- Cyber threats have become increasingly prevalent since data and transactions have been available online.
- The always accessible internet means that criminals have been able to reduce their risk of discovery by working across borders and increase the potential rewards by automating attacks on mass markets. Initially targets were large size and known-brand enterprises (e.g. asset management firms and banks) but this has now moved to small and medium-sized enterprises.
- Another trend is the re-use of malware – once something has been seen to work, it is available to anyone to copy and develop, both across borders and across industries:
  - In 2010 one firm lost £10 million within 2 hours after its network was breached, prepaid cards were topped up and the money withdrawn. The same technique has been used in several later attacks in different countries.
  - Another case, ‘Stuxnet’, originally targeted a Siemens centrifuge, making it spin slightly too fast and damaging Iran’s nuclear programme. The code was reverse-engineered and was later seen in financial systems.
Our expert recommended using the NIST framework, a framework for countering cyber issues that has 5 pillars:
- Identify - your assets; potential attackers; routes in.
- Protect - prevent with security tools; training; vigilance; user behaviour analysis.
- Detect - know when you are under attack.
- Respond - practised decisions; emergency options; timeliness; policies and procedures for all.
- Recover - know what to do in various scenarios; timeliness; learning and action.
The room then discussed actions that could be undertaken that fit into this framework. A key element agreed was that firms need to ensure that the correct culture is in place – people can potentially be the weakest link, but also the strongest asset!
- Testing and practice are key:
  - Send spoof emails to all employees to collect metrics and get them better at recognising a spoof email;
  - Run through scenarios and test in a full-day event to prepare staff - including Senior Executives rehearsing policy on what to do in a ransomware situation. Include a full post-incident review. There are various groups that can assist in these events (‘Exercise in a Box’).
- One participant talked about where the same individuals seem to be clicking on the spoof emails. The firm included these spoofing metrics in their KPIs (risk and compliance rating) for its employees. However, this then had the effect of employees reporting phishing excessively - additional processes and filters had to be put in place to be able to reassure employees relatively quickly that some emails weren’t, in fact, spam.
- People need to feel comfortable reporting any issue no matter how silly;
- The right KPIs and metrics are important as they dictate behaviour;
- Run passwords through a ‘password cracker’ and contact users with weak passwords to fix them;
- Suspicious activity tracking – learned behaviours (machine learning and people observation); look at voice recognition, IP address of the computer/location, and time of the instruction;
- ALWAYS stop transactions if anything is remotely suspicious (err on the side of caution even if it annoys a client).
- Another important metric to measure is how quickly the first report of a phishing attempt comes in – early intervention can protect a firm and prevent other users from being affected by it.
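The metrics discussed above (click rate per campaign, the individuals who click in more than one campaign, and the time from send to first report) can be computed from a simulation's event log. The following is an added example written for this summary, not code from the roundtable or from any participant's firm; the event rows are constructed sample data and the column layout (campaign, user, event, timestamp) is an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of phishing-simulation events (not real data).
# Each row: campaign id, user, event type, ISO-8601 timestamp.
SAMPLE_EVENTS = [
    ("Q1", "alice", "sent", "2024-03-04T09:00:00"),
    ("Q1", "bob", "sent", "2024-03-04T09:00:00"),
    ("Q1", "carol", "sent", "2024-03-04T09:00:00"),
    ("Q1", "dave", "sent", "2024-03-04T09:00:00"),
    ("Q1", "alice", "reported", "2024-03-04T09:07:00"),
    ("Q1", "bob", "clicked", "2024-03-04T09:12:00"),
    ("Q1", "dave", "clicked", "2024-03-04T09:40:00"),
    ("Q2", "alice", "sent", "2024-06-10T14:00:00"),
    ("Q2", "bob", "sent", "2024-06-10T14:00:00"),
    ("Q2", "carol", "sent", "2024-06-10T14:00:00"),
    ("Q2", "dave", "sent", "2024-06-10T14:00:00"),
    ("Q2", "bob", "clicked", "2024-06-10T14:03:00"),
    ("Q2", "carol", "reported", "2024-06-10T14:05:00"),
    ("Q2", "dave", "reported", "2024-06-10T14:20:00"),
]


def _users(events, campaign, event_type):
    """Set of users with a given event type in a campaign."""
    return {u for c, u, e, _ in events if c == campaign and e == event_type}


def click_rate(events, campaign):
    """Fraction of recipients who clicked the simulated lure."""
    sent = _users(events, campaign, "sent")
    return len(_users(events, campaign, "clicked")) / len(sent) if sent else 0.0


def report_rate(events, campaign):
    """Fraction of recipients who reported the email."""
    sent = _users(events, campaign, "sent")
    return len(_users(events, campaign, "reported")) / len(sent) if sent else 0.0


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns."""
    campaigns_by_user = defaultdict(set)
    for c, u, e, _ in events:
        if e == "clicked":
            campaigns_by_user[u].add(c)
    return sorted(u for u, cs in campaigns_by_user.items() if len(cs) >= min_campaigns)


def minutes_to_first_report(events, campaign):
    """Minutes between the first send and the first user report; None if no report."""
    sends = [datetime.fromisoformat(t) for c, _, e, t in events if c == campaign and e == "sent"]
    reports = [datetime.fromisoformat(t) for c, _, e, t in events if c == campaign and e == "reported"]
    if not sends or not reports:
        return None
    return (min(reports) - min(sends)).total_seconds() / 60


def campaign_summary(events, campaign):
    """One row of KPI figures for a campaign."""
    return {
        "campaign": campaign,
        "click_rate": click_rate(events, campaign),
        "report_rate": report_rate(events, campaign),
        "minutes_to_first_report": minutes_to_first_report(events, campaign),
    }


if __name__ == "__main__":
    for camp in sorted({c for c, *_ in SAMPLE_EVENTS}):
        print(campaign_summary(SAMPLE_EVENTS, camp))
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
```

Tracking the report rate alongside the click rate matters because of the over-reporting effect mentioned above: a KPI built only on clicks pushes people to report everything, whereas time-to-first-report rewards the behaviour that actually limits the spread of a real campaign.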
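The suspicious activity tracking described above (location, channel, time of instruction, and the rule to hold anything that looks off) can be expressed as a per-client baseline plus a simple check on each new instruction. This is an added illustration, not code from the roundtable or from any firm represented there; the client history is constructed sample data, and the baseline fields and the ×2 amount threshold are assumptions chosen for the example.

```python
from datetime import datetime

# Constructed history of previously verified instructions for one client (not real data).
# Each row: client id, ISO-8601 timestamp, source country, channel, amount in GBP.
HISTORY = [
    ("client-17", "2024-01-08T10:15:00", "GB", "portal", 12000),
    ("client-17", "2024-01-22T11:02:00", "GB", "portal", 8500),
    ("client-17", "2024-02-05T09:48:00", "GB", "phone", 15000),
    ("client-17", "2024-02-19T14:30:00", "GB", "portal", 9900),
]


def build_baseline(history, client):
    """Learned behaviour for a client: where, how, when and how much they usually instruct."""
    rows = [r for r in history if r[0] == client]
    if not rows:
        return None
    hours = [datetime.fromisoformat(t).hour for _, t, _, _, _ in rows]
    return {
        "countries": {country for _, _, country, _, _ in rows},
        "channels": {channel for _, _, _, channel, _ in rows},
        "hour_min": min(hours),
        "hour_max": max(hours),
        "max_amount": max(amount for _, _, _, _, amount in rows),
    }


def assess_instruction(baseline, timestamp, country, channel, amount, amount_factor=2.0):
    """Return ("PROCEED", []) or ("HOLD", [reasons]); any reason at all means hold."""
    reasons = []
    hour = datetime.fromisoformat(timestamp).hour
    if country not in baseline["countries"]:
        reasons.append(f"source country {country} not seen before")
    if channel not in baseline["channels"]:
        reasons.append(f"channel {channel} not seen before")
    # Allow one hour either side of the client's usual window.
    if not (baseline["hour_min"] - 1 <= hour <= baseline["hour_max"] + 1):
        reasons.append(f"instruction at {hour:02d}:00 is outside usual hours")
    if amount > amount_factor * baseline["max_amount"]:
        reasons.append(f"amount {amount} exceeds {amount_factor}x the largest previous instruction")
    return ("HOLD", reasons) if reasons else ("PROCEED", [])


if __name__ == "__main__":
    base = build_baseline(HISTORY, "client-17")
    print(assess_instruction(base, "2024-03-04T10:05:00", "GB", "portal", 11000))
    print(assess_instruction(base, "2024-03-05T03:10:00", "US", "email", 90000))
```

The point of returning the reasons rather than a score is that the operations team has to explain the hold to the client quickly; a list of concrete deviations from the client's own history is far easier to act on (and to tune when it produces too many false holds) than an opaque risk number.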
It is important to note that all pillars should be considered in unison rather than investing too much in one area and neglecting another. The subject matter expert quoted 3 principles that they adhere to at their company:
- green today is not green tomorrow (continued investment is required to combat cyber-attacks);
- it will happen (don’t solely rely on prevention, response should be just as important); and
- collaboration is key (work with other companies in your industry, government bodies etc. - each party provides a different lens).
Several further questions were raised and points discussed:
- Is cyber insurance worth it? Premiums are very high and insurers are unlikely to pay in the event of a cyber-attack… (Case study regarding Maersk's systems being hit by ransomware. Maersk then went to AIG and other insurers, who are refusing payment, claiming it to be an ‘act of war’).
- Discussion was around the industry becoming adaptive to these attacks rather than insurance-reliant.
- How sympathetic is the regulator when an event happens, and how can senior management best show that the appropriate controls are in place?
- Our expert said that the important thing is to have a strong framework, show you are following the framework, and have metrics measuring how well the framework is doing.
I’m not a firm the size, and with the budget, of RBS - how much do I need to spend?
- Our expert advised that each firm should identify what is important to them and keep it segregated and secure. Prioritise spending on sensitive data and financial transactions - concentrating the security controls around the things that really matter and not spending on things that don’t. Example given was the car parking app.
- It is also important to seek solutions that are relevant to your business. Biometrics work for a large-scale industry where technical solutions are needed to assess transactions on a mass-market scale, but are perhaps overkill in a wealth management business with fewer clients.
- Further advice was to make sure that all stakeholders are engaged - there may be a pull from different parties to make service more sleek than secure. Security should remain extremely important. Relationship Managers and Clients all need to be educated with scenarios that will resonate with them e.g. don’t talk about banking cases to a wealth management client or provide examples of something that doesn’t relate to the firm’s business.
How much do you collaborate with other large banks?
- Security is not competitive, and collaboration across all banks is significant. The network is built on informal relationships with a culture of ‘how can we help’.
- Additional support can be found with the National Cyber Security Centre (NCSC) which is doing work on formalising this – 10 steps for organisations to get the benefit of the entire industry (all companies input to the NCSC who then distribute).
- The Cyber Information Security Sharing (CISS) portal is another useful government initiative where firms can register as a UK business and receive various alerts to tap into other organisation’s skills.
How much risk does the Internet of Things bring to bear?
- The Internet of Things will shape security in the future. As more devices become connected to the internet, the potential for more DDoS attacks grows. On a personal level, every device you connect to your home network is a way in. It is key to ensure that these devices are able to manage safe and secure transactions (some manage payments) and to create segregation and protection around what is most important.
Expert: Glenn Attridge, Head of Cyber Defence & Security Response, NatWest
Facilitator: Gilly Green, Managing Partner, Sionic