Finance industry firms offer rich pickings for cyber criminals – and they’re having to sharpen up their act as those criminals become increasingly sophisticated
If you were to suggest to most CEOs that they might want to include an £8.5 million cost, attributable to nobody they know, in their latest accounts, the likelihood is that you’d be sent packing. However, that’s precisely the amount that information security research body the Ponemon Institute found was lost on average to cybercrime by large UK financial services businesses in 2015.
That £8.5 million figure is an increase on each of the previous three years and it gives an important insight into the negative value of cybercrime to the financial services sector.
As such, it serves as a warning to the Channel Islands, where 40 per cent of GDP relies on the health of the finance industry, which itself relies to a great extent on information and communications technology for its everyday operations and to stay connected with the rest of the world.
In the islands themselves, there’s a growing awareness of the threat that cybercrime poses. In February last year, John Harris, Director General of the Jersey Financial Services Commission, wrote to all CEOs of financial businesses in the island warning them of the risks. “Common risks involve data/information theft, misappropriation of client assets and reputational damage,” he wrote. “These all carry financial costs, which may be significant and may also result in breaches of the law…”
Stephen Baker, Senior Partner at Jersey-based law firm Baker & Partners, is in no doubt about the threat that cybercrime presents to the Channel Islands’ financial sector. “Widespread hacking is a massive threat,” he says. “Criminals are so sophisticated that they pose a threat to institutions and clients.”
The trouble is that cybercrime sets unique challenges to any business. First, it can come from any part of the world. A hacker can be based in any country and use various methods to cover his or her tracks, but equally, they could be an insider or have help from someone within the business.
“There’s genuine insider risk,” says Mike Loginov, CEO of cyber security specialist the Ascot Barclay Group. “Over 40 per cent of commercially related cybercrime involves insiders, making the management of user privileges and the use of sensitive company information a significant issue for many organisations.”
As well as the issue of geography, cybercrime comes in many forms. From DDoS (distributed denial of service) attacks to spearphishing, whaling, malware and old-fashioned brute-force hacking, the list of threats can seem endless.
On top of the actual losses derived from being a victim of cybercrime, John Harris’ letter went on to remind business leaders that there are also regulatory issues that can lead to the companies that have suffered a breach being punished through fines, restrictions or even criminal trials.
Naturally, the apparent enormity of these risks has led organisations to turn to the insurance industry for cover in the event of a breach. “We’re seeing an increase in enquiries about cyber insurance,” says John Lowery, Corporate and Professional Risk Broker at Channel Island insurance broker Rossborough.
“From an insurance point of view, there’s the first-party risk to our client’s own business data and the third-party risk to their clients’ data, which can also result in fines and penalties. Recent cases have demonstrated this is the case.” He cites TalkTalk’s fine of £400,000 last October following the theft of the personal data of nearly 157,000 customers.
Companies are also taking alternative routes to dealing with the aftermath of attacks, says Baker. “As criminal investigating authorities receive fewer resources, we’re seeing private lawyers being hired. And they’re acting aggressively because if you fall victim to an attack, you only want it to happen once – creating a deterrent effect is important.”
On the regulatory front, EU regulations set to come into force in May 2018 will affect Channel Island businesses that process the data of EU residents. The General Data Protection Regulation (GDPR) introduces the concept of ‘privacy by design’, which means that data protection considerations must be included in business processes for products and services.
On top of this, there is scope for fining companies up to €20 million or four per cent of total worldwide annual turnover.
“GDPR will lead to many businesses having to change their attitudes and cultures to data protection,” says Justin Bellinger, Group Business Transformation and Development Director at telecoms provider Sure International. “We can try and block access [to malicious actors] through firewalls and other technologies, but the weakest link is us, the users. As long as we can’t shift the culture away from relying on the IT department to the users, we won’t get anywhere.”
The need for a cultural shift has been brought about, in part, by the rise in attacks that rely on human behaviour to succeed; these top the list of common attack methods, and a number of them are examined below.
Up to 95 per cent of all data breaches start with a phishing email – a counterfeit message designed to look as though it comes from a genuine source. The intention is to lure the reader into clicking on a link or opening a contaminated attachment, which then installs malware on the network and hands access to the attacker.
A 2013 attack on US retailer Target was initiated by a phishing attack on the company’s air-conditioning maintenance provider. Once an employee of that provider had clicked the link, it downloaded a version of the Citadel Trojan, malware that can, among other things, log keystrokes and obtain email server details.
In just under three weeks, the attackers stole 40 million credit card numbers and over 70 million client data records.
Phishing attacks come in a number of guises, with spearphishing the most common. In such an attack, the email appears to come from a trusted source or individual. Similarly, ‘whaling’ attacks send spoof emails from senior executives, on the basis that many of us act unquestioningly when asked to do something by the boss.
Technology is an important defence against phishing attacks, but with their sophistication always increasing, there’s no doubt that email filters, firewalls and the like must be backed up by human awareness training.
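As an added illustration of the kind of automated check that can sit behind the "email filters" mentioned above (this is example code written for this page, not anything from the article or the firms it quotes), the block below runs three simple tests over constructed email headers: whether a display name matching a senior executive arrives from a non-corporate address (the ‘whaling’ pattern), whether the sender domain is a near-copy of the legitimate one, and whether a Reply-To header would divert replies to a different domain. The corporate domain, the executive directory and all addresses are hypothetical.

```python
# Added example: heuristic checks for spoofed-sender ("whaling") and lookalike-domain
# phishing over constructed e-mail headers. Not code from the article; the company,
# people and domains below are hypothetical.
from email.utils import parseaddr
from difflib import SequenceMatcher

CORPORATE_DOMAIN = "example-bank.je"      # assumed legitimate sending domain
EXECUTIVES = {"jane doe", "john smith"}    # assumed directory of senior staff (lower-case)


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain: str, legit: str, threshold: float = 0.8) -> bool:
    """True when `domain` closely resembles `legit` but is not identical,
    e.g. 'examp1e-bank.je' versus 'example-bank.je'."""
    if not domain or domain == legit:
        return False
    return SequenceMatcher(None, domain, legit).ratio() >= threshold


def assess(headers: dict) -> list:
    """Return a list of human-readable reasons the message looks like a phishing or
    whaling attempt. An empty list means none of the three checks fired."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    from_dom = _domain(addr)

    # 1. Executive's name in the display field, but the address is not ours.
    if name.strip().lower() in EXECUTIVES and from_dom != CORPORATE_DOMAIN:
        reasons.append(f"display name '{name}' is an executive but address domain is '{from_dom}'")

    # 2. Sender domain is a near-copy of the corporate domain.
    if lookalike(from_dom, CORPORATE_DOMAIN):
        reasons.append(f"sender domain '{from_dom}' is a lookalike of '{CORPORATE_DOMAIN}'")

    # 3. Replies would be routed somewhere other than the apparent sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        reasons.append(f"Reply-To domain '{_domain(reply)}' differs from From domain '{from_dom}'")
    return reasons


# Constructed sample messages (header subsets only).
SAMPLES = {
    "legitimate": {"From": "Jane Doe <jane.doe@example-bank.je>"},
    "whaling":    {"From": "Jane Doe <jane.doe@webmail.example>"},
    "lookalike":  {"From": "Accounts <payments@examp1e-bank.je>"},
    "reply_to":   {"From": "John Smith <john.smith@example-bank.je>",
                   "Reply-To": "john.smith@mailbox.example"},
}


def scan(samples: dict) -> dict:
    """Run assess() over a mapping of label -> headers; return label -> reasons."""
    return {label: assess(hdrs) for label, hdrs in samples.items()}


if __name__ == "__main__":
    for label, reasons in scan(SAMPLES).items():
        print(f"{label:10s} {'OK' if not reasons else '; '.join(reasons)}")
```

These checks are deliberately simple and will not catch a message sent from a compromised legitimate mailbox; they are the sort of rule that complements, rather than replaces, the awareness training the article argues for.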
Crypto-locker or ransomware attacks
As Bellinger explains: “This is an attack that uses a piece of malware masquerading as a genuine piece of software or an email. Once installed, it encrypts the contents of the machine’s hard drive and issues a ransom note. The note demands payment, usually by Bitcoin, in return for regaining access to the system.”
Unfortunately for the victims of such attacks, there is often little choice but to pay the ransom, although the cost involved can be offset with insurance. “We’re definitely seeing more enquiries about protection against cyber extortion,” says Lowery. “Following an attack, the insurer will take control of the systems at a technical level and will pay the ransom.”
This does, however, create a dilemma. “Paying the ransom just makes you more valuable to the attacker,” says Bellinger. “It commoditises both you and your data.”
DDoS attacks involve flooding a company’s systems with requests to the point that they can no longer function. They are aimed at causing disruption and, in themselves, don’t directly lead to a network breach or the loss of funds or data. They can, however, be used as a distraction from a second attack aimed at theft.
DDoS attacks are the most common form of attack, with 57 per cent of financial institutions worldwide reported to have fallen victim. The scale of disruption can be enormous, as an attack last year on US internet performance management company Dyn proved – the incident took out internet services across the north-east of the country for most of a day.
DDoS attacks are focused on a particular organisation and can cause huge problems, particularly for companies that transact online. Whereas attacks aimed at breaching a network often need human intervention (unwittingly or not) to succeed, DDoS attacks can only be fought off by defensive technologies.
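One of the "defensive technologies" the passage refers to begins with simply noticing the flood. The block below is an added example (not from the article) of a per-source request-rate detector run over constructed web-server access-log lines in Common Log Format: it keeps a sliding window of timestamps for each client address and flags any address that exceeds a request threshold within the window. The log lines, addresses (TEST-NET ranges), window and threshold are all illustrative; a production system would also look at aggregate rates, since a distributed attack spreads requests over many sources.

```python
# Added example: sliding-window request-rate detection over constructed access-log
# lines. Not the article's code; log lines, thresholds and addresses are illustrative.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (ip, datetime) for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def flood_sources(lines, window_s: int = 10, max_requests: int = 100) -> dict:
    """Scan chronologically ordered log lines and return {ip: peak_count} for every
    source that made more than `max_requests` requests inside any `window_s`-second span."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:        # skip malformed lines rather than crash on them
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_requests:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def make_sample_log() -> list:
    """Construct sample traffic: one source sending 200 requests in 10 seconds,
    plus three background clients sending one request every two seconds."""
    base = datetime.strptime("10/Oct/2016:13:55:00 +0000", TS_FMT)
    events = []
    for i in range(200):  # noisy source: 20 requests per second for 10 seconds
        events.append((base + timedelta(seconds=i // 20), "203.0.113.5"))
    for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9"):
        for s in range(0, 10, 2):
            events.append((base + timedelta(seconds=s), ip))
    events.sort(key=lambda e: e[0])  # logs are written in time order
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512' for ts, ip in events]


if __name__ == "__main__":
    for ip, peak in flood_sources(make_sample_log()).items():
        print(f"flagged {ip}: {peak} requests within the window")
```

Running the block flags only the constructed noisy source; the background clients, at five requests each, stay well under the threshold. Tuning the window and threshold to a site's normal traffic is what separates a useful alert from a noisy one.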
Cybercrime is a global problem and finance is a particularly attractive victim, but, as has been pointed out in this article, there needs to be a cultural shift within organisations if the problem is to be dealt with effectively.
Loginov sees this shift as one that needs to redefine how we think about cyber risk management at a cross-functional organisational level.
“There’s very little information security representation on boards despite 70 per cent of CEOs saying they see cyber security as a major threat to their businesses. One of the biggest challenges is understanding that this is not purely a technology challenge, it’s just as much an HR issue, because we’re dealing with changing cultures towards personnel taking the online threats and security of data a lot more seriously.”
That threat is not limited to businesses alone. As Panama has discovered following the Mossack Fonseca breach, reputational damage can affect the whole jurisdiction.
If the Channel Islands are serious about maintaining their global reputation as well-run jurisdictions, they must ensure their approach to information security looks beyond technology and works to bring everyone working in the sector onside.