The IT Crowd has a lot to answer for. For years, those safeguarding an institution’s digital infrastructure were considered back-room bods à la Moss and Roy, neither seen nor heard…
Well, thanks to some eye-wateringly public clangers from institutions the likes of Equifax, British Airways and Capital One, cybersecurity is front page news. Here, TFT digital editor, Charley Brooke Barnett asks CyLon’s Taylan Durmus for his thoughts on everything from gender parity to Huawei in this paramount sector…
What are the biggest threats to the cybersecurity of financial institutions? Where are they coming from?
The biggest threats to the cybersecurity of financial institutions are more likely to come from organised crime groups. That being said, the threat from nation state actors should also not be ignored. Occasionally, even those two distinctions get blurry, but that is an answer to an entirely different question. Organised crime groups are simply after money, so they will make their attack evident and present options for your institution to pay them. In some cases, these groups will have 24/7 customer service lines and will even offer to help patch your security holes after you pay them.
State-sponsored groups, however, have different intentions. They want to gain access to your data to snoop around, gather intelligence, see the calendars of executives, and steal proprietary information. You may never realise you were breached because they have no incentive to inform you. It is for this reason that data for state-sponsored attacks will be under-represented and under-reported.
The threat from organised crime has evolved in recent years. Before the era of ransomware, a financial institution could be hacked and items like credit card and personally identifiable information were just stolen to be sold on illicit forums. The institutions would then scramble to inform users and invalidate all the stolen cards. In the era of ransomware, however, institutions are at risk of having all of their data encrypted and held for ransom, which actively prevents the institution from functioning.
The biggest threat to the cybersecurity of financial institutions comes from the people who work there. Whether the attackers are state sponsored or criminal organisations, the human element of cybersecurity is, and likely always will be, the weakest link in cybersecurity. Humans can be tricked, manipulated, or simply be ignorant of a threat when they open an email attachment or click a link. This problem will never go away despite the tens of millions spent every year in awareness training for staff.
What fail-safes do you currently have in place for a worst-case cyber-attack?
Not speaking on behalf of CyLon, but from a general perspective: In an ideal world every company would have off-site backups kept isolated from the internet and their internal networks. That way, in the event of a worst-case scenario, they would just have to roll back to their most recent, uninfected backups. Even this method is not bulletproof, however, since if the attackers are clever enough, they will wait for some time to pass so that the backups are also infected. Depending on the organisation, rolling back six months may simply not be feasible, so they would have no choice but to pay the ransom fee.
The word failsafe is difficult to apply in terms of cybersecurity. Sure, you can just unplug every computer in your network and that may help (it probably will not) but at that point your organisation just ceases to function. The backups mentioned previously are as close as you can get to a failsafe.
Is technical innovation helping or hindering banks’ security?
Innovation is a double-edged sword when it comes to the security of banks and other financial institutions. The reason for this is that attackers and defenders are locked in an eternal arms race to innovate new ways to get ahead of one another. Bad actors (be it nation state or organised crime groups) are always looking to exploit the latest (or previously unknown zero-day) vulnerabilities to gain access into places they should not.
Therefore, it is absolutely critical that banks and other financial institutions invest in the defending side of this arms race of innovation lest the attacking side gets an advantage. The funding and resources of the attacking side should also not be underestimated as some of these criminal organisations generate revenues comparable to that of large, multi-national companies with operations spanning the globe.
To put it simply, technical innovation is not only helping, but is critical to banks’ security (as opposed to hindering). The day that technical innovation ceases is the day all the security researchers and hackers of the world can just pack up their bags and go home (assuming they are not already working from there…!).
Should there be increased cybersecurity regulation rather than merely fines for breaches? Given that some banks are seen as “too big to fail”, should there be greater oversight into how they handle the cybersecurity threat?
The trouble with financial sanctions against big banks is that they simply have so much money that if the penalty of failure is not high enough, they will simply budget to pay the fines! Cybersecurity regulation should be embedded into the rigorous financial regulation that these institutions are subject to. The reporting of breaches should also be mandatory and announced as soon as possible. We will never know which banks and other financial institutions have been hacked and paid a ransom. As customers and users, we should have the right to know if our data has been compromised.
Are challenger banks more vulnerable than legacy institutions?
Challenger banks are probably less of a target by virtue of their size rather than them being less vulnerable. They may have more modern infrastructure and secure backends, but as soon as criminal organisations think they would present a better opportunity to make money then they will also be targeted.
How are you addressing the acute skills shortage in the space? Do you think AI can completely replace human experts?
Maybe one day when we have true AI that can outperform a human. For the moment, any ‘AI’ buzzword you see being thrown around is just a machine learning algorithm that essentially learns by trial and error and whatever data you feed it. They are good for some automation and monitoring; however, they are far from being capable enough to replace humans completely. That kind of AI is still 20-30 years away in my opinion.
I think the acute shortage of skills is mainly due to there not being a clear path of entry into the field. There are very few cybersecurity degrees being offered by top institutions. To address this, universities must catch up and assemble the relevant faculties and curriculum to train the next generation of security researchers. In addition to this, cybersecurity is perhaps one of the few fields where there is a clear ‘good’ and ‘bad’ side. It is almost akin to mercenary work. You have two sides which offer varying levels of compensation and there is nothing (apart from difficult-to-enforce laws and morals) to stop you from working for bad actors. Sometimes people just want to work for the other side and it is not uncommon for people to change sides either.
How prolific are ransomware attacks?
As they are dependent on self-reported data, we will never know how truly prolific they are. What can be said for certain is that the frequency and complexity of attacks will increase over time. I would not be surprised if institutions do not report attacks as a matter of policy unless the consequences of the attack are evident to the public and/or cause the business to stop functioning. This comes down to PR and brand protection.
What is your position on trusting foreign organisations like Huawei with state infrastructure, as seen in the recent 5G debate?
Chinese organisations are unique in that they technically have no choice in the matter if the state decides to inject their operations with espionage. Huawei, although not technically state-owned, is more than likely de facto controlled by the state through a complex hierarchy of state-controlled trade unions.
Thus, if I had some critical infrastructure that I needed to keep secure, I would not contract Huawei to build it for me. The Chinese security apparatus is immensely well funded, clever, and brutally effective.
I would say the same for any foreign organisation. The key to ensuring the security of state infrastructure boils down to how much control you can exert on the organisations building it. Huawei for example? Good luck. A smaller Russian company? Maybe a bit better. A homegrown company like British Telecoms? Bingo.
Why is there so little representation of cyber security at C-level?
It is getting better, and I think it would be unfair to say that cybersecurity is underrepresented at the C-level in today’s world. This was perhaps truer ten to fifteen years ago. Almost all multi-national organisations worth their salt will have someone in the C-suite who is responsible for cybersecurity as they simply cannot afford to have that gap in knowledge anymore.
Is the move to cloud-based systems creating further vulnerability?
Cloud systems operated by giants like Microsoft, Amazon, and Google are almost always more secure than any private cloud solutions a company can use. They also have the added benefit of managing their own security to an extent, which makes life easier for the users. I would say that the move to cloud-based systems is creating LESS of a vulnerability.
Most IT is generally male dominated, but this seems to be even truer of cybersecurity. Would a gender balance help protect firms?
The strength of diversity cannot be underestimated. The (ethnic, gender, etc.) diversity of a team is directly proportional to the diversity and quality of ideas and solutions generated by a team. That has been my experience thus far and it makes sense. When you have people from all walks of life who have all seen and done different things it brings a wealth of experience to the table which can be drawn from.