The financial services sector has been experiencing widespread digitisation for several years, but the pandemic has suddenly forced financial institutions all over the world to step up their digital pivot in order to continue offering seamless services to their clients. In turn, this has widened the scope for cyber risks and financial crime. When it comes to cybercrime, humans are more vulnerable to exploitation than machines. Together with leading cyberpsychologist, Professor Mary Aiken, Standard Chartered has recognized the importance of Safety Tech, to protect people online and to create cyber situational awareness within the financial ecosystem, positioning the sector for longer-term sustainability.
The emergence of SafetyTech
Cyber-security at financial institutions (FIs) is about more than just protecting computers. Protecting data, networks and systems is vital, but it is equally important to protect the people who use the systems from online harm. People are arguably one of the most vulnerable parts of the security equation. Protecting people in cyber contexts requires understanding not only those who are attacking the institution, but also the people financial institutions serve and employ.
What is the difference between cybersecurity and cyber safety - according to Prof. Aiken "its binary, cybersecurity focuses on protecting data, cyber safety or 'SafetyTech' focuses on protecting people."
A new sector, the online safety technologies or 'SafetyTech,' which complements the existing cybersecurity industry is gaining prominence. Prof Aiken emphasizes that "cybersecurity traditionally focuses on protecting data and information from cyberattacks, Safety Tech focuses on protecting people from psychological risks, harms and criminal dangers online -from mis information to online harassment." She points out that "It is critical that networks and systems are robust, resilient and secure however, it is equally important that people are psychologically robust, resilient, secure and safe in cyber contexts." SafetyTech describes the emerging online safety technologies sector which delivers solutions to facilitate safer online experiences, and to protect users from harmful content, contact or conduct, protecting users from everything from misinformation to online harassment.
To take one example, Standard Chartered uses safety technology to block access to certain websites and dark net platforms.
“By working with safety tech, we can now better understand the criminality of the networks that we're dealing with, and how we can get under their skin and put up defences to prevent abuse of our systems and our clients," said Patricia Sullivan, Standard Chartered’s Managing Director and Global Co-Head for Financial Crime Compliance, speaking at our Correspondent Banking Academy Masterclass on 10 November. “By understanding SafetyTech, you can better protect and or respond to ransomware attacks and offer more digital banking and ensure that it’s safe and that your communities can trust that they can use it.”
The COVID-19 pandemic has changed how we live, accelerating FIs’ digital pivot and multiplying associated risks. According to INTERPOL, the pandemic has seen criminals shift to targeting major corporations and governments and propagating fake COVID-related news. In one month, one country reported 290 postings of such fake news, with the majority containing concealed malware.1 In this context, "SafetyTech is not an invention; it's a catch-up,” explained Professor Mary Aiken, a world leading expert in Cyberpsychology who has done extensive pioneering work in this new field, and a guest speaker at the Standard Chartered masterclass. “Online safety technologies or SafetyTech ensures that the levels of assurance we expect in the real world are matched in cyber-contexts.”
SafetyTech for institutional resilience
SafetyTech aims to ensure that humans are resilient and secure when interfacing with technology. To this end, Professor Aiken said that financial workers should be trained to have increased cyber-situational awareness and trained to become more aware of their “digital exhaust,” that is, the identifiable traces people leave on the Internet, for instance on social media. Professor Aiken recommended that in order to develop cyber-situational awareness and to check out your digital footprint, you should search yourself often, and when you do this, use a private window or incognito mode option. Personal information attained online facilitates a range of cybercrimes from socially engineered attacks, to identity theft and cyber fraud.
“Basically you need to think like a profiler, be cognizant of your digital exhaust and develop cyber situational awareness,” said Professor Aiken.
Professor Aiken suggested multiple levels informed by the online safety technologies taxonomy2 whereby FIs can implement SafetyTech:
- At the system level: Removing illegal content such as that linked to child sexual exploitation, terrorism and other serious crimes.
- At the platform level: Tackling potentially illegal content or conduct, such as hate crime, or harassment, coercive behaviour and intimidation.
- At the device or endpoint level: In the form of user-initiated protection, applications and products that can be installed on devices to help protect the user from harm. Network filtering can actively filter content, black-listing or blocking harmful content. SafetyTech methodologies that are particularly important given pandemic induced surge in remote working.
- In the information environment: Flagging content with false, misleading and harmful narratives, through fact-checking and disrupting disinformation (e.g. by tagging trusted sources and building confidence in them).
- Via online professional safety services: Through training for increasing psychological resilience, cyber situational awareness and cyber safety practices, along with research frameworks and methodologies for auditing, evaluating or mitigating potential harms. In addition, advisory support for implementing technical solutions, enabling the development of safer online communities by embedding safety-by-default.
Human behaviour can change in cyber-contexts, Professor Aiken noted, due to powerful psychological drivers such as the Online Disinhibition Effect, compounded by anonymity afforded by the Internet. Behavioural evolutions, coupled with the 24/7 'always on' nature of digital services, along with the profusion of communication channels, has increased the risk of vulnerability to cybercriminality, and has expanded the potential attack surface. Professor Aiken is working on the development of a SafetyTech service in the form of 'cyber-psychometric' testing, that would be of particular relevance in terms of tackling Insider threats, bottom line she says, "you need to know who your employees are in the real world, and you need to know who they are online."
Prof. Aiken points out that on the dark web (i.e. that part of the internet which is invisible to search engines and can only be accessed with dedicated browsers), insiders can sell access to their employers’ confidential systems, they can also be recruited by sophisticated threat actors. Understanding the motivation of insiders who have the potential to cause damage – whether disgruntlement, revenge or outside influence – is crucial to identifying and preventing it.
Safety tech for financial inclusion and sustainable development
The impact of implementing Safety Tech goes beyond protecting institutions and businesses and has broader societal implications. One key to achieving the UN’s Sustainable Development Goals is extending financial services to unbanked people.3 SafetyTech can help to build the trust of the unbanked in digital banking, while preventing them being exploited by unscrupulous third parties, for instance those that overcharge migrant workers for remitting money to their families.
To date, much of the cyber-safety discussion on the societal level has focused on protecting children and teenagers. "We don't really see the same focus when it comes to vulnerable adult populations," Sullivan noted. But in many cases, it is urgently needed.
"At our bank we have a strategy to provide microfinance to women in need in vulnerable populations, as well as certain countries where additional economic support is needed, for instance to combat corruption,” Sullivan explained.
“In those populations there's a lack of feeling of safety when on the internet. Women most definitely tend to be more targeted when using the internet. Some countries also lack the same protections around freedom of communication. SafetyTech can come to the rescue and really shore-up the digital products we're offering. We want our clients to feel that they are not going to be victimised when accessing our digital banking platform."
To date, Standard Chartered is the first, and to the best of our knowledge, the only financial institution to recognise the importance of Safety Tech from both a financial crime compliance (FCC) perspective and as a means of building long-term resilience. SafetyTech speaks to the bank’s three Sustainable Agenda Pillars: Sustainable Finance, Responsible Company, and Inclusive Communities.
As Heidi Toribio, Standard Chartered’s Global Head for Financial Institutions, Corporate & Institutional Banking, pointed out: “SafetyTech supports sustainability goals concerning health and wellbeing, quality of education, gender equality, economic growth, and our ability to build partnerships to support these goals.”
By ensuring that people are just as well protected from cyber-threats as are machines and data, FIs can promote the sustainable financial inclusion of those who need it most, while at the same time shielding their employees from harm.
Essentially safety tech ensures a focus on People risk and vulnerabilities and is another dimension to cyber leadership that is critical in the fight against cyber risk and cybercrime,” concluded Sullivan.
1 Interpol, "INTERPOL report shows alarming rate of cyberattacks during COVID-19", INTERPOL News, 4 August 2020, https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19
3 UNCDF, “Financial Inclusion and the SDGs”, https://www.uncdf.org/financial-inclusion-and-the-sdgs