In 2016, cyber-threats to the UK business community showed little sign of abating, despite the scrutiny placed on protecting both corporate and financial institutions alike. In fact, despite all of the dialogue and the many operational solutions implemented, cyber-related attacks escalated. This was particularly noticeable in the world of ransomware and other types of attacks that threaten business health and ultimately the economy as a whole.
A recent PwC report indicated that approximately 55 percent of UK firms have fallen victim to economic crime in the past two years, compared to 36 percent globally. This came on top of the more commonplace cyber-related problems we've seen over the past few years, such as a spike in activity around special events (the Olympics, Brexit and the UK election) and the always cyber-busy Christmas shopping season.
Among this year's most hair-raising cyber-crimes were the massive HSBC online banking attack in January; the theft of tens of thousands of credit card records from Acer in the early summer; and the complex DDoS attack on Dyn this past autumn. With all of these attacks resulting in both financial loss and reputational damage, whether we can realistically expect improvements in 2017 remains to be seen.
Lessons that the banks learned
Based on these and other experiences in 2016, UK banks recognised a few key trends that should be addressed heading into the New Year. First, many UK banks recognise that their consumers, for the most part, are still quite easily duped by sophisticated social engineering scams. A combination of newsworthy events, susceptible private citizens, and cyber-adversaries who have learned to communicate in increasingly convincing ways has led to a situation that will continue to compound consumer confusion. Unfortunately, this is not something expected to change immediately.
The financial institutions have also noticed an uptick in social engineering attacks on their employees. Targeted attacks on key individuals will likely continue to be a top concern. Identifying which employees have access to which sensitive systems is easier than ever before, because their professional responsibilities are spelled out in detail - often including full CVs - on sites such as LinkedIn and other social media or employment-related web sites.
Additionally, as became clear during the election season across Europe, nation-state actors are increasingly involved in these attacks, using them as a politically motivated means of achieving goals that traditional diplomacy has not delivered. It should be assumed that this will continue to be the state of affairs as geopolitics adjusts to cyber-warfare as an effective tool in both propaganda and espionage efforts.
What UK banks can do in 2017
Looking ahead to 2017, there are three main areas where UK banks should prioritise their operational planning as they work on improving their defences against cyber-crime. First, the public-private partnership model becomes even more necessary, both to encourage cross-bank information sharing and to put public agencies closer to the front line of what the UK banking sector deals with on a daily basis. Moreover, this approach may provide the initial steps towards a greater level of sharing between financial services and other vertical sectors, something the banks may not be able to achieve as rapidly on their own.
Another area that should be paramount in 2017 strategic planning is mobile banking. Mobile unfortunately brings several weak points of its own - untrusted Wi-Fi networks, counterfeit banking apps in app stores, and operating system updates that are not released or installed in a timely manner - all of which combine to make it an even more complicated topic.
A not so small third consideration is the fact that regulation will continue to be a major factor for UK banks to consider in their planning and operations. New EU legislation and its overlap with other international jurisdictions - think the General Data Protection Regulation (GDPR) - mean that UK banks should plan to bear the cost of additional staffing and technology, of additional fines, or both.
Ironically, with the growth of a multitude of layered technology solutions designed to fight financial crime and protect against cyber-warfare, the one factor that will remain a constant in the coming year is the social impact of smart cyber-criminals and how they interfere with our institutions and customers. While we focus on innovation to protect ourselves, we may also want to focus on education so we aren't so easily letting them in the front door and past security. Here's to a better protected New Year!
Contributed by Joram Borenstein, vice president, NICE Actimize