Create any network wherein money is exchanged and eventually someone will figure out a way to steal it. As banks shift more of their services online and hackers demonstrate daily their finesse in cracking into protected networks, Greg Noone talks to Paul Johnson, chief information officer at Aldermore Bank, and Dr Steve Purser, head of core operations at the European Union Agency for Network and Information Security, about the broad state of cybersecurity in the European banking sector.
Today, the fluorescent beams are hitting the US. They're shooting across the Atlantic from locations deep inside Germany or Morocco before impacting and leaving behind a blast radius signifying the chaos of their arrival. For the most part, they do so individually, but once in a while the beams rain upon their targets in a magnificent barrage. In about nine minutes, two of these will hit St Louis and Tacoma. That's when the light show really begins.
To describe Norse Corporation's 'Attack Map' as visually arresting is an understatement. Resembling a 1980s arcade game, the cybersecurity firm uploaded the visualisation - in which the neon beams of light represent an individual criminal attempt to seize information or disrupt an organisation's online operations - after laying thousands of 'honeypots', sensors, agents and crawlers to watch for, and in some cases, actively solicit cyberattacks across its network of protected computers. The map that resulted is merely a snapshot of the barrage of cyberattacks that occur every day across the world and, as such, acts as a standing reminder of the sheer frequency at which hackers and other criminals seek to prosecute their nefarious deeds.
Outrunning the abilities of the common hacker has been a priority for financial institutions since they realised that digitally storing their customer's information opened up avenues for theft and fraud beyond cold-calling or showing up at a bank's reception with a threatening note. Now, as their customers shed paper bills and regular meetings with their bank manager in favour of an exclusive reliance on online services to conduct their transactions, the vulnerability of the financial services industry to cyberattacks has never come under closer scrutiny.
Safe from harm
For Paul Johnson, chief information officer at Aldermore Bank, balancing a strong digital security regime with an agile online service is a constant battle. Having served in the Royal Navy, in addition to his previous work as an IT consultant to several large and medium-sized organisations over the years, Johnson sees close collaboration with colleagues as the key to an effective response to securing customer data in the long term.
"For me, the key to a technology function's success is building a team that has the skills, behaviours and togetherness to deliver growth while ensuring security, reliability, flexibility and agility," he says. "Likewise for Aldermore, this is fundamental to all that we do. We aim to ensure that customers can rely upon us to meet their needs and deliver great service and expertise."
It's an attitude to customer security that Dr Steve Purser finds is typical among his partners throughout the continental financial services industry. As head of core operations at the European Union Agency for Network and Information Security (ENISA), it's his task to sit with key stakeholders in the banking sector and devise new ways they can defend against attempts to illegally access their customer's personal data.
"For the past two years, ENISA has had a lot more connection with the banking industry," says Purser. "You may say, 'well why didn't that happen a lot earlier?'. In fact, one of the things I would like to say about the banking community is that they are very mature, of course. If you look at the history of the finance industry, they've been pretty much leaders in deploying good security techniques, because obviously there's a strong incentive to do so."
That's certainly the priority for Aldermore, which was originally conceived as an entirely digital bank.
"Whenever advances in digital technology result in increased risks, we are committed to putting in place the appropriate countermeasures," Johnson explains. "Mobile technology and the move towards device-agnostic delivery mean different considerations are needed. Through the use of new security technology, we aim to assure customers that their activities on such devices are secure and have the same level of protection as desktop access."
However, data security remains a two-way street, according to the bank's chief technology officer.
"From our perspective, the biggest threat out there is that the users themselves fail to protect their own device," says Johnson. "They could leave it logged in and unattended, and that essentially means they've left the gate open for the seizure of their personal details."
Fundamentally, the customer need only take simple precautions to make sure their data remains safe.
"Making sure your device is password protected is one obvious step," Johnson explains. "Ensuring that password is strong and regularly changed is another method the customer can use to shore up their defences, as well as simply making sure their computer and the applications that run on it are kept up to date through patches from the manufacturer."
False flags: a look across the broader cybersecurity land
While individual banks are fighting a running battle with hackers, supranational organisations like ENISA have to task themselves with the volatilities of the broader cybersecurity landscape. For Purser, an organised cyberattack on multiple financial institutions simultaneously is something he has actively prepared for.
"ENISA has been very successful in preparing the banking sector for a mass incident, and one really good example of an initiative that's produced a lot of impact over the past four years has been the Pan-European Cybersecurity Exercise (PECE)," explains Purser. "Every two years, we gather together representatives of the 28 member states, from the public and private sector, in this exercise.
It's one of the largest cybersecurity exercises in the world, and we go through a two-year cycle of preparing data-sophisticated exercises and then play it out, not over a desktop but in their actual work location."
The first time PECE was held in 2010, the results were hardly encouraging. "There was basically nothing to test actually," says Purser. "The objectives we set were that, in the event of an incident, who do you call? And there were no emergency lines of communication between the private or the public sector at the member state level. For example, if a cyberattack was launched from Cyprus at businesses in Portugal, there were no ways in which organisations could coordinate a response."
Since then however, the state of European defences has been raised. "As a result of PECE, we've learned enough to come up with a well-defined set of standard operating procedures,'" says Purser. "What's more, these are being continually tested and improved every two years.
So we've come a long way in that time. As a community, we're much more sophisticated in our response to cyberthreats. We communicate well, and we work well together, and I think it's a good example of how organisations like ENISA can achieve real impact in the business community in preparation for cyberincidents."
Protection issues : the right advice for the situation
ENISA advises the European Commission on drafting new legislation to better secure the networks the common market uses to coordinate much of its business. As threats grow more complex, this has meant a closer working relationship with the continent's financial services industry.
"For the past two years, we've seen our relationships with stakeholders in the banking sector increase in importance," says Purser. "This is primarily because we see that the threats facing that particular community are moving extremely fast, and sooner or later it will need the expertise we can provide as an EU-wide agency in recognising what is happening across Europe and how to respond accordingly."
The result is a sophisticated and shifting regulatory landscape, one that Aldermore does its best to keep up with. "The main challenge for us is to ensure that we have sufficient time to meet the requirements of new legislation," says Johnson. "We find this can be mitigated through early engagement and discussions with the appropriate bodies. We're also continuously assessing external and internal threats in line with data security regulations. Our security team monitors all requirements and we operate a permanent security programme that ensures we have the necessary focus and investment in place to meet regulations."
This is easier for a digital bank than one still transitioning the bulk of their services portfolio online. "It's very tough for banks, in the sense that it's a very traditional business," explains Purser. "The sector is very tightly regulated. I would say that the main challenge facing the industry in the future is that the existing legislation and regulation was really designed for older systems. So quite often, some of the regulation that's now enforced was really intended to apply to the old mainframe systems instead of highly distributed systems, which are totally different in terms of their risks and how you deal with them. I think the good thing is that regulators tend to interpret these rules in the light of today's systems. Nevertheless, that emphasis of moving ahead with the times has to continue."
Work together: teamwork in the industry is a must
For Johnson, his job effectively relies on a symbiotic relationship between the institution that employs him and the governmental bodies that regulate it. And those ties are as much defined by advice as they are by preventing malpractice in data security.
"We're all in this together," he says. "It's in everyone's interest to protect the customer, and in that sense financial institutions cannot allow cybersecurity to define their competitive edge, as this is a sector that relies on effective collaboration between banks when it comes to online threats. The worst possible outcome would be if either governments or businesses became insular and fearful of being compromised, and therefore refused to share information. The quicker we share information about new threats, the faster we can ensure that customers are protected."
Protection issues: both sides of the coin
It's a principle that Purser agrees with - up to a point. "There are a lot of conversations going on in the cybersecurity community in Europe at the moment, and there's been a lot of exchange of information and good ideas," he says. "ENISA totally supports this, but there's a pressing need to translate good ideas into real tools that have an impact in the field. At almost every conference you go to today, people say we should share more information. I actually disagree with this. We should share less information, but still share compelling insights between the right stakeholders to get the job done."