Threats from within

Already under threat from the outside, financial institutions increasingly have to deal with cyber attacks that stem from internal failures. How can firms protect themselves? 

Over the last few years, a number of high-profile and extremely damaging leaks have hit many of the biggest institutions in the world. The US National Security Agency leaks by Edward Snowden in 2013, the US State Department revelations by Wikileaks in 2010, and a number of disclosures from the Vatican have highlighted the danger of internal leaks, whether as a result of deliberate action by whistleblowers, revenge attacks by disgruntled employees, or sloppy adherence to security procedures.

Sir David Omand GCB of the Global Commission on Internet Governance (profiled in the December 2015 Review) gave a stark warning to 1,300 senior investment professionals at a conference in Berlin in early June. He said that one of the biggest issues facing the financial industry was cyber crime and the uncertainty around how criminal attacks were going to be prevented. He added: “Investment in security is my message to this conference.”

According to PwC’s 'Global economic crime survey 2016', cyber threats have increased over the last year, “but business preparation is not keeping pace”. Cyber crime has risen to second in the list of economic crimes against companies, with 32% saying they have been affected, and it is steadily catching up to the usual leader of asset misappropriation.
Attacks on the rise
Many of the respondents said they were not adequately prepared, while some did not even understand the risks faced from cyber crime. Worryingly, while 61% of CEOs said they were concerned about cyber crime, “less than half of board members request information about their organisation’s state of cyber-readiness”. Only 37% said they had a cyber incident response plan. 

A number of companies offer security assessments to financial institutions so that they can see how strong their online defences are. One such firm, MWR Infosecurity, offers a range of services that help bolster finance firms’ defences, including vulnerability assessments, targeted attack simulations, and internal process analysis. Jason Kerner, Senior Platform Developer at MWR’s business division Phishd, says weak passwords are a particularly easy way for attackers to access networks, as staff “often use the same password, or a close variant, on multiple accounts”.

Perhaps the most alarming recent example of this is the case of Facebook founder Mark Zuckerberg, whose Twitter and Pinterest accounts were hacked into in June. His password was reported to be ‘dadada’ – in apparent disregard of his company’s recommendation to choose a “complex combination of numbers, letters and punctuation marks”. 

The cost of cyber attacks to global business was last year estimated to be $400bn by Lloyd’s of London CEO Inga Beale. It is also the financial services sector that suffers the most attacks, with 300% more than any other industry, according to a 2015 white paper by cyber security firm Websense (now known as Forcepoint after a recent merger with Raytheon and Stonesoft).

One major breach to hit the banking industry in recent years was the 2014 attack on JPMorgan Chase that exposed contact information of 74 million US households, even though it had spent $250m on cyber security that year. 
Security training
The overarching theme of the 2016 Cambridge International Symposium on Economic Crime, the largest and most highly-regarded event on this theme globally (and which is again being sponsored by the CISI), is cyber crime. Professor Barry Rider, Executive Director of the Symposium, said: “Simply stated, the question is who should be held accountable for the misconduct of others, whether colleagues, employees or customers and clients, and what is a proportionate and practical way of bringing this accountability home?”

The CISI has developed two qualifications that will help the industry tackle cyber crime issues. One of the qualifications, Combating Financial Crime, has been revised and updated, and now has an increased international focus and emphasis on practitioner responses to financial crime, as well as highlighting practical business safeguards and specific considerations for financial services.

The other qualification, Managing Cyber Security, was released earlier this year and is an entirely new exam that provides candidates with a grounding in the threat of cyber crime.

The original version of this article was published in the July 2016 print edition of The Review.
Published: 21 Jul 2016