What are the major cyber threats facing financial services firms?
I break the threat down into three main areas. First is the direct attack that targets the company itself, by trying to breach its systems so the attacker can either try to steal company information or commit fraud.
Second is online vandalism, flooding a company’s online services with virtual garbage. It doesn’t breach the systems targeted; instead, it overloads the systems and prevents access to them.
Third is the attack that targets a bank or financial services firm’s customers through its online channels.
Back in 2007, when this type of attack first started happening on a large scale, most firms’ focus was on securing their systems, without thinking about the other end of the transaction.
Every transaction has two ends, and if you can compromise one end, you can do the same to the other. With online banking, for instance, the focus of an attack isn’t on breaching the bank’s systems, but on their customers’ systems and devices, targeting them using viruses such as Trojans, which compromise transactions.
Are firms’ own employees often involved in cyber attacks on their employers?
We’ve found that cyber attacks often contain some element of insider involvement, whether it’s knowingly helping the attacks or doing so unwittingly. A lot of attacks start from an employee clicking on an email that looks as if it comes from where it says it does, but when you click on the link within the email it downloads a malicious virus.
So firms need to emphasise to their staff how important it is to not click on any emails that look remotely suspicious. Employees should instead alert whoever in the firm is responsible for cyber security to that email.
How is cyber crime evolving?
I think probably the most notable thing is that for cyber adversaries, whether they are criminals or not, there is a growing marketplace for them: in trading stolen information, sharing cyber attack tools or techniques and so on.
You might have a cyber attacker that uses a simple Trojan virus to gain access to a company's system and then decides that the best way to make money from it isn’t to hack the system, but instead see who might want to buy access to that system, and then trade it.
These networks are making the world of cyber crime a dynamic environment that changes quickly – and one in which it can prove hard to see where attacks originate from.
What strategies can firms adopt to combat the threat posed by cyber criminals?
For many years, a number of firms have been employing penetration testers – basically ethical hackers – who test their systems against techniques that hackers might use against them. These tests remain a useful way of testing your defences against potential threats.
PwC conducts penetration tests with companies where we simulate an attack and see how well they respond. We’re seeing this type of test being conducted on a wider scale too, with banks and other financial services firms joining forces with each other and government agencies to see how they would cope with a major cyber attack.
In 2014, the Bank of England (BoE) ran its Waking Shark II exercise, which tested the wholesale banking sector's response to a sustained and intensive cyber attack.
Last year also saw the BoE launch a vulnerability testing framework called CBEST, which is more focused on individual organisations, forcing them to undergo a penetration test that concentrates on what a hacker has to do to attack their systems, and establishes how effective their defences are.
It is a technique that a lot of companies use anyway, but the Government doing the test as a regulatory initiative is something I’ve picked up on as a new trend. In the most recent Financial Policy Committee report, it stated that it wants to see CBEST rolled out more widely across the whole financial services industry.
About the expert
Richard Horne is Partner, Cyber Security at multinational professional services network PwC. A recognised leader in his field, Horne previously worked as Managing Director, Cyber Security at Barclays. While with the bank, he spent a year on secondment to the Cabinet Office, where he helped shape the UK’s national cyber security plan.
Is there anything else that firms should be aware of when assessing their cyber security?
Cyber criminals will often look to exploit the weakest link in the chain. Direct attacks might target the systems of a company’s third-party supplier to get hold of sensitive, valuable information belonging to that company.
The attack on Target [which led to the theft of millions of the US retailer’s customers’ credit card details and ended up costing the company over $162m] involved the company it used for its heating, ventilation and air conditioning (HVAC). The attackers were able to access Target’s customer data after using exfiltration malware to steal network credentials from the retailer’s HVAC supplier.
A big part of preventing third party attacks involves understanding your business processes, how you operate in today’s digital world and what your critical systems are. It’s also about understanding what data you have, what systems you rely on and who you depend on for them. Who has access to your systems and who do you share that data with?
The data flows you rely on, for example, might include social media. Over a year ago, the Associated Press Twitter feed was hacked and a message was posted saying there had been an explosion at the White House. At the time, the US stock market briefly plunged and then recovered, but for a short period there were loads of traders executing transactions on the basis of an unverified data feed. The incident illustrated the importance of understanding exactly what data you rely on so you can protect it.
There has been a lot of coverage recently of ransom demands made by hacker group DD4BC after they have accessed firms’ data. What can companies do to defend themselves against this type of attack?
A lot of these attacks encrypt your data and the attackers then say: “If you want your data back, pay us.” The best form of defence is to have resilience built into your systems, and data backed up, so you don’t have those vulnerabilities that can lead to you being held to ransom in the first place.
What else do financial services firms need to be aware of in their efforts to guard against potential cyber attacks?
There’s a lot happening in Europe around new requirements for protecting personal information, which raises questions around how you manage cyber security. Are you allowed to have a team in another country monitoring your network and security in the UK? What are they allowed to do and not do from a data protection perspective? The situation is complex and the answers aren’t yet clear, but it’s something that firms need to be aware of and address.
The cyber threat in numbers
Five key findings from PwC’s analysis of the financial services industry in its Global state of information security survey 2015:
1. Respondents reported an 8% increase in detected security incidents in 2014.
2. Financial losses associated with incidents jumped 24%.
3. Despite these increases, information security budgets show very modest growth.
4. 41% of respondents say they detected security incidents perpetrated by third parties with trusted access.
5. The number of security incidents attributed to current and former employees increased substantially, with almost half (44%) of respondents attributing security incidents to existing staff.