As hacking and cybercrime become increasingly sophisticated, it gets harder for banks to stay on top of developments to protect customers from fraud, with a dynamic cybersecurity strategy increasingly considered a prerequisite for good business. Oliver Hotham speaks to Richard Horne, partner at PricewaterhouseCoopers and former head of cybersecurity at Barclays, about how banks can stay vigilant, fight major breach attempts and the importance of educating customers about keeping their data safe.
October 2015 was Cyber Security Month in the US, a time for business and government partners to make sure that everyone understands the importance of keeping safe online: protecting passwords, setting up two-step authentication processes; the gamut of precautions everyone should take to make sure there's no chance we wake up to find our internet wallet has been emptied. A similar scheme was underway in the UK - the Keep Safe Online campaign.
But it was also the month that, in the UK, a group of hackers made off with £20 million from UK bank accounts. In an attack described by the Guardian as "one of the worst cyberattacks ever seen", infiltrators used a Trojan horse-style malware known as Dridex to break into accounts and slowly siphon off money. It's believed Dridex has raised £100 million worldwide for its creators, in a digital heist worthy of the most prolific bank robbers. It was a shocking breach, and there was little the authorities could do about it once it was over.
"Fraudsters are cashing in online and are using the internet to commit crimes that they would never have been able to execute in previous decades," Matt Bradford, head of the National Fraud Intelligence Bureau at the City of London Police, told the press in the aftermath.
To many, it was an indication of the extent to which, in the current climate, many customers are justified in the belief that banks simply aren't doing enough to keep them safe online and protect accounts from criminals. And the industry is under pressure from other sides, too: in October, Standard & Poor's announced that it was considering cutting the ratings of lenders that failed to adequately protect themselves against attacks, or that experienced an exceptional breach of security. The news sent a stark message: invest in cybersecurity, or face the penalties.
"Since the dawn of time, really, banking has been about confidence," says Richard Horne, a partner at PricewaterhouseCoopers (PWC) and an expert in cybersecurity. "Ask any economist around what matters about banking - it's confidence.
"In today's digital world, security is a key part of trust in your bank and your financial transactions - it's absolutely fundamental to a bank's offering and brand."
Once more into the breach
For years, Horne worked for Barclays, as a COO for infrastructure and service delivery, as director of electronic protection and as managing director for cybersecurity. During this time, he was seconded to the Cabinet Office, developing policy for the UK Government, a diversity of experience that means he's seen the issue from both sides of the fence.
"Clearly, having worked in a big global bank, I have a good understanding of what the banking environment is and how the processes flow," he says, when asked what he thinks this broad insight has contributed to his understanding of the environment. "I know what matters and what needs to be focused on from a security perspective."
He's now at PWC, having been invited in 2013 to build a national practice for the company specialising in cybersecurity, a division that now employs roughly 200 experts and does everything from advising clients on their strategy and approach to security to helping them build controls and defences against attacks.
"They decided that it is an important investment and key part of its whole offering in the market," he says. "It wasn't the first time, but it was at a stage where we decided that we really needed to go for it."
Part of the problem is that the losses incurred by breaches often don't give enough of an incentive to invest the large sums necessary to really curb these types of issues. In a report for The Conversation, published in March, Benjamin Dean, a fellow for internet governance and cybersecurity at Columbia University's School of International and Public Affairs in the US, argued just this, making the case that regulators need to step in.
"JP Morgan's CEO, Jamie Dimon, says his firm spends $250 million each year on cybersecurity," he argues. "To put that in perspective, that constitutes 0.35% of the JP Morgan annual expenses. If that's how much a firm for which its very existence rests on preventing data breaches spends, one can only imagine how much the average firm invests in information security.
"In the presence of this market failure, the case for government intervention becomes strong."
There's certainly space for collaboration between the state and the private sector, and when finance represents such a significant part of the national infrastructure, there's a self-evident need for these kinds of initiatives.
But the news about Standard & Poor's, for many, shows that the financial industry should begin to see cybersecurity as a major concern - and one that has an impact on profitability - rather than a simple inconvenience. One bank suffering a major breach, for example, can have a systemic impact across the sector.
Hackers are smart, however, and keeping track of the constantly changing threats and staying one step ahead can be close to impossible. There are nonetheless ways of tracking who adversaries are, the techniques they use and the infrastructure available to them. Also important, argues Horne, is that companies work together to develop joint strategies.
"I think a second area is collaboration between organisations," he argues. "The more banks can share information around the attacks they're seeing, the techniques and how they're evolving, the more they will develop a pack immunity and start to be able to respond to threats, and be better prepared to predict what the attackers might do next."
It's also a case of firms increasingly needing to hire people as skilled as the hackers attacking them. There's a clear desire for specialist skills, and banks must make their recruitment - and retention - approaches more flexible to make sure they can attract and keep hold of the right skills. A key part of cybersecurity is understanding the infrastructure of a business and where vulnerabilities lie, so blending the technical skills with understanding of finance is essential.
The types of attacks also vary depending on the work that the target does. In investment banking, there's potential for extremely destructive breaches, and hackers can interrupt key flows, disrupt information channels, create imbalances in the market and wipe data. For retail banks, by contrast, the target is usually the customer: breaking into accounts, manipulating and compromising transactions. While there is some activity attacking institutions generally, it's much more common that individual clients are exploited for their personal data - and this is where customers need to be protected and learn to protect themselves.
"There's a range of measures you can take," says Horne. "Techniques around having secure authentication, helping customers protect their devices, having good intelligence and monitoring capability to detect when clients are behaving in an anomalous way."
Much of helping customers help themselves comes down to education - hence the importance of Cyber Security Awareness Month and the Keep Safe Online campaign. Banks are increasingly investing in these kinds of projects to help people get more streetwise about the dangers they face, and encouraging others to take the initiative.
So is the message sinking in?
Horne is fresh from working on PWC's Global State of Information Security 2016 report, a worldwide survey of over 10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs, and directors of IT and security companies from 127 countries.
"We had respondents all over the world answer quite detailed questions on their security," says Horne. "In many cases, it's about trends continuing; you're seeing a steep rise in the number of incidents being detected, and a rise in attacks that companies believe were nation-state directed.
"In some ways, there was nothing too surprising, but it confirms that trends are continuing."
The results are interesting. While incidents were reported to have increased by 38%, 24% of respondents said they had boosted their information security budgets and that financial losses decreased by 5% year on year. They also listed a number of initiatives taken to improve security and reduce risks: more than half said they used big data analytics, cybersecurity insurance, risk-based security frameworks and cloud-based cybersecurity measures to keep customers safe.
The banking industry is developing in a multitude of ways, all of which, from the increased use of mobile to the expansion of cloud-based services, have complex implications for cybersecurity and the safety of customers. New technology is a double-edged sword: it presents new options for improving controls, but at the same time brings in new vulnerabilities.
"In many ways it really doesn't matter what the new technology is," argues Horne. "It's a constantly evolving environment, and within that environment there are improvements that can be gained and there are going to be new vulnerabilities that need to be managed.
"All this makes it a really changing landscape."