Banking has long been a target for fraud, but as technology has become more sophisticated, banks are becoming more exposed to cybercrime threats from countries far from where their businesses are based.
Digital attacks come in a range of forms, from individuals attempting to hack into systems and smaller groups of hacktivists staging a protest, to highly sophisticated state-backed attacks.
Large-scale attacks have attracted increasing attention – such as the breach of JPMorgan’s systems last summer which saw customer and corporate contact details taken, and the recent attack on Sony Entertainment’s systems which some suggest might have been backed by North Korea.
There are repeated warnings that Isis could attempt to mount a cyber-attack against western countries and companies.
State-sponsored attacks attract such attention because of their potential scale and because they are more difficult for institutions to do anything about afterwards, according to Shirley Inscoe, senior analyst, Aite Group.
She adds that there is “little to no cooperation with law enforcement or federal agencies in such situations”.
The online nature of attacks means the risk is no longer limited to a region or even to within a business. It is now possible for systems to be infiltrated from anywhere, with Inscoe noting that a number of recorded attacks are being traced to Eastern Europe, Russia, China, Korea, Iran and Nigeria.
Although protecting against large-scale threats understandably demands more time and budget, banks must prevent too much of their attention being deflected away from smaller scale attacks.
Lower-level cybercrimes can still have a substantial impact on their customer base.
Richard Horne, partner, cyber security, at PwC, says: “Attacks of all sizes are of concern. State attacks that could disable bank systems are a major concern, but equally worrying are attacks against consumers or users of bank services if they start to erode confidence in bank channels.”
These attacks come in a number of forms, and banks are vulnerable to more types than many other institutions.
Seth Ruden, senior fraud consultant at ACI Worldwide, explains that phishing emails and vishing phone calls, where someone poses as a representative of the bank on a call to a customer and obtains information in this way, are not unheard of for banking customers. Banks themselves, however, are at a greater level of risk from targeted attacks such as denial-of-service attacks, where the institution is flooded with information to prevent it from operating as normal.
Aware of this threat, the banking community has taken a tougher approach to protection than other consumer retail sectors.
In the UK, for example, the Cyber-security Information Sharing Partnership was established in 2013 to detail and share the nature of attacks and the steps that can be taken. This collaboration aims to build a united front against hackers, who will likely replicate a successful method of attack against another institution.
Ruden says: "The financial industry is taking more of a defensive stance than other retailers, developing stronger transaction controls, educating its customers, and adding new layers of technology, such as transaction elements, some device-related and/or additional customer authentication data."
The corporate space is also exposed to the often-substantial financial impact of a cyber-attack.
The cost of a breach for corporates can be high – according to the 2014 Information Security Breaches Survey conducted by PwC, the average cost to a large UK business of their worst breach was between £600,000 and £1.5 million. This figure relates just to the amount lost in the attack, and does not take into account the subsequent steps required and amount spent to improve existing systems.
Even for a small business, the sum could be debilitating, coming in at between £65,000 and £115,000.
Fraud threats are not wholly limited to online, and banks still have to remain vigilant to attacks from other channels. One senior transaction banker relates how his assistant received a phone call from an individual claiming to hold a bank account with the institution, and to have forgotten their log-in information. The details were, of course, not forthcoming.
While this was not exactly the most sophisticated fraud attempt, it demonstrates how potential criminals are brazenly going directly to the source to obtain access to accounts.
As well as keeping technology up to date, having the right personnel to keep on top of the ever-changing nature of the attacks is also crucial.
PwC's Horne says: “There are a number of security tools that are being used by banks and large corporations, but it is not just down to the tools – there also needs to be skilled people and efficient processes to identify and tackle new threats.”
Aite Group's Inscoe says most larger organizations “have dedicated staff living and breathing this stuff”, and are likely to have created their own guidance on what they are experiencing.
ACI's Ruden adds that keeping their systems up to date needs to be more than a checkbox for corporates. He concludes: “The case is for a collective effort to limit and change the potential upside for their operations. Making cyber-security a priority and not just a parallel to a compliance requirement is the go-to target.”