shoulder a huge responsibility as gatekeepers and guardians of trust, Mr. Munro says, since everyone has an expectation that they will be able to bank online securely, while criminals are constantly looking to insert themselves into the chain.
Additionally, there’s a tension between introducing new functionalities at a rapid pace to meet consumer demand, and embedding the right checks, controls and balances. Regulators want to see innovative products that have inbuilt capability to anticipate and thwart cyber threats.
To help address this, at Standard Chartered we set up our Cyber Financial Intelligence Unit (CyFI) to guard against abuse of the financial system. Going beyond a cyber-threat intelligence function, this unit builds cyber toolboxes that are crucial for tackling advanced cyber-related criminal activity.
It pairs technologies such as blockchain with traditional techniques for tracking criminals – including information sharing, collaboration and following the money – and highlights how combining the two approaches is imperative for success. In this way, CyFI plays a proactive role in identifying, mitigating and disrupting financial crime.
Taking charge of cybersecurity requires buy-in from the board down. Embedding awareness throughout the organisation is paramount and is, in part, about instilling the idea that it’s not just a responsibility for the IT team, but for every employee.
In the same way, customers should be seen as an extension of your organisation and should be educated and supported too.
“The pandemic exposed where businesses hadn’t embedded security measures or been able to bring together expertise from across their organisation to consider cyber as more than just a technical issue,” says Mr. Munro. “That underlines how important it is for cyber to be part of the culture and for this to come from the board down.”
Expanding our practices, Standard Chartered developed a cross-functional working group during the pandemic to explore the end-to-end cyber issues and support clients. We continue to invest in our information and cybersecurity capabilities, strengthening them to meet the additional requirements brought by COVID-19.
It’s important not to depend on technology or the latest tooling alone; the basics are a core building block, such as critical security controls and a culture of shared responsibility.
Find the gap
With cybercriminals becoming increasingly sophisticated there is no room for complacency. All organisations should be constantly identifying potential holes in their security and working out how to plug them.
Wargaming can be an effective approach but it’s important to look beyond technical teams. Employees in security-critical positions should know who to contact – and how to make contact – if systems are compromised. It’s also important to include customers and clients in cyber crisis planning, putting processes in place for them to access their money in times of disruption.
The human is an important element and is still often overlooked. Technical controls don’t have all the answers and there is a lot of education with clients needed to build an end-to-end response.
Fintechs have a unique opportunity to embed cybersecurity and create this culture, because they are building things from the ground up. Anonymised sharing of data and effective use of technical indicators can help uncover a potential attacker’s reconnaissance activity and prevent an attack before it even begins.
“Trust is so important for any company,” says Mr. Munro. “So fintechs, and all companies, should see cybersecurity as an opportunity to earn trust, strengthen customer relationships and build brand reputation. Don’t look for the lowest minimum standard; in the long term those that invest in it and aspire to the highest standards will be the most successful.”