Cyber-attacks destroy the trusted relationship with customers and partners, the lifeblood of financial services. The industry is also behind the curve when it comes to adapting to the changes in working practices and consumer behaviour, driven by rapidly evolving smart devices.
Table of contents
Change with the times
Next-generation threats
BYOT—an expectation, not a privilege
Cyber-attack risks continue to rise
New attacks are coming—get prepared
Technology used to cope with coming threats
Identity is everything
Threat detection and attack analysis are evolving
Compliance and governance is essential
Playing field getting leveled
About the author
Viewpoint paper | Cyber crime is wreaking havoc
Financial services are getting squeezed by massive social and technological changes, and by the need to modernize. Combine that with the growth and sophistication of cyber crime, and it is time to fight back and level the playing field with a strong security policy.
Change with the times
Banking executives are aware of the cyber threats directly impacting financial services, and of the erosion of trust that such attacks invariably entail.

They are also aware of the dramatic changes happening in IT infrastructures, and of consumer-driven tech trends such as bring your own technology (BYOT); these are forcing them to rethink much of what they have practiced over the last 20 years.

While these trends are happening now, what follows in the next 10 years is likely to be even more disruptive. Many sectors are already preparing for the future, but is the financial services industry (FSI) in danger of being overwhelmed by its ingrained technological conservatism, particularly when it comes to security policy?
Next-generation threats
Cyber attacks that steal money or intellectual property, or that are launched for political ends, can destroy trusted relationships with customers and partners, which are your lifeblood.

Banks, understandably, still rely on keeping large parts of their organizations behind firewalls, much as they still prefer gigantic headquarters buildings to give an assurance of trust, reliability, and permanence.

Appearances can be deceptive, and old-school defences can give a false sense of reassurance: a perimeter firewall says nothing about what an attacker can do once a single endpoint or set of credentials inside it has been compromised. A continued reliance on centralized, mainframe-centric network architecture reduces flexibility when dealing with next-generation attacks.

At the same time, it puts financial institutions at a disadvantage as they try to adapt to fundamental changes in working practices and consumer behavior, driven by rapidly evolving, always-connected smart devices. By not adapting, they will lose out to rivals that learn how to securely embrace the change for customers and employees, and to innovative new FSI entrants that have already disrupted their own sectors, such as retail.
BYOT—an expectation, not a privilege
In other industry sectors, BYOT is no longer seen as a privilege. The employee's own device is becoming the multilayered, multipurpose device of choice, carrying both business and personal data and functions. This trend will accelerate: devices will become extensions and virtual outposts of the central organization, and hubs for the personal data clusters now developing. How ready is your organization for this?

The pace of development in smart devices outstrips anything in conventional network architecture or desktop PCs. Financial services will have to accept that employees will use these devices, or become potential dinosaurs in a newly competitive, disruptive financial services sector.
Cyber-attack risks continue to rise
Banks and financial institutions have no choice but to adapt to BYOT and other social and technical trends. Cyber attacks are outside their control and will keep rising sharply over the next 10 years, and the cost of each attack will rise with them. The Ponemon 2013 Cost of Cyber Crime Study, sponsored by HP, pegs the average annual cost of cyber crime for organizations at $7.2 million in 2013, up 30% from 2012.

That figure has risen every year the survey has run. Meanwhile, according to a recent report by Booz Allen, a consultancy firm, cyber attacks are the “new normal” for the financial services industry.1

In the United States (U.S.), the Depository Trust & Clearing Corporation (DTCC) has named Distributed Denial of Service (DDoS) attacks as one of three types of attack that pose a “systemic risk” to the financial system. The organization, which settles the majority of securities transactions in the U.S., said DDoS attacks against financial institutions have increased dramatically in the last 12 months. Such attacks are also often used as a smokescreen for more targeted attacks, and to put call center staff under pressure, which makes them easier targets for phishing and other social engineering.2
New attacks are coming—get prepared
Worse is coming. The European Union (EU) sponsored International Cyber Security Protection Alliance (ICSPA) has predicted that by 2020 cyber criminals will be using some or all of the following tactics and malicious technologies. Some are based on the very technologies that banks and others are using to lower IT costs, such as cloud and virtualization.
• Exploitation of Near Field Communication (NFC) technologies, which banks will be using for new services in the future
• Highly distributed denial of service attacks using cloud infrastructures
• A move from device-based to cloud-based botnets, hijacking distributed processing power
• A mature illicit market for virtual items, stolen and counterfeit
• Physical attacks against data centers and Internet exchanges
• Electronic attacks on critical infrastructure, including power supply, transport, and data services
• Micro-criminality, including theft and fraudulent generation of micro payments
• Bio-hacks for multifactor authentication components
• High impact, targeted identity theft and avatar hijack
• Sophisticated reputation manipulation
• Augmented reality misused for attacks and frauds based on social engineering
• Hacks against connected devices with direct physical impact, such as wearable technologies
1 boozallen.com/media-center/press-releases/48399320/booz-allen-releases-annual-cyber-security-trends-for-2014
2 Ibid.
Not all of these threats will disrupt financial services, but some certainly will, and it is clear that none would be stopped by contemporary cyber defences.

Banks will want to use NFC to introduce new products and fast payment solutions. How will they protect their customers from aggressive targeted attacks, and from avatar-based attacks, in which a highly convincing digital persona is assembled from numerous stolen aspects of an individual's real identity so that the bank is fooled into thinking it is dealing with the real customer online? In this next level of identity theft, bank customers find themselves “cloned” online. Right now, it is unlikely that plans are being put in place to beat such advanced criminal techniques.

Denial-of-service attacks will increase in number and intensity, as criminals have seen the fruits of fostering disruption and fear among bank customers. Alongside them, the industrialization of micro-payment fraud will put huge new pressure on staff and security policies to contain multiple account-harvesting techniques.

Therefore, unless the banking industry initiates change now, it will be highly vulnerable to the systemic failure that the DTCC fears.
Technology used to cope with coming threats
Neil Passingham, technical solutions director at HP, believes that security is always behind the threat curve. He said, “We need to leverage resources—make the most of Big Data and the cloud for example. CISOs are advised to use present-day solutions but what they really want is to be listened to. We need to align serious solutions that secure their business.”

All leading security vendors should heed this statement. Given that whole new attack types will seek out vulnerabilities in tools and infrastructures, and given the use of super-connected devices, financial services, like other organizations, urgently need to switch attention to the application layer and the data itself.

The organizational perimeter needs to shrink to an absolute minimum: a core of the most sensitive data, protected (for example, encrypted with keys held apart from the data) so that a compromise of the surrounding systems does not expose it. Everything else can be protected as much or as little as needed, using mature risk assessment controls.

Beyond that, the focus must be on advanced encryption techniques, and on security analytics that exploit the power of Big Data. This will move enterprises from reactive security positions to intelligence-based ones, where risk is calculated from hard data and likely attack paths are anticipated before they are used.

New forms of identity, such as unique personal data clusters, will be needed to combat aggressive phishing and fraud attacks. The trend will be toward online identities and access models that rely on multifaceted digital profiles based on an individual's online behavior, rather than on simple two-factor authorization alone.
Identity is everything
True identity is the lifeblood of financial services, but the way identity is measured needs to change. Passwords, two-factor, and even biometric systems are flawed. Identity as implemented in enterprise applications does not necessarily align with how identity works in the real world.

Systems are being researched, and will be brought to market, that create complex identity sets based on personal data clusters and an individual's data history rather than on passwords that can be stolen or easily guessed. A “biodata” identity system can be more secure than even biometric data such as fingerprint or eye scans, which have been proven not to be failsafe. One caveat: a profile built from observable behavior is only as strong as the attacker's inability to observe and replay that behavior, which is exactly what the avatar-based attacks described above set out to do, so such profiles belong alongside, not instead of, a factor the attacker cannot harvest. This is all part of how data analytics, Big Data, and informatics will form the core of next-generation cyber defences.
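The following is an added illustration of the identity model sketched in the two passages above (the "multifaceted digital profile" replacing a lone second factor, and identity as a customer's data history); it is not code from this paper or from HP. It builds a behavioral profile from a constructed login history (device fingerprint, country, hour of day), scores a new attempt against that profile and maps the score to allow, step-up or deny. The history, the weights and the thresholds are assumptions chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    """One observed session: device fingerprint, country and local hour (0-23)."""
    device: str
    country: str
    hour: int


# Constructed login history for one customer (illustrative data, not real).
HISTORY = [
    Login("dev-A", "GB", 9), Login("dev-A", "GB", 10), Login("dev-A", "GB", 18),
    Login("dev-B", "GB", 21), Login("dev-A", "GB", 12), Login("dev-A", "GB", 9),
]

# Weights are assumptions for illustration; a real deployment would fit them
# against observed fraud and tune the thresholds per product and channel.
WEIGHTS = {"unseen device": 40, "unseen country": 35, "unusual hour": 25}


def build_profile(history):
    """Summarise what 'normal' looks like for this customer from past sessions."""
    return {
        "devices": Counter(s.device for s in history),
        "countries": Counter(s.country for s in history),
        "hours": Counter(s.hour for s in history),
    }


def score(profile, attempt):
    """Return (risk score 0-100, list of reasons) for a new login attempt."""
    reasons = []
    if profile["devices"][attempt.device] == 0:
        reasons.append("unseen device")
    if profile["countries"][attempt.country] == 0:
        reasons.append("unseen country")
    # Treat any login within +/-2 hours of a previously seen hour as normal.
    window = [(attempt.hour + d) % 24 for d in range(-2, 3)]
    if not any(profile["hours"][h] for h in window):
        reasons.append("unusual hour")
    return min(100, sum(WEIGHTS[r] for r in reasons)), reasons


def decide(risk):
    """Map a score to an access decision: allow, step_up (extra factor) or deny."""
    if risk >= 60:
        return "deny"
    if risk >= 25:
        return "step_up"
    return "allow"


def evaluate(history, attempt):
    """Full pipeline: profile the history, score the attempt, decide."""
    risk, reasons = score(build_profile(history), attempt)
    return decide(risk), risk, reasons


if __name__ == "__main__":
    for attempt in (Login("dev-A", "GB", 10), Login("dev-A", "GB", 3), Login("dev-Z", "RU", 3)):
        print(attempt, "->", evaluate(HISTORY, attempt))
```

The design point is that a single unfamiliar signal does not block the customer; it triggers a step-up to a factor the attacker is less likely to hold, while several unfamiliar signals together are denied outright. Note that every signal here is something an attacker who has harvested the customer's data could learn to imitate, which is why the decision escalates to an additional factor rather than replacing it.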
Threat detection and attack analysis are evolving
Elsewhere, forensics are moving from a method of simply analyzing a cyber attack after the event to a tool that can profile the cyber criminal and attack methods by building data patterns of criminal and malware activity. Such digital forensics will become an integral part of the enterprise in the near future. They can also be used to monitor employee behavior to cope with insider threats, and to spot unusual data patterns or financial movements. There are a number of developments in this area: for example, several vendors are developing their own threat intelligence services, such as a “next-generation” security operations center (SOC), security intelligence as a service, and other “human factors” research to help meet the 2020 cyber challenge.3,4,5
Conventional signature-based anti-malware solutions cannot cope with 2013 levels of malware production, let alone those predicted for 2020. New anti-malware solutions, which are already appearing, trap malware at the micro-visor level, isolating each task in its own micro-VM so that the malware is contained and cannot spread into the organization from any point, and the infected file can be safely extracted. New-generation security protocols will adjust, seek out, and quarantine perceived threats before any system is compromised.
Compliance and governance is essential
Unfortunately for security managers in financial services, turning to governments for help in dealing with next-generation threats is likely to end in disappointment.

Instead, bodies such as the EU, the U.S. Federal Government, and increasingly powerful Middle Eastern and Asian agencies are likely to make financial services work harder to meet new compliance regulations, as emphasis will be placed firmly on banks' responsibility to protect consumers, bank customers, and partners.

When Islamic hacktivists attacked U.S. banks in 2012, the response was not sympathy but calls from government for greater diligence on the part of the banks themselves.

At the same time, progress on international cooperation to defeat cyber crime and state-sponsored cyber attacks on banks and other organizations is limited, and the situation is unlikely to improve anytime soon.

Revelations by whistle-blower Edward Snowden are likely to make governments cooperate less on cyber security. Sadly, Snowden revealed that even allies are willing to use cyber means to spy on each other, hardly the spirit to foster international cooperation against mutual enemies.

Financial services information leaders face the prospect of uncontrolled international cyber crime, of governments concerned with locking down and protecting their own infrastructures from their allies, and of public concern about data breaches being answered with tighter governance and higher financial penalties. Failing to invest in data management systems that help meet compliance rules will not be an option.

Complicating the picture, as banks open up and abandon their traditional security posture to be more competitive and efficient, they increase their actual exposure to compliance-busting data breaches.
3 en.wikipedia.org/wiki/Data_analysis_techniques_for_fraud_detection
4 eweek.com/small-business/hp-updates-arcsight-portfolio-with-security-analytics/
5 techrepublic.com/blog/it-security/how-user-behavior-monitoring-helps-reduce-risk/
Playing field getting leveled
No doubt the picture for financial services is a hugely challenging one. They are squeezed by massive social and technological changes and by the need to modernize. At the same time, an unprecedented period of growth and sophistication in cyber crime is predicted, and there will be further legislative pressure in a globalized market.

Meanwhile, vendors and the information security industry are fighting back with a level of innovation that has been absent for too long. Advances in Big Data analytics, intelligent anti-malware techniques, digital forensics, and identity science are emerging, and they will start to level the playing field back in favor of a financial services sector that must change itself at the same time.
Learn more at
hp.com/enterprise/security