By Prof. Dr. Igor Podebrad, Group Chief Information Security Officer, Commerzbank
While technology is opening up new worlds of possibility, the downside is that its pervasive use brings new and more pernicious cybersecurity threats. Indeed, cybercrime now constitutes one of the greatest financial risks to governments, businesses and the public alike.
Improving cybersecurity protection can reap significant economic and reputational benefits, but simply purchasing the latest fraud-prevention technology is not enough—without the support of a trained workforce, even the most advanced technology can fall short of the mark. Financial institutions (FIs) should seek to understand their own risk exposures and tailor their internal controls, procedures and workforce training accordingly.
The economic motive
FIs have more to lose from security breaches than other institutions—not least because of the sensitivity of the data they hold and the public-facing nature of their products and services. This makes them top targets of cybercriminals: just look at the United Kingdom, where, according to the Financial Times, companies in the financial-services sector experienced a fivefold rise in data breaches in 2018 compared to the previous year (145 significant cyberattacks, up from the 25 reported in 2017). Aside from the upfront costs, fraud can cause further business-interruption losses by reducing efficiency and disrupting cash flow.
Previously, the priority for FIs was to prevent security breaches—to steer clear of danger. Yet the goalposts have moved. The primary focus now is on achieving operational resilience—the ability to withstand an attack. Some credit for this shift in perception goes to the G7 Cyber Expert Group’s publication of its “G7 Fundamental Elements of Cybersecurity for the Financial Sector” (G7FE) in 2016. The paper constitutes a guide that entities can use to develop their own approaches to cybersecurity, informed by their individual risk-management needs and culture. More importantly, the G7FE provides FIs with a set of cybersecurity best practices as they seek to design and implement effective policies and operational frameworks. It goes without saying that operational disruptions will occur at some point—so by establishing a series of protocols, companies can minimise the damage while dealing with such disruptions in a timely manner.
A can of (cyber) worms
Banks and other FIs have invested substantially in market-leading technology to protect against cyberattacks—but educating staff and promoting security awareness are of equal importance. According to a recent McKinsey & Company study, human error was a factor in around half of the recorded incidents. The vulnerability of information systems is as much a human as a technological risk, with attackers increasingly targeting the employees themselves as a means of access.
So-called “social engineering”—an attack vector that exploits the human element—can be highly effective and is now ubiquitous throughout cyberattack processes. Fraudsters target individuals in order to extract key information or credentials, or directly infiltrate the target company’s systems, databases or bank accounts. Criminals who are collecting such information approach individuals seemingly innocuously with a phone call or email, sometimes even engaging in regular correspondence to convince the potential victim of their credibility. “Phishing” emails are more generalised and are sent to multiple recipients, so they are often easier to detect. But “spear phishing” attacks—in which the criminal tailors his or her approach to deceive a sole target recipient—can be harder to recognise.
In some cases, such attempts are meant to induce the employee to inadvertently download malware, such as a virus or a “worm”, onto company systems, which can then propagate within the network or simply commandeer that particular computer to harvest data. For instance, a Trojan horse virus takes control of the individual’s computer to damage, disrupt or steal; a rootkit is designed to allow privileged access to restricted areas within a computer while going undetected; and a keylogger collects private data and credentials by logging keystrokes on the victim’s keyboard and relaying these to the perpetrator.
Seemingly small-scale social engineering can accumulate into cyberattacks of drastic proportions. Indeed, the Bangladesh Bank cyber-heist in February 2016 was a major wake-up call for the financial-services sector as to the scale of cyber-risk. Hackers issued 35 fraudulent instructions via the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network to illegally transfer US$951 million from the Federal Reserve Bank of New York (FRBNY) account with the Bangladesh central bank. The hackers disabled Bangladesh Bank’s printers—to which SWIFT usually sends notifications of the transfer orders—with a piece of malware, meaning the bank’s employees were unaware that the heist was ongoing. The criminals successfully received $101 million of the total requested transfer (as FRBNY blocked the remaining transactions), with only $20 million of this sum being recovered due to an error in the instructions.
Human error contributed heavily to the failure to detect the fraudulent activity: employees at the Rizal Commercial Banking Corporation (RCBC) failed to stop the attackers from opening fraudulent accounts to receive the stolen funds; human error in the installation of the SWIFT system at Bangladesh Bank may have opened up security vulnerabilities; and inconsistencies in the fraudulent SWIFT orders were not identified in real time by FRBNY.
Spotting the red flags
The incident highlighted the fact that rigorous training for staff and senior management is as much of a priority for the banking sector as technological defences. Individuals need to be fully equipped to identify the red flags in real time and trained to raise them quickly through the correct channels to block any breaches.
Good governance and proactivity are integral to instilling vigilance around cyber-risk into everyday corporate culture. For instance, the responsible person at every FI should be encouraged to build profiles of would-be attackers, how they might operate and what their motives are. Identifying whether attackers are targeting disruption, surveillance or data theft allows organisations to deal with the situation more efficiently.
Furthermore, entities should implement controls and procedures around incident response as part of their risk-management strategies. These controls should clearly outline where decision-making responsibilities lie, define escalation procedures and establish processes for communicating with internal and external stakeholders. As a result, they can be used to facilitate effective and timely responses for banks and other FIs when they are exposed to cyberattacks.
Putting training into practice
A key strategy for keeping banks, and their customers, safe and minimising the chances of an attack remains, of course, prevention. This involves ensuring that staff and clients are regularly informed about cyber-risks, including phishing attempts and social engineering.
At Commerzbank, for instance, we invest heavily in cybersecurity training for our workforce and use secure, user-friendly applications and release processes—as well as run awareness campaigns for employees. Detection capabilities are also paramount. Fraud-detection engines identify suspicious payment orders in real time. Well-trained corporate-client consultants contact our customers to verify the payment orders and enable them to recognise attacks on their companies on their own at an early stage. If orders have already been processed, this process is followed by quick “reaction and confinement”, where fraudulent bank transactions are stopped or cancelled. Commerzbank, for one, remains in close collaboration with relevant law-enforcement agencies, as well as with relevant banking partners, throughout the entire process to limit any potential damage. Commerzbank has saved hundreds of millions of euros of customer funds. Due to the awareness training with our customers, most of the attacks are now identified by our customers themselves, which is considered to be the most important achievement of our anti-cybercrime strategy.
In essence, cybersecurity is about people. Investing in advanced technology alone does not necessarily mean better security. Leading FIs are those that invest not only in technological excellence but also in thorough cybersecurity training among all of their staff with the understanding that these individuals can play a crucial role in keeping the door firmly closed to cybercriminals.