The City of London Police chief Adrian Leppard recently claimed that UK banks are covering up the true scale of cyber crime with up to 80% of online crime going unreported to authorities. This very same topic was touched upon in last September’s edition of the SWIFT Institute newsletter featuring the Hot Topic of cyber security.
Clearly an issue that is not about to fade from the spotlight anytime soon, the SWIFT Institute questioned two participants of the upcoming Cyber Security in the Financial Services Industry conference, co-hosted by the SWIFT Institute and the University of Delaware. Craig Young, SWIFT’s new Chief Technology Officer, and David S. Ebert, Director of DHS Visual Analytics Center of Excellence at Purdue University, spoke to us about the level of consideration the financial services industry needed to give to cyber attacks.
Given that one of the conference’s panels on ‘Malicious Insider Threats’ will feature guests from the FBI and Raytheon, we asked whether the financial services industry had much to learn from other industries with regards to cyber security. From David Ebert’s point of view, the answer was a resounding ‘yes’ in that adapting and adopting practices from other fields could be very beneficial, even necessary, given that this dynamically evolving threat was common amongst many industries and parts of society.
Craig Young expanded upon Ebert’s response, pointing out that cyber threat actors could be divided into three major groups: nation state actors; criminal organisations; and hacktivist groups or individuals. In order to better understand how the financial industry aligned with other industries, it was import to understand what area each of these major groups targeted. Young continued, “Nation state actors are typically interested in critical infrastructure such as energy, transportation and financials. Criminal organisations go where the money is, being mainly financial and service industries, whereas hacktivists target any and all industries. Malicious insider activities, regardless of industry or threat actor, are markedly similar. While each business puts a variety of controls, vetting and education in place, these individuals or groups still do infiltrate. There is much for us learn from each other and through each security event.”
We asked whether new financial technology, or ‘FinTech’, products, the majority of which focus on providing easier access for their financial services clients whilst reducing cost, could pose problems for cyber security. Young was unequivocal in his response saying that FinTech products absolutely posed problems for cyber security because they moved key components of their service into areas that were traditionally outside of security control. Young clarified, “Attackers are generally attracted to soft targets, one where they can inject and maliciously interact with these products outside of the fortified castle walls of a server. There is great incentive for attackers to find ways to compromise and divert funds away from FinTech. In a recent McAfee study, they put cyber crime at roughly $400B (USD), just below global narcotic trafficking and counterfeiting/piracy.”
Ebert cautioned that a balance needed to be struck between convenience and levels of security, thus great care should be taken when providing lower cost, more convenient solutions. He responded, “Automated product solutions that eliminate human-in-the-loop solutions can also make it easier for attackers since these solutions are not adaptive and don’t incorporate the human’s experience and ability to find patterns and detect anomalies.”
We wanted to know whether our panellists believed if the cyber security tools presently available on the market were plentiful enough to supply the financial services industry, and if there were any areas in which tools needed to be developed further. Ebert responded by continuing with his theme that humans were still better than computers in detecting patterns and anomalies because they could make decisions from complex, fuzzy data, and utilise their extensive context and historical knowledge, most of which is not available in digital form. He specified that one critical need in product development would be a tool that created interactive security monitoring and decision-making environments, balancing the expertise of an institution’s security personnel and the latest advances in automated algorithms. Furthermore, tools were needed to take advantage and harvest indicators of security and malicious intent from social networking communities as early indicators of developing security threats.
Young agreed with Ebert in that there would always be a need for new tools and techniques to be developed as the threat was always evolving. “Much like antivirus protection, you are only as good as your last signature patterns,” Young declared. As new attack vectors and surfaces are being created or changed, the need for new tooling to defend is constantly being generated, which in effect creates a catch-up model in the development of security tools. He claimed that there were, without question, areas in which further tool progression and refinement would be beneficial saying, “While there are some tools available, there is clearly not enough automation or cooperation where intelligence is automatically gathered and distributed and applied at machine speeds. We need the ability to share actionable intelligence with the cyber community and in time to be able to hinder threats.”
You can hear more about the critical cyber security issues impacting the global financial industry at the Cyber Security in the Financial Services Industry one-day conference, taking place in Delaware, USA on 18th May 2015. Topics covered throughout the day will include:
- New Financial Products and their Security Vulnerabilities
- Malicious Insider Threats
- Cyber Security Tools: What is coming and what more is needed?
- Information Supply Chain post Snowden
Participants will have the opportunity to engage with leading academics and experts from the financial and technology industries as well as those involved in policy and law enforcement.