Briefing: Cyberwar without end
Financial institutions are involved in a cyber arms race against criminals
We are sorry to inform you that your children have been involved in an incident at their local school. There is no need to worry as the emergency services have everything under control. To facilitate the handling of the situation we have enhanced our website to provide information to concerned parents. Please just click on the link below.
This message might seem far-fetched but it is an example of the kind of dishonest email that cybercriminals have used in phishing attacks. In the form above it might not seem that convincing but imagine if it was personalised using information from social media. In many cases it would be possible to find out the name of the parent, school and children from postings on the likes of Facebook, Google Plus and Twitter. This is known as ‘spear phishing’ as it involves targeting individuals rather than sending out mass emails.
Often, IT administrators are the targets of such tailored attacks. This might seem unlikely, given that they are tech-savvy but even specialists can sometimes be fooled if they fear their children are in danger. If there is even an outside chance that one of their children could be at risk they might be tempted to click on the offending link. But once they have done so the program could install malicious software. And, of course, if an IT administrator’s account is compromised it probably gives the attacker access to a lot of systems.
The use of psychological manipulation in this context is known as ‘social engineering’. Rather than simply hacking into a system, it uses human weaknesses as a way of gaining entry into a firm’s computers.
A similar tactic was used recently against Mark Carney, the governor of the Bank of England. Someone purporting to be Anthony Habgood, the chairman of the Court of the Bank of England, managed to engage Carney in an email exchange. In the event, the person involved was just doing a prank rather than pursuing criminal ends. And the governor, to his credit, was guarded about what he said. But it does highlight the potential dangers of such activity to financial institutions.
David Higgins, director of customer development EMEA at CyberArk, a specialist software security firm, says that the threat has evolved substantially over the years. “Historically, when people talked about cyberattacks they thought about 16-year-olds in their garage trying to make a name for themselves,” he says. Nowadays there are two main sets of attackers – criminals trying to make money, and state-sponsored attacks.
It is clear that the monetary stakes are high and the costs can manifest themselves in unexpected ways. For example, earlier this year Verizon Communications lowered its bid for Yahoo by $350m (€314m) following two massive cyberattacks on the internet company.
In the case of financial institutions too the motive is usually monetary. Higgins identifies four main types of attack to which the sector is prone.
First, smaller financial institutions can be targeted as a way of getting access to larger ones. Big banks, for example, usually have formidable defences against cyberattacks. But smaller financial firms are often not so well protected yet they often have IT links with larger institutions. Companies may therefore be targeted as a way of getting access to more lucrative targets. “The risk is not necessarily that you are the target but it could be that you are being used as a stepping stone to a much bigger target,” says Higgins.
A second type of attack aims to get access to sensitive data. This could be client information or intellectual property that is of interest to criminals.
Another possibility is an attack to disrupt a particular service. For example, the WannaCry ransomware attack earlier this year was designed to extort money from organisations around the world. Although the amount of money demanded to regain access to each terminal was relatively small, the total the criminals could steal was huge.
Finally, there can be direct attempts to steal money from organisations. One of the most famous was last year’s cyber heist on the central bank of Bangladesh’s account at the Federal Reserve Bank of New York. The attackers managed to withdraw a reported $81m of funds over the SWIFT international payments system. It was only after a diligent employee of Deutsche Bank noticed a spelling mistake in a transaction instruction that the fraud was discovered.
The importance of the human factor in tackling cyberattacks is increasingly being emphasised. However sophisticated a company’s computer systems may be, they are still vulnerable to attack if its staff are dishonest or even simply careless.
“A company’s employees are the first line of defence,” says Maykala Hariharan, a senior consultant at Mercer in Singapore. “Cybersecurity has gone from being an IT risk to more of a business risk.”
For that reason, companies are increasingly putting their staff through training courses. These can be in classrooms or online. Sometimes companies follow up the training by themselves sending phishing emails to staff. Those employees who take the bait are then sent for further training.
There may also need to be discussions with clients. Nowadays it is common for one firm to have access to systems at another company.
Even competitors can become part of a cybersecurity strategy. Firms may be commercial rivals but they have a common interest in the integrity of the overall business. “Sometimes you can have a competitor who warns you about an attack you could be facing,” says Benoît Esnault, head of global security at BNP Paribas Securities.
There is a network of Computer Security Incident Response Teams (CSIRT, also known as Computer Emergency Response Teams or CERT) around the world which communicate on a regular basis. These can belong to states or to public or private organisations. Many large financial institutions are members of the Forum of Incident Response and Security Teams (FIRST).
Some are even arguing for the inclusion of cybersecurity within ESG as it raises fundamental issues related to governance. Olivia Mooney, corporate governance engagements manager at the United Nations-supported Principles for Responsible Investment (PRI), says: “One of the key messages we’ve had from investors is that this is a risk that needs to be recognised and taken account of at board level.”
Meanwhile, national governments, regional organisations and financial regulators are encouraging firms to take cybersecurity more seriously. The EU is in the process of implementing the Global Data Protection Regulation (GDPR) with protecting data against cyberattack as one of its goals. The regulation is expected to be implemented in May 2018.
In the US, President Trump signed an executive order in May to review the country’s cybersecurity capacities. In February, New York State introduced minimum cybersecurity standards for banks and insurers. It also made it mandatory to report breaches to regulators.
Asia is often regarded as behind the US and Europe in this area but it is starting to take it seriously. China recently introduced a cybersecurity law, while Singapore is tightening its regulation and Thailand and Indonesia are discussing draft bills. Australia has also recently passed legislation which tightens the rules on the notification of data breaches.
Around the world a consensus is emerging that cyberattacks present a serious and sometimes mortal threat to organisations of all types. But battling against cyber criminals is a never-ending struggle involving both technology and wits.