Keep on top in the cyberwar
Cybersecurity is part of a never-ending arms race
Companies are becoming increasingly aware of the immense harm that cyber-attacks can do to their businesses. Not only is it possible to lose substantial sums of money but such threats can damage reputations and sour relations with clients.
High up on the embarrassment scale was what has become known as the Bangladesh Bank heist. In 2016, hackers managed to steal an estimated $81m (€73m) from the Bangladesh central bank’s account at the Federal Reserve Bank of New York.
It could have been worse. The original plan was to steal almost $1bn, but a sharp-eyed Deutsche Bank employee noticed a spelling mistake in the transaction’s documentation. As a result the ruse was discovered.
The authorities are also tightening up on regulations related to cybersecurity. In the EU, the General Data Protection Regulation is coming into force in May 2018. In the US, the president has issued an executive order commanding a review of the US’s cybersecurity readiness. Other countries too, including China, are improving their cybersecurity defences.
Financial institutions should take cyber threats seriously but they should not panic. Certainly the days have long gone when some considered a firewall and some anti-virus software a sufficient defence. Not only is technology becoming more sophisticated but criminals are inventing new ways of penetrating systems.
One of these is known as social engineering. That involves psychological manipulation as a way of getting access to systems (see Briefing on page 59). Social media can help criminals make such threats more plausible – for example, by harvesting personal data on those they want to target.
There are at least two key mistakes firms can make in reacting to such threats. One is not to take them seriously enough. Cybersecurity involves costs rather than yielding profits. For that reason some institutions might skimp on the necessary investments in IT systems and staff training.
The opposite mistake is to overreact. Fear of the immense potential damage could cause alarm or paralysis.
Cyberattacks are best seen as part of an evolution of the threats that companies have always faced. Fraud and theft are not new, even though the means have become high-tech.
The analogy with physical security should be clear. Until recently, the idea of terrorists using vehicles to mow people down was relatively unknown. But now that the murderous tactic has had some successes, it is necessary to adapt to tackle it.
Cybersecurity should be seen as part of a never-ending arms race. There is no chance of an ultimate victory against the criminals but it is possible to contain their malign activities by keeping one step ahead.
Daniel Ben-Ami, Deputy Editor