It is one of the ironies of modern business that the better organizations become at the critical process of digital transformation, the more they expose themselves to the risk of cyber attack. Retaining customer trust will depend increasingly on innovation and technology to safeguard security.
Digital transformation delivers huge benefits to both banks and their customers, but by definition it increases their attack surface – the number of points at which cyber criminals can gain entry to their systems and do them, or their customers, harm. And it creates vast quantities of personal data that must be protected from ever more sophisticated hackers.
The scale of the threat is not immediately evident from publicly available figures. The recent Accenture report Unlocking the value of improved cybersecurity protection found that the average annual cost of cyber crime in banking globally increased by 11% in 2018, to $18.4 million per institution. This is a small sum compared to other operational risks and to traditional fraud, but it is a poor indicator of the risks faced, as Spain’s National Cryptologic Centre lays out in its report Cyber threats and trends 2019, for example. This highlights the huge losses suffered by banks globally through the Carbanak and Cobalt attacks and the increased threat from sophisticated organized criminals.
Much of what banks put in place to fend off cyber attacks must, by definition, remain secret, but institutions at the forefront of the fight are employing an ever-smarter array of techniques to stay ahead of the criminals.
One of these is the use of ‘white hat’ or ‘ethical’ hackers. As Alberto Rosa, corporate head of security & governance at Spain’s CaixaBank, says: “If you want to protect yourself from cyber attacks, you must understand the hacker mindset. Ethical hackers can provide a vision of the strength of your security that can be difficult to achieve from a more traditional point of view.” That is, it takes a thief to catch a thief. White-hat hackers can bring a ‘criminal’ mindset to penetration testing, cyber-fraud prevention, and the detection of cybersecurity threats, which ‘normal’ security employees may not have.
Another critical defence is information sharing. Hackers share information on new exploits and targets, and industry and government are responding with their own threat intelligence-sharing initiatives. Within the EU, CaixaBank is collaborating actively in different Horizon 2020 innovation projects, including Project Concordia.
Concordia is a consortium of 46 partners from government, academia and industry whose goal is to interconnect all of Europe’s cybersecurity capabilities in a connected cybersecurity ecosystem. This may sound abstract, but at the very least it will have a practical impact on innovation in research, education, policy, roadmaps and governance. Within this, Concordia aims to provide a framework for risk assessment and threat-related information sharing to ensure competitiveness, security and regulation in financial entities. The role of CaixaBank is to lead the finance pilot ‒ Assessing Cyber Risks, Threat Intelligence for the Finance Sector ‒ which focuses on the need to share threat-related information within the finance sector.
The bank has also spearheaded the establishment of APWG.eu, the European arm of the US Anti-Phishing Working Group (APWG), an international coalition that unifies the global response to cyber crime across industry, government and law-enforcement sectors and NGO communities, with a global membership of more than 2,200 institutions. And this is not simply a think-tank. APWG’s clearing houses for cyber crime-related machine event data send upwards of a billion records per month to APWG’s members to inform security applications, forensic routines and research programs. APWG Engineering continues to work with data correspondents from its membership and apex data clearing houses worldwide to develop new, potent data resources to unify the global response to cyber crime.
As well as these big-picture initiatives, banks must also keep investing in the basics. CaixaBank has invested in a state-of-the-art security operations centre and has developed an advanced cybersecurity model, certified under the international standard ISO 27001 and recognized as an official CERT, through a team of specialists who are trained and prepared 24 hours a day to prevent, detect and take action when faced with any cyber threat.
Cyber risk is one of the most potent threats to large, digitalizing organizations, but banks may have advantages over others. First, they have always been in the crosshairs. Today it may be ransomware and digital attacks, but previously it was paper-based cheque and mortgage fraud and even guys with guns. So, banks have always needed a proactive security posture. Second, banks are fundamentally risk-management operations and have long been dependent on complex technology running across large networks of branches and subsidiaries. They understand long-tail, low-volume, high-impact market risks and, with regulation, they are experienced at managing the intersection of operational risk and compliance.
However, the cyber world is evolving far faster than the physical world and, in the virtual world, the past very quickly does not look like the present. This environment demands new types of processes and systems designed to spot problems before they happen. Only banks committed to a secure digital future will retain the trust of their clients ‒ the foundation of the industry since its beginning.