The UK’s Tesco Bank, part of Britain’s biggest supermarket chain, is the most recent financial services firm to have fallen victim to a cyberattack. On November 7, the bank announced that some parts of its online banking system were being suspended after it detected “suspicious transactions” on 40,000 accounts the previous weekend. It was soon revealed that £2.5m (US$3.1m) had been drained from customers’ accounts and stolen credit card details were being traded on the dark web within hours of hackers gaining access to the network.
UK watchdog the Financial Conduct Authority (FCA) has expressed serious concerns over this latest cyberattack, advising banks of the need to update their IT security systems. According to the regulator’s own data, the number of cyberattacks reported across the UK financial services sector has increased exponentially over the past two years, with 75 attacks being reported over the period January to October 2016 alone.
Global financial messaging services provider SWIFT has also put pressure on member banks to improve their cybersecurity after a series of hacking attacks, the most audacious being last February’s US$81m heist on Bangladesh’s central bank.
Why is the financial services sector so avidly targeted?
The main reason for financial services firms, especially banks, being targeted is clear: money. A recent study from US mobile giant Verizon has found that financially motivated cyber crimes account for almost 75% of all reported security breaches. Another factor to consider is the ease with which hackers can gain access to the networks of firms in this sector, with legacy systems running rife and many organisations vulnerable to security breaches as a result.
Cyber criminals have undoubtedly become more patient in their approach over recent years. Some hackers will now watch a firm for weeks, months and even years to establish where the vulnerabilities are in its systems. In the case of Tesco Bank, it has transpired that the firm was warned about its lack of IT security on several occasions prior to the breach, with cyber criminals being fully aware of its weaknesses and terming the organisation a “money machine” in live chat rooms.
It is likely that several financial services institutions are unaware of the risks facing their firms from a cybersecurity perspective, and are therefore not allocating budget to this much-needed area. With the number of cyberattacks growing exponentially year-on-year, it is an area that undoubtedly requires an increased focus.
How do these attacks happen?
The methods used by cyber criminals are evolving, with hackers patiently waiting for weeks, months and sometimes even years to establish where the weak points are within a firm’s systems. It is still common practice in many financial services firms to allow access to their systems via a password alone – this is unacceptable by today’s IT security standards.
Social engineering is another frequently used tactic, and can be one of the most effective ways to breach an organisation. It is not uncommon for a fraudster to ring up a member of staff pretending to be an IT technician in order to obtain an employee’s login details, offering an easy entry point into a firm’s network. With this in mind, it is clear that employees are the first line of defence.
A vast number of cyberattacks are targeted at employees, with hackers believing that a firm’s staff are its weakest link when it comes to security. The first step is to ensure that all staff have been trained, and are regularly retrained, to recognise, block and report any suspicious activity across the various forms of security threat.
What’s the solution?
Concerns around cybersecurity are increasing across the financial services sector. However, the truth is that the security systems that are needed to protect a firm against the majority of hacks are likely to already be in place. Technology is the last piece of the cybersecurity puzzle – the key is to focus on the employees who are using IT systems at their desks every day.
Along with ensuring that all employees are fully trained, the best way that firms can truly be confident in their IT security is to take steps to understand the threats to their assets, whether that is a PC, a server, or a key member of staff. The recommended approach is to implement the ISO 27001 standard, which is a recognised standard for best practice for managing IT security within an organisation. As a minimum, a firm should have a register of all its assets, consider the risks facing each one, and then determine what controls can be introduced to mitigate them.
A key issue for banks and other financial services firms is that many do not understand the importance of cybersecurity and the effect a cyberattack can have on the future of a business, not just in terms of business continuity, but also in terms of reputational damage. Firms in this sector must take steps to train their employees on how to identify and handle suspicious communications, in order to bolster their cybersecurity defences.