The report, which was based on more than 100 conversations with banks, retailers and investigators, concludes that cyber-security threats “are escalating more quickly than banks or businesses can deploy defences against them” and proclaims that “the username/password combination as an authenticator is officially broken”.
The risk of cyber attacks is of growing concern to banks and businesses. Another study published by PwC earlier this week found 58% of attendees at the professional services firm’s 2013 finance leaders’ summit believed their organizations face substantial or critical cyber risk – but only 13% are able to mitigate these risks effectively. More than half said they lack the data to manage cyber risk well.
Another survey published by PwC this year found 93% of large organizations and 87% of small businesses had suffered a security breach in the previous 12 months. The survey also found that the number of breaches is rising sharply: the median number of breaches suffered by large organizations was 113, up from 71 in 2012.
Cyber attacks might be carried out for a range of reasons, from financial gain to political protest. While some cyber attacks are the work of sole agents, others are carried out by hacktivist groups or by organized crime rings. The method of attack also varies, from hacking and phishing to denial of service attacks and malware.
Such attacks can have a sizeable impact: as well as financial loss, the victims of cyber attacks can also suffer substantial damage to their reputation if customer information falls into the wrong hands.
Earlier this month, Adobe reported that hackers had extracted data relating to almost three million customers, including encrypted debit and credit card numbers as well as source code for some of the computer software company’s products.
“Cyber attacks are one of the unfortunate realities of doing business today,” says Brad Arkin, the company’s chief security officer.
Cyber attacks are also of growing concern to banks, particularly since a denial of service attack carried out on HSBC in October 2012 left millions of customers unable to access online services for seven hours. Last month, 12 men were arrested after another cyber attack on a London branch of Santander was foiled.
The Aite Group report points out that those seeking to protect their businesses from such threats are at a natural disadvantage. In the cyber-security arms race, the criminals are typically one step ahead of their intended victims.
“The bad guys don't have to make a business case in order to innovate and deploy new technology, whereas the forces of good usually do,” says Julie Conroy, research director at Aite Group and one of the authors of the report.
“Typically with a large bank, you are looking at an 18-month cycle between the time that you identify your issue and the time when you are able to get it not only through your business case channels but also your IT queue in order to get your solution deployed.
“By then the bad guys are leaps and bounds ahead of you again.”
To address this disadvantage, Conroy says banks can become more proactive and start planning for tomorrow today – although knowing what the threats are likely to be in 18 months’ time presents another difficulty.
So institutions also need to have an infrastructure that allows them to be nimble and adjust their policies and procedures on an ongoing basis – essentially turning themselves into a moving target.
“I’ve spoken with some people as part of this research that really are doing that – they are that moving target,” says Conroy. “They are finding in many cases that the bad guys are going elsewhere, because these people do study their targets and if they can’t figure those targets out they are going to move on to another target that is a little bit easier to compromise.”
In addition, Conroy says some banks are looking to become more flexible by evolving their technology infrastructure so that critical technologies can be deployed more quickly.
At an industry level it is clear that these threats are being taken seriously. Minutes of the Bank of England’s (BoE) Financial Policy Committee meeting in September revealed that work is under way to “assess, test and improve the financial system’s resilience to cyber attacks”.
According to the minutes, the next step is “for the boards of the relevant supervisory bodies to ensure that there was a concrete plan in place to deliver a high level of protection against cyber attacks for each institution at the core of the financial system, including banks and infrastructure providers, recognizing the need to adapt to evolving threats”.
The work to construct these action plans is due to be completed by the first quarter of 2014, while the BoE will also be “reviewing its own resilience”.
Conroy comments that in the US a variety of bills relating to cyber security have been presented to Congress, while there have also been attempts by regulators to put forward best practice guidelines.
However, she warns that “any such guidelines need to be looked at as the bare minimum. Very similar to the bank, by the time the guidance gets out there the bad guys are already four steps ahead.”