Cybercrime is having a good year. It’s been steadily rising up through the ranks and, according to PwC, is one of the most commonly reported crimes in the financial services sector. It comes in many forms – phishing, pharming, social engineering, whaling, trojans, hacking, mules, back door attacks, carding, and cyber terrorism to name just a few – and is a main focus for Sibos.
Financial services is a playground for cyber criminals. There’s so much opportunity, so many different ways and so much to gain. It takes a company on average 146 days to even realize a cyber breach has taken place. Why is the response so slow, and why are financial services so vulnerable? There are a variety of reasons, but here are three critical ones I’d like to address.
First, many banks are still underestimating the risk. Less than 40% of economic crime in financial services was reported as cybercrime, according to PwC, because financial services haven’t always identified and logged the cyber element. This has given banks an inaccurate picture of their true risk. Second, the Internet wasn’t designed to protect us. It was designed for information sharing with openness and redundancy, not security. And third, while both the volume of data and data sources have been increasing, not only have old technology platforms reached their limits, but even existing security information and event management (SIEM) tools lack the ability to identify patterns in real-time or take preventative measures.
Cybercrime is now an established business risk – not just a technical one – that requires a coordinated business response:
- Education at all levels: The problem is too big and pervasive to remain relegated to the IT department’s domain. Banks need to educate all levels of employees about cyber threats and the different types of cybercrime. (The majority of internal cybercrime is typically committed by junior staff or middle management.) HR can play a strong role in this context of education. All employees should be trained for compliance, which also enables financial institutions to provide evidence of such training to regulators. This should be done at every level.
- Culture and controls: Take a closer look at your controls and processes, particularly your business-as-usual cyber-risk process controls and the culture that supports them. Make sure you’re able to flag, identify, and prevent changes that may be inconsistent with your security policies, and to monitor unauthorized changes to settings or any profile changes to sensitive user IDs, for example. Your cybersecurity governance must be enforced consistently and proactively, and it starts with the processes. You also need to focus your efforts on where the most important data resides. Analyze and correlate context across logs and systems, not just expected threats.
- Technology and holistic approach: Put a modern technology platform in place that’s capable of taking a holistic approach to cybercrime. This combines a variety of defenses, including business operations, management oversight, and independent audits with sophisticated compliance analytics able to predict and react before anything happens. It’s worth remembering that knowledge is power, whether it’s coming from your own internal analytics or from coordination and cooperation with other financial institutions. Earlier this month, I read an article in the Wall Street Journal about eight of the largest U.S. banks teaming up to tackle cybercrime. This sort of cross-industry collaboration will become increasingly common as the threat of cybercrime continues.
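To make the "culture and controls" point concrete, here is an added example (not SAP's code and not from the original post) that correlates constructed identity-audit log lines with constructed change-management approvals and flags any change to a sensitive user ID or security setting that no approval covers. All user IDs, field names, tickets and timestamps are assumed sample values.

```python
from datetime import datetime

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed identity-system audit lines (sample data, not from any real bank).
AUDIT_LOG = [
    "2016-09-12T02:14:05Z profile_change actor=svc_batch target=admin_treasury field=role old=viewer new=payments_approver",
    "2016-09-12T10:03:41Z profile_change actor=hr_ops target=jsmith field=department old=ops new=finance",
    "2016-09-12T23:55:10Z setting_change actor=root target=auth_policy field=mfa_required old=true new=false",
    "2016-09-13T11:20:00Z profile_change actor=iam_admin target=admin_treasury field=email old=old@example.com new=new@example.com",
]

# Constructed change-management records: who may change what, and in which window.
APPROVED_CHANGES = [
    {"actor": "iam_admin", "target": "admin_treasury", "field": "email",
     "start": "2016-09-13T11:00:00Z", "end": "2016-09-13T12:00:00Z"},
]

# Sensitive user IDs and fields whose changes always require an approved ticket (assumed).
SENSITIVE_IDS = {"admin_treasury", "auth_policy"}
SENSITIVE_FIELDS = {"role", "mfa_required"}

def parse_line(line):
    """Turn one 'timestamp event k=v k=v ...' audit line into a dict."""
    ts, event, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, FMT)
    rec["event"] = event
    return rec

def is_approved(rec):
    """Correlate with change management: same actor/target/field and inside the approved window."""
    for ch in APPROVED_CHANGES:
        if (ch["actor"], ch["target"], ch["field"]) != (rec["actor"], rec["target"], rec["field"]):
            continue
        start, end = (datetime.strptime(ch[k], FMT) for k in ("start", "end"))
        if start <= rec["ts"] <= end:
            return True
    return False

def find_unauthorized_changes(lines):
    """Return (timestamp, actor, target, field) for each sensitive change lacking an approval."""
    alerts = []
    for rec in map(parse_line, lines):
        sensitive = rec["target"] in SENSITIVE_IDS or rec["field"] in SENSITIVE_FIELDS
        if sensitive and not is_approved(rec):
            alerts.append((rec["ts"].strftime(FMT), rec["actor"], rec["target"], rec["field"]))
    return alerts
```

Run against the sample log, the routine department change passes, the approved e-mail change passes, and the two sensitive changes with no matching ticket are returned as alerts.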
Find out more about what SAP will be showcasing at Sibos, September 26-29 in Geneva.