Business suffering collateral damage from escalating levels of cyber warfare

The attacks brought down three television broadcasters and two major commercial banks, affecting 32,000 computers at the respective organisations, and were traced back to servers in China. This led to speculation that they were instigated by state-sponsored North Korean hackers who have previously used China-based servers to launch attacks on their neighbour.

The Korean incident has fuelled concerns that future conflicts between nation states will be fought in cyber space, especially as computer hacking represents a far more economic means of attack than nuclear weapons. And while the idea of a cyber-based World War Three may be worrying in its own right, there is also a growing concern among corporate risk managers that state-sponsored cyber attacks will leave many organisations, especially financial services, vulnerable to collateral damage.

Peter Hill, Chief Technology Risk and Security Officer at ING US, voiced this concern during a panel debate organised by Clear Path Insights on cyber risks facing financial services firms. Mr Hill referred to the development of super-malware such as Stuxnet and Flame, created by national agencies, that has crossed the barriers of logical and physical security.


“If I look at this from a financial services perspective you have to wonder what potential opportunities there are to use this malware, for example in a credit card processing unit to change what is embossed on credit cards,” said Mr Hill.

Concern is heightened by the fact that these powerful tools are being traded on underground networks. As Bradley Schaufenbuel, Director of Information Security at Midland States Bank, noted, cybercrime is becoming increasingly industrialised. “Long gone are the days of hackers nibbling at your perimeter, seeking bragging rights. All the evidence indicates to us that we are dealing with a sophisticated underground economy with the same specialisation of services that you would see in any modern economy.”

Mr Schaufenbuel has also seen a rise in the number of blended threats, where a distributed denial of service (DDoS) attack is used as a smokescreen to launch an onslaught on commercial accounts. “We rarely see malware which doesn’t attempt to exploit two or more vulnerabilities.”

These trends have created three significant challenges for financial institutions, said Mr Schaufenbuel. “Firstly, because the threats have become more sophisticated, they are much harder to defend against. Secondly, because the pace of innovation in the world of cybercrime is quickening, it is harder to keep up. Finally, the cost of defending against cybercrime is increasing. More sophisticated counter measures come with higher price tags.”

Although financial institutions are spending more on cyber security, at least technology is advancing to meet their needs, said Mr Hill. There is, however, a challenge in incorporating these tools into banks’ IT infrastructure. The increased need for security expertise has also meant that demand for skilled staff is outstripping supply, causing problems for organisations that do not have full security teams.

Changing business models, most notably the increase in mobile device usage, have exacerbated cyber risks. “This increases the potential to lose control of our data as it is being used in personal devices and we all have different mechanisms for controlling them,” said Mr Hill. “It will get to a point where one may not know where their data is, so we have to manage that data versus device issue.”

The main vulnerability for financial institutions is their customers. Most banks have the tools needed to successfully mitigate cyber attacks. These tools include next generation firewalls, sophisticated intrusion prevention systems, anti-malware, data loss prevention, content filtering software and security event information management systems. The same is not true of their customers.

“As the security of our public facing network and systems improves over time, cyber criminals have turned their attention away from our network perimeter and towards our employees and customers,” said Mr Schaufenbuel. “Because we have a much greater ability to lock down end points used by employees, most of the attacks we are defending against these days originate from customer-owned systems that have been compromised by cyber criminals and that we don’t control.”

In addition to attempting to increase the level of security awareness among its customers, Midland States Bank has also focused more attention on decreasing employee susceptibility to the social engineering techniques often used by cyber criminals.

“In the past year we have doubled the amount of mandatory employee training on topics related to social engineering. We have also increased the frequency with which we conduct testing to measure employee susceptibility to social engineering techniques, and have made the detailed results of this testing available to managers and supervisors so that corrective actions can be taken at the individual employee level,” said Mr Schaufenbuel.

Once a potential incident is identified, both ING US and Midland States Bank have security incident response teams composed of security staff and corporate communications, legal, compliance and business experts ready to step in. “They have a very structured process to triage the incident which starts off with understanding what it is, what is required to ‘stop the bleeding’ or prevent any additional damage from being done, and the communication required both internally and externally,” said Mr Hill. “Finally, a root cause analysis is completed to ensure that we don’t see this form of incident occurring again.”

Both banks also carry cybercrime insurance, said Mr Schaufenbuel. These policies typically have large deductibles and many exclusions, and do little to protect against the reputational damage caused by a cyber attack. “We don’t rely on insurance as our primary method of mitigating cybercrime risk. In my opinion, focusing on cybercrime prevention offers most financial institutions a much higher return on their investment than paying insurance premiums. That being said, when a major security incident does occur, not having any cybercrime insurance coverage at all could have catastrophic repercussions for your organisation.”

A key aspect of any organisation’s cyber security strategy is gaining the support of the executive board and, even with the increased media attention on cyber risk, securing necessary capital support is a constant challenge.

The day before any breach the return on this investment is zero and the day after a breach it is infinite, said Mr Hill. “This perfectly describes the challenge security has in most corporations.”

Gaining this support requires translating security risks into tangible business components that can be directly related to the company’s business objectives, said Mr Hill. “These must be prioritised from a risk-based perspective and provide clarity on the top security items requiring attention.”

He also thinks that reporting structures for cyber security must be reconsidered, especially within the financial services industry where cyber security has typically been managed in the technology division and reported to the chief information officer. “The question is whether that is the right place for security in the future and are there potential conflicts of interest as a result? Is there also a greater opportunity for the right level of exposure and support, if cyber risks are reported elsewhere such as an audit committee?”
