Robert Rutherford on why the C-level must take full responsibility for a security breach rather than placing blame on the IT team.
The Financial Conduct Authority (FCA) has expressed concern over the cyber attack on Tesco Bank last year after £2.5 million was drained from customers’ accounts. Within hours, customers’ current and savings accounts, as well as credit card details, were being traded on the dark web, with many hackers on live chat rooms referring to the firm as a “money machine”.
According to FCA data, only five cyber attacks were reported in 2014 – as opposed to the staggering 75 reported in the first 10 months of 2016 alone. Although the money stolen from Tesco Bank was refunded and no personal data was compromised, this incident should serve as a warning to all banks and the financial services industry as a whole that cyber criminals are implementing increasingly intelligent ways of outsmarting IT systems.
The truth is that firms in this sector have been facing cyber attacks for decades, as this industry is especially attractive to criminals who are looking to access financial data. After all, the data held on these systems includes not only clients’ financial and personal details, but also information about the firms themselves. It is undoubtedly difficult for banks to continually defend against the constant cyber attacks they face, but IT security must be considered a priority when it comes to budgets.
Why are banks such easy targets?
The biggest reason that criminals target banks is obvious: money. Financially motivated cyber crimes account for three quarters of all reported security breaches. It has, however, been reported widely that Tesco Bank ignored various warnings regarding its IT systems and how secure they really were. This is an issue with many firms who do not understand the importance of cyber security – particularly in the current economic climate, with budgets being evaluated more critically than ever in an effort to reduce costs.
In addition, banks’ computing systems are not only incredibly complex, but are also outdated legacy systems in many cases. This creates a good opportunity for cyber criminals to target various parts of the networking and transactional systems within these organisations. The individuals behind these attacks understand that bypassing standard controls can provide them with access to the bank’s back-end systems, which can lead to a huge loss for the firm and a major gain for the fraudsters.
Without a doubt, cyber criminals have become more patient and more intelligent over the years, especially when they’re financially motivated. Some hackers will watch an organisation for months, sometimes even years, to establish where the vulnerabilities in its systems are.
What methods should banks use to improve cyber security?
Ensuring that IT systems are up to date with the latest software is crucial for any firm, but for banks and other organisations that hold enormous amounts of data, this is even more important. It is still common practice in many banks to allow access to their systems via a password alone, which is unacceptable from a security standpoint. The weakness in password-only protection is widely known, yet it is still being ignored.
Whatever the reasoning behind this decision, it is dangerous and leaves organisations highly vulnerable to cyber attacks.
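To make the password-only weakness concrete, the following is an added example (not code from the article or from QuoStar) that puts the weak scheme beside a hardened one: a login that accepts a password alone, and a login that also demands a current time-based one-time code (RFC 6238 TOTP over HMAC-SHA1, computed with the Python standard library). The user record, salt and password are constructed; the TOTP secret is the RFC 6238 test-vector secret so the generated codes can be checked against the RFC's published values. With the second factor in place, a stolen or phished password on its own no longer opens the account.

```python
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 200_000

# Constructed user record: the password is stored as a salted PBKDF2 hash and the
# user has an enrolled TOTP secret (the RFC 6238 test-vector secret, an assumption
# chosen so the codes produced here match the RFC's published test values).
USERS = {
    "alice": {
        "salt": b"constructed-salt-value",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple",
                                       b"constructed-salt-value", PBKDF2_ROUNDS),
        "totp_secret": b"12345678901234567890",
    }
}


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238, HMAC-SHA1) for a Unix timestamp."""
    counter = timestamp // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def password_ok(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def password_only_login(username: str, password: str) -> bool:
    """The weak scheme the article criticises: whoever holds the password is in."""
    user = USERS.get(username)
    return user is not None and password_ok(user, password)


def mfa_login(username: str, password: str, code, now: int, drift_steps: int = 1):
    """Hardened scheme: the password AND a current one-time code are both required."""
    user = USERS.get(username)
    if user is None or not password_ok(user, password):
        return False, "invalid username or password"
    if not code:
        return False, "second factor required"
    # Accept codes from the adjacent 30-second windows to tolerate small clock drift.
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(user["totp_secret"], now + delta * 30)
        if hmac.compare_digest(expected, code):
            return True, "ok"
    return False, "invalid one-time code"


if __name__ == "__main__":
    stolen_password = "correct horse battery staple"
    print("password only:", password_only_login("alice", stolen_password))
    print("with MFA, no code:", mfa_login("alice", stolen_password, None, 59))
    print("with MFA, right code:", mfa_login("alice", stolen_password, totp(b"12345678901234567890", 59), 59))
```

The point of the side-by-side is that the same stolen password succeeds against `password_only_login` and fails against `mfa_login` unless the attacker also holds the enrolled device; `compare_digest` is used for both checks so a wrong guess does not leak timing information.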
ISO 27001 is a global standard that can help greatly in relation to IT security in general, as it enables financial institutions and any other businesses to identify what risks there are to their operations and then assign controls to prevent or minimise the likelihood of them from occurring. The assets, risks and controls are then reviewed continually; it’s a living standard that ensures continuous improvement.
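The assets, risks and controls cycle described above can be kept as a small, reviewable register. The following is an added illustration, not the article's or QuoStar's code and not a method prescribed by ISO 27001 itself (the standard requires a risk assessment and treatment process but leaves the scoring method to the organisation): the 1 to 5 likelihood and impact scales, the control effectiveness fractions, the risk appetite threshold and the register entries are all assumed, constructed values. It scores each risk, applies the assigned controls to get a residual score, and reports the two things a review meeting needs to act on: risks still above appetite, and risks whose scheduled review has lapsed.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Control:
    name: str
    effectiveness: float   # fraction of the risk the control removes, 0.0 to 1.0 (assumed scale)


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int        # 1 (rare) to 5 (almost certain), assumed scale
    impact: int            # 1 (negligible) to 5 (severe), assumed scale
    controls: list = field(default_factory=list)
    next_review: date = date.min

    def inherent(self) -> int:
        """Score before any controls are applied."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Score after each assigned control removes its share of the risk."""
        score = float(self.inherent())
        for control in self.controls:
            score *= 1.0 - control.effectiveness
        return round(score, 1)


RISK_APPETITE = 6.0   # assumed: residual scores above this must be treated


def review_register(register, today: date):
    """Return (action, asset, threat, residual) tuples, highest residual first."""
    actions = []
    for risk in sorted(register, key=lambda r: r.residual(), reverse=True):
        if risk.residual() > RISK_APPETITE:
            actions.append(("treat", risk.asset, risk.threat, risk.residual()))
        if risk.next_review <= today:
            actions.append(("review-overdue", risk.asset, risk.threat, risk.residual()))
    return actions


# Constructed register entries for a hypothetical bank.
REGISTER = [
    Risk("Online banking portal", "Account takeover via stolen password",
         likelihood=5, impact=5, controls=[], next_review=date(2017, 6, 1)),
    Risk("Core banking system (legacy)", "Exploitation of an unpatched vulnerability",
         likelihood=4, impact=5,
         controls=[Control("Patch management", 0.5), Control("Network segmentation", 0.5)],
         next_review=date(2017, 1, 15)),
    Risk("Staff email", "Phishing leading to credential disclosure",
         likelihood=5, impact=3,
         controls=[Control("Awareness training", 0.4), Control("Mail filtering", 0.6)],
         next_review=date(2017, 9, 1)),
]


if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.asset}: inherent {risk.inherent()}, residual {risk.residual()}")
    for action in review_register(REGISTER, date(2017, 3, 1)):
        print(action)
```

Run against the sample register, the password-only portal comes out as the one risk above appetite (no control has yet been assigned to it), and the legacy core system is flagged because its review date has passed even though its residual score is acceptable; that second flag is what makes the register a living document rather than a one-off assessment.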
The senior leadership within a bank also plays a huge role when it comes to cyber security. The C-level must take full responsibility both in the event of a security breach and when determining a cyber security strategy, rather than placing blame solely on the IT team. Senior management also needs to communicate with employees at all levels in order to understand what the risks are and how the firm can work together to prevent these attacks from happening.
How can staff help to keep IT systems safe?
All members of staff need to know the IT basics as a minimum, no matter what part of the business they may be working in. Many data breaches originate internally because an employee failed to notice a potential threat to the firm, such as not realising that the email they were opening contained a virus or a dangerous website link.
Social engineering has always been one of the most effective ways to breach a system at its core. It’s not uncommon for a fraudster to ring up a company pretending to be an IT technician in order to convince an employee to hand over their login details.
In this scenario, the employee who provides these details will essentially be giving the attacker full access to the firm’s network and confidential files. It is therefore vital to train staff in how to identify and handle these communications. This first line of defence is essential for banks to protect their data, as it is these individuals who will be able to spot, block and prevent a security breach in the future.
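The email-borne threats mentioned above (a dangerous link, an attachment carrying malicious code) are exactly what the "first line of defence" has to spot, and the same checks can be automated at the mail gateway to back staff up. The following is an added example, not code from the article or from QuoStar, that parses a raw email with the Python standard library and reports the indicators a trained employee is taught to look for: a sender outside the firm's own domains, a Reply-To that diverts answers elsewhere, a link whose visible text shows one host while the href points at another, links to untrusted hosts, and attachments with executable extensions. The trusted domain list, the extension list and both sample messages are constructed assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the firm's own domains and the attachment types treated as executable
# (hypothetical placeholder values, not from the article).
TRUSTED_DOMAINS = {"examplebank.com"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_message(raw: str):
    """Return a list of (category, detail) findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    if not trusted(sender):
        findings.append(("sender-domain", sender))
    if msg["Reply-To"]:
        reply = msg["Reply-To"].addresses[0].domain.lower()
        if reply != sender:
            findings.append(("reply-to-mismatch", f"{sender} -> {reply}"))

    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", filename))
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                target = host_of(href)
                # Visible text that looks like a URL must point where it claims to.
                if "://" in text or text.startswith("www."):
                    shown = host_of(text)
                    if shown != target:
                        findings.append(("link-text-mismatch", f"{shown} -> {target}"))
                if not trusted(target):
                    findings.append(("untrusted-link", target))
    return findings


# Constructed sample: a credential-harvesting message of the kind staff are trained to report.
SUSPICIOUS_EMAIL = """\
From: IT Support <helpdesk@examplebank-support.example.net>
Reply-To: helpdesk@mail.example.org
To: alice@examplebank.com
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please sign in at
<a href="http://examplebank.secure-login.example.net/verify">https://online.examplebank.com/login</a>
within 24 hours.</p></body></html>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""

# Constructed sample: a legitimate internal notice, which should produce no findings.
BENIGN_EMAIL = """\
From: IT Helpdesk <helpdesk@examplebank.com>
To: alice@examplebank.com
Subject: Scheduled maintenance this weekend
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Online banking will be unavailable on Sunday 02:00-04:00.
Details are on <a href="https://intranet.examplebank.com/maintenance">the intranet</a>.</p></body></html>
"""

if __name__ == "__main__":
    for finding in check_message(SUSPICIOUS_EMAIL):
        print(finding)
    print("benign findings:", check_message(BENIGN_EMAIL))
```

A message that trips any of these checks is worth quarantining or at least marking clearly before it reaches the inbox, but the same five questions (who really sent this, where do replies go, where does the link really lead, is the host ours, is the attachment runnable) are the ones staff training should leave every employee able to answer for themselves.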
Robert Rutherford is CEO of the business and technical consultancy QuoStar.