On the frontline against cyber crime

Cyber security is a growing problem as the frequency and diversity of attacks continue to increase. While many attempts are rebuffed by existing defences, the number of successful recent attacks has elevated cyber security to a critical risk that is beginning to feature regularly in C-Suite strategic discussions.

Regulations, standards, technology development and the implementation of best practices all help mitigate cyber breaches, but they can never eliminate the risk totally. This constantly evolving threat requires new thinking and a new approach.

Professional cyber crime

The proliferation of tools and expertise is giving rise to new professional, corporate-style cyber-criminal organisations which pose a different threat to anything we have seen before, and to which financial institutions have to be increasingly alert.

“We have seen an increase in gangs or small criminal cells exchanging cyber attack tools and malware over the dark net. These tools are widely available and can be acquired cheaply. Historically, criminals viewed cyber attacks as being too hard to perpetrate, but this has changed now that they are able to obtain tools and technical know-how easily and inexpensively. The acumen required to launch cyber attacks today is not that sophisticated,” said Cheri McGuire, Group Chief Information Security Officer at Standard Chartered.

In such an environment, it is inevitable that attacks are on the rise. The Cyber Security Breaches Survey 2016 found that 65% of large UK firms detected a cyber security breach or attack in the previous year.[1]

In the last few months, ransomware and malware have caused enormous business disruption. In May 2017, the UK National Health Service (NHS) was severely disrupted by cyber criminals, while in June 2017 hackers targeted institutions across 64 markets.

Industry and infrastructure in every sector are affected, and the systemic importance of banks and their fundamental role of being entrusted with customer and institutional assets make them a primary target for hackers.

Securities Services: On High Alert

Financial institutions reported just five incidents to the Financial Conduct Authority (FCA) during the whole of 2014, compared to 75 in the first nine months of 2016.[2]

Within the industry, the securities services sector received a huge shock following the breach at Bangladesh Central Bank, when USD81 million was stolen by criminals who used the Bank’s credentials to obtain SWIFT access and established fraudulent bank accounts to receive and transfer misappropriated funds.[3]

The theft of assets is extremely serious, but a sustained and powerful attack on securities services could bring even greater disruption to capital markets, through data corruption or manipulation; disruption to clearing and settlement; or by flooding the network with spurious instructions preventing clients from instructing their agents.

Protecting the industry requires close collaboration between financial policy makers, regulators, standards organisations and industry participants.

Industry responses to cyber crime

Cyber threats are fluid and are becoming increasingly advanced and sophisticated. Recognising this, regulators are wary of introducing prescriptive legislation which will become obsolete within a few years or even in a few months’ time. “Prescriptive regulation will solve yesterday’s problem, but it will not solve tomorrow’s problem,” said Nick Seaver, partner at Deloitte’s UK Information and Technology Risk Group.

Where regulations do apply, they are unlikely to be the same across jurisdictions. Inconsistent or divergent applications of cyber regulation create other problems for global organisations, as they must implement different solutions on a per-market basis, creating complexity and therefore risk. It can also increase the likelihood of criminals identifying weak spots to wreak harm on businesses.

Many believe that a better approach is the adoption of global standards such as the ISO 27000 series, the National Institute of Standards and Technology (NIST) principles and CPMI IOSCO guidance, with more industry collaboration and sharing of best practices.

Internal Responses

Together with the industry responses, financial firms are building stronger security cultures, developing closer collaboration between in-house information security teams and senior management, to help develop security policies that are both expert and authoritative.

As part of building a strong cyber awareness, firms have been educating technical and non-technical staff about the risks of phishing and other forms of social engineering for the last few years, and many have a disciplinary framework in place for those who are casual about the risks.

However, the lack of diversity in cyber teams has given rise to much discussion. Diversity drives at least two key benefits: helping to improve the quality of our thinking and helping to bring more people into the fight against cyber crime.

With regard to better performing teams, Patrick Wheeler, a leading cyber security consultant, makes the case for more diverse groups as follows: “The cyber realm is usually occupied by males over a certain age with a similar technical background. There is a low degree of diversity and with it, cognitive diversity. Hiring more women with the same background as those males is not necessarily going to change things. It is critical that not only more women, but also ethnic minorities and persons with different skill sets and personal backgrounds, are introduced into the world of cyber to grow our cognitive diversity.”

Diversity is also key to plugging the enormous talent gap in the cyber security industry.

Cybersecurity Ventures said there were an estimated one million cyber job openings in 2016, pointing out that 209,000 cyber roles lay unfilled in the US.[4]

Cyber roles at organisations globally are overwhelmingly occupied by males. In APAC, for example, women comprise just 10% of cyber roles.[5] The training and recruitment of women who are already working into those roles would open up a new talent pool to help meet urgent demand.

“The cyber security industry is at negative employment and global leaders in the US, UK, India and other nations have talked about the shortages of expertise in this domain. If institutions want to be able to protect and defend their infrastructure, they need to find the right talent. This is a priority agenda item for many CEOs and government leaders,” commented McGuire.

Educating children at an earlier age about cyber and encouraging interest in science, technology, engineering and mathematics (STEM) subjects is another way to attract more people into cyber roles, and this could help redress the talent dearth both now and in the future.

Conclusion

The rising threat of cyber crime requires organisations to reconsider their operational processes. In the short term, this will oblige organisations to improve intra-business unit communications, accelerate industry-wide collaboration and implement diverse hiring practices. A longer-term objective will be to widen the talent pool available for cyber roles by supporting cyber education initiatives to bring diverse new talent into the industry both now and in the future.

Standard Chartered is a leading bank providing clients with an unsurpassed level of securities services. Click here for our recent white paper on Strengthening responses to cyber crime in financial services.

[1] Klahr, Rebecca, Sophie Amili, Jayesh Navin Shah, Mark Button and Victoria Wang. “Cyber Security Breaches Survey 2016.” GOV.UK, May 2016. [Online]

[2] “Cyber attacks against UK financial industry on the rise – FCA.” Financial Times, 21 September 2016. [Online]

[3] “SWIFT action: Preventing the next $100 million bank robbery.” PwC, June 2016. [Online]

[4] Morgan, Steve. “Cybersecurity jobs report.” Cybersecurity Ventures, 2017. [Online]
