Cybersecurity: doing better, together
Cyberattacks have been increasing globally, and financial services is no exception. From DDoS and domain cloning to spear-phishing and credential stuffing; from script-kiddies to advanced persistent threat (APT) actors – we are all seeing higher volume and more sophisticated attacks.
Aim higher
It is tempting for firms to set their cybersecurity sights too low – either waiting for regulation (such as PSD2) before implementing improvements, or basing investment decisions on what others in the industry are doing – perhaps using “I only need to run faster than you, not faster than the gorilla” thinking. This reactive approach leaves firms vulnerable to fast moving attackers who will pivot to exploit weaknesses wherever there is profit to be found for them there.
Cyberattackers demonstrated their agility last year as they took advantage of uncertainty during the pandemic to increase phishing attacks and advance fee scams – including targeting of job seekers in financial services sector.
Promote security-by-default
Financial services firms look after trillions of pounds of customers money, and the sector should be leading the charge on information security. It is surprising to many customers to find that their email accounts have better, stronger security controls than their investment accounts – which all too often still don’t support multi-factor authentication (MFA) or rely on weak PIN code authentications which discourage use of password management software.
Together, we can push each other further and improve the whole industry’s resilience and defences against cyberattacks
A joined-up effort across the sector to push for MFA-everywhere and to support biometric authentication available on all modern mobile devices would help give customers confidence that their savings are well protected. We don’t all have to use the same technology, but we should all meet at least the minimum standards from bodies such as NIST in the USA and NCSC in the UK – not just for new solutions but for legacy systems and existing customers too.
Don’t let fear hold you back
Some organisations may be wary of digitising their businesses due to the fear of cyberattacks – perhaps hoping that manual checks will act as a back-stop against fraud and attackers. But manual processes cannot keep pace with the rate of cyberattacks – and are themselves vulnerable to social engineering and to human error. Continue to invest in automation and digitisation. Automated business-to-business (B2B) processes such as account transfers, share class conversions and open banking are more secure, with less chance of mis-keying and errors.
Automation and artificial intelligence (AI) technologies will be needed to support fraud detection processes – extending know your customer (KYC) from a one-off check at onboarding to an ongoing process to learn from and recognise customer’s behaviour. Getting the AI right requires lots of data – something that is much easier to achieve when we pool our knowledge and data, allowing smaller firms, mutuals and friendlies to benefit from data from across the whole industry. This will likely require some innovative business models as well as innovative technology!
Be a good cyber citizen
Attackers tend to exploit the darker, unloved areas – legacy systems which still support older, less secure standards or which haven’t been patched; niche web portals which don’t implement modern security practices such as attack rate-limiting or intrusion detection and alerting; test environments containing cleartext customer data which are made available to delivery partners. Shine a light on those areas and make sure they are brought up to standard, before attackers find and exploit them.
Be a good citizen in response to incidents too. We need to be open with customers (and with ourselves) when a breach or security incident occurs, explaining clearly what the risk to them is, and what we are doing to mitigate that risk and to prevent it happening again. That openness will also mean that we can all learn from each other to improve further.
Firms already work together to identify and close down phishing sites and domain cloning, but this tends to be within sub-sector groups such as banking and investments – not across the whole industry. Support from the regulators may be required to ensure that concerns about data protection do not block investigations or delay shut-down of these sites and to close down accounts which are used by cyber-criminals.
Together, we can push each other further and improve the whole industry’s resilience and defences against cyberattacks.
About the author
Misha Dorman is principal consultant at Altus Digital. He has spent over 20 years turning financial services strategy into reliable, operational software solutions designing everything from sub-system components to entire IT landscapes.
He has worked with numerous technologies including pensions admin, agency management, fund trading, platforms, ecommerce and workflow. In the process, Misha has become an expert not just in designing solutions but also getting them implemented across a wide range of organisations from specialist software suppliers to global insurers.
He has been responsible for development of the Altus PEAK framework and many of the technical services which build on it.
