With over 25 years’ experience in Information Technology and Financial Markets, Pat Carroll, Executive Chairman and CEO of ValidSoft, has had the opportunity to build extensive knowledge in security, strong authentication and voice biometrics. TFT sat down with Pat to talk about the future of cybersecurity.
TFT: In your opinion, how much has the cybersecurity threat landscape shifted over the last 20 years?
Pat: A change in the cybersecurity threat landscape can be traced back to the early 90s with the introduction of the publicly available World Wide Web. This led to the rise of electronic or Internet services, such as online and mobile banking. Also around this time, the first commercial email services, such as AOL and CompuServe, appeared, followed soon after by the first web-based mail services such as Hotmail. The advent of such services and the growth of email spawned what we now know as Phishing, and a new paradigm in fraud emerged.
The introduction of digital channels, the use of telecommunications and the decentralisation of service fulfilment have all created new and further opportunities for cybercrime. In banking, for instance, the days of the armed robber are largely gone. The way to the cash is now through the web, an app or the call-centre.
When people used to transact with an entity such as a bank they did so in person and their identity was themselves with physical forms of proof-of-identity. And the cash was physical. Today, we bank remotely, the cash moves electronically, and our identity is largely determined through a form of proxy such as a PIN or password. However, these proxies are weak and an easy target for cyber criminals and hackers.
The threat today, therefore, is the theft, loss or hijacking of these proxies as they are literally the keys to the bank or other electronic services. Before services became web and app-based, no one even had a password to steal, let alone twenty of them (or worse, a single password for accessing twenty services). They physically cannot be defended against all of the cyber fraud vectors and methods employed to obtain them and this is why we are starting to see the migration trend away from proxy forms of identity and instead towards physical identity in the form of technologies such as voice biometrics.
TFT: Do you believe these changes to the threat landscape have changed the strategic considerations of businesses operating in the finance space?
Pat: The rise of the digital age and the new forms of cyber threat were not understood initially and largely not considered at the Board level. This has changed over time and the topic is now a regular standing agenda item for many/most Boards, especially in larger organisations, particularly financial institutions.
A serious concern to many is the loss of data and the associated reputational cost, as well as monetary costs in many cases. The introduction of legislation such as the GDPR in Europe has no doubt been another important agenda item in Board rooms around the world.
However, cybercrime is more than the theft of databases. It is also transactional, and this is where there is a potential discrepancy in considerations and budgets. Many financial services institutions use security systems that are weak or were designed to be robust but have since been shown to be vulnerable to widely published cyber-attacks. A good example of this is SMS-based security systems, and the SS7 transport layer in mobile communications infrastructure, which are very vulnerable to cyber-attacks, including SIM Swap fraud (fraudulent number porting). Provided the losses through cyber fraud are “within budget”, many organisations take no action to rectify the weaknesses. This mentality needs to change – there should be zero tolerance for fraud, and certainly no financial institution should ever have a budget for fraud.
The problem that will face Boards going forward is when a cyber threat that is known, but not considered a major threat, becomes one. Trying to play catch-up at that point can be too late, and the consequences severe.
TFT: How are the demands and expertise of cybersecurity in the finance industry driven by technological advancement?
Pat: Whilst the fight against cyber fraud in particular is still an arms race, the defensive strategies deployed by businesses in the finance industry are still largely reactive. The cyber threat is not (only) from teenage hackers but from well-funded, well organised and incentivised organisations (or nation states), employing skilful people with wide ranging technical skill sets.
The nefarious side of this arms race tends to be more agile and is more adept at finding the weaknesses in both the digital workflows of today’s business models, as well as the defences put in place to protect them.
We see this especially in the reliance organisations place on established, trusted networks such as telephony and SMS, which have been cunningly exploited by cyber criminals in ways never envisioned by the organisations utilising them or indeed the networks themselves.
We are now on the cusp of the Artificial Intelligence (AI) era, which is now the buzzword being heard more and more. As organisations in the finance industry look to adopt AI, we would suspect that cyber criminals are looking more closely at how to exploit its deployment than organisations are looking at how it might be exploited. Technology solution rollouts often occur ahead of all security due diligence.
TFT: What role will cybersecurity companies play in guiding financial organisations through this evolving threat-scape?
Pat: The answer to this lies largely within the culture of a particular organisation. As previously stated, defensive strategies are largely reactive, and in many cases so is the deployment of cybersecurity solutions. In a similar way to how some people view insurance, i.e. why pay for something that hasn’t even happened and probably won’t, some organisations may not budget for expert advice and pre-emptive security strategies. However, this is a false economy, as the cost of then being a victim of a cyber-attack and having to play catch-up becomes exponential.
Threats and weaknesses can be understood, the appropriate solutions chosen and implemented in a structured and planned fashion, rather than in fire-fighting fashion in a reactive model where the reputational and financial damage is already done.
Cybersecurity companies, similar to cybercriminals, spend considerable time analysing channels and solutions for weaknesses and devising methods of attack. From understanding the weaknesses comes the understanding of how to defend against them, and it is this information that is critical for financial organisations to understand.
For those organisations in the finance space that do involve experts in both reviewing their existing defences against the current cyber landscape, as well as the technologies and associated threats on the horizon, their expense should be viewed as an investment in their ongoing operational wellbeing. Some solutions, and I am of course a huge proponent of voice biometrics, also provide a compelling return on investment and business case, over and above the pure security benefits, by, for example, reducing the time and costs of engaging customer experience and making the customer experience more attractive.