In November last year hackers gained access to US retail chain Target’s computer system and stole financial and personal data of 110 million shoppers.

The crime began with a malicious email clicked by an outside vendor two months prior. Once hackers had access to the vendor – a ventilation and air-conditioning company – they were able to gain access to Target’s computer system and payment card data.

It is just one more example of the efficiency and ingenuity of cyber-criminals, a threat that is becoming more sophisticated and collaborative by the day.

Doug Johnson, vice-president, risk management policy, American Banking Association (ABA), says the Target attack shows how cyber-attackers will take a “long winding road” to get what they want. “They didn’t initially think they were going to attack Target, until they found out they had access through the air conditioning company.

“The sophistication of threats these days creates great vulnerabilities across our entire supply chain of vendors, which impact both institutions and retailers.”

Target is not the only recent example of a high-profile attack. Also in 2013, it was discovered that a global cyber-crime ring had stolen USD45 million from two Middle Eastern banks by hacking into two credit card processing firms and withdrawing money from ATMs in 27 countries. Armed with ATM cards, the crime group made some 40,500 withdrawals.

These attacks have caught the attention of governments, regulators and banks’ high-level executives. US securities regulator the Securities and Exchange Commission hosted a roundtable on the topic in March which included speakers from the Department of the Treasury, the National Security Council, Microsoft, all the major US exchange and market infrastructure operators, and banks and brokers including Bank of America Merrill Lynch, Wells Fargo and ITG.

UK-based telecommunications company BT surveyed 500 IT decision makers in a range of sectors – including finance – and found that 54% named ‘hacktivism’ (illegally accessing computers to promote political ends) and 53% named malicious insider threats, including internal fraud, as the greatest risk over the next 12 months.

Steve Durbin, vice president at Information Security Forum (ISF), an independent organisation comprising companies worldwide, says the nature of attacks is constantly changing.

“It’s about resilience rather than total security, as the latter can never exist. The bad guys are getting better and we’re always going to be playing catch up,” he said. “Organisations will continue to be targeted and at some point somebody will get through.”

Shared experience

In November last year, the Bank of England (BoE) held a resilience exercise, Waking Shark II, to test the wholesale banking sector’s response to a sustained intensive cyber-attack. The exercise consisted of simulating a three-day scenario in a four-hour session. A report later released by the central bank said progress had been made since the previous exercise in 2011, but a couple of things could be improved.

The report found that although the exercise successfully demonstrated cross-sector communication and coordination, the BoE is considering the establishment of a single coordination body from the industry. It also reminded organisations of the need to report attacks to law enforcement and regulators. At present, fear of bad publicity or further attacks tends to lead to under-reporting.

Across the Atlantic, ABA’s Johnson says banks in the US have a “great capacity” to share cyber-crime information, but the country could always do better.

The Financial Services-Information Sharing and Analysis Centre (FS-ISAC) was established in 1999, following a government mandate for the public and private sectors to share information about physical and cyber-security threats and vulnerabilities to help protect US critical infrastructure. “This year we’re particularly interested in growing the ISAC substantially past 4,500 institutions,” Johnson says. “And we’re working on automating the sharing of that information. We’ve also started a fairly significant initiative to pull retailers and banks together into a series of working groups.”

Johnson says the challenge now is to share information across borders. “We will see greater levels of interaction between countries. We already have a very strong relationship with the British Bankers’ Association. We try to ensure that we all have access to the same information on threats and similar regulatory requirements.”

Bullet proof

But collaboration is just part of the equation. Cyber-resilience is also about “situation awareness” and having the right technology and people at the helm, according to Fredrik Hult, an independent cyber-resilience advisor who worked on Waking Shark II.

“Institutions need to invest heavily in situational awareness, including security analytics, to improve their ability to detect an attack,” he says.

“A lot of firms think they are secure, but they don’t have great detection mechanisms. And if you don’t know what’s going on, you don’t know you’re being hurt.”

Hult says banks need to try to be predictive rather than reactive, by building a significant knowledge base on how attackers operate. “Institutions need to understand the purpose behind an attack. Was it simply espionage, disruption or fraud?”

To do this, banks need to marry qualified people to up-to-date technology, he says. “Cyber-capabilities are tied to people. Technology ages very quickly in this industry. If you don’t invest enough in people, then banks are not as good as they could be and may be compromised.”

Hult says banks need aggregation tools to collect all data and make sense of it, and skilled staff to query and mine the information to dig beneath the surface.

Moreover, banks with strong detection capabilities can then provide material and data to executives to make the business case for further investment in cyber-crime prevention.

Resilience varies across the industry, with some institutions doing well in certain areas while others are not. Hult says, “There are a number of firms investing way ahead of what current regulatory requirements are. It’s because these firms are threat informed and risk aware – they get it.”

Perpetual warfare

ABA’s Johnson says there will always be gaps in expertise, but nevertheless believes better education and governance can help banks. He highlighted that the US Congress had presented bills to fund research and development to increase the number of cyber-skilled people within financial institutions.

“But it’s also a governance issue,” Johnson says. “People have a tendency of thinking it’s a technical problem, but really it’s about ensuring that you as an institution have the right governance in place at the highest level of the organisation, including the board.

“In the long haul, we don’t want people to have the natural human reaction of pausing management oversight just because there is a pause in cyber-attacks. Organisations need to build a governance structure that allows them to deal with the issue as it evolves.”

Regardless of the cyber-resilient systems in place at banks, Hult says institutions will never be able to win the war against cyber-crime – it will always be a tie.

“But if banks start predicting their next move, they’ll be able to manage the threat in a more cost-effective way.”

“It’s a very tiny first step, as the field moves so quickly that something that had good detection capabilities five years ago is no longer effective. If you’re doing the same thing you did 10 years ago, you are losing the game – you’re toast,” he says.