Banks are under threat, and increasingly in the digital world. In recent times, Barclays, Santander and NatWest have suffered data breaches, and a glance at the 2014 Verizon Data Breach Investigations Report reveals that the financial sector was the most targeted in terms of data breach incidents in 2013. Insurance broker Aon recently detailed how financial service companies are more ‘exposed' to cyber events.
But changes are being made to combat the threat. The Waking the Shark II demo showed that banks are at least willing to test their network defences – if not completely share the intimate details of the attack with competitors – while the British Bankers Association (BBA) has recently established CBEST, so that financial services firms can test their security against simulated attacks based on detailed threat intelligence.
In other areas, bank bosses are getting the message too. Investment bank JP Morgan is spending a reported $150 million (approximately £90 million) on cyber security, and a study from recruiters Robert Half revealed that 52 percent of finance bosses plan to increase spending on cyber-security – with 39 percent planning to take on more employees to cope with the extra work, and 43 percent to spend on data analytics tools.
These figures aren't unique, Pwc recently found that financial services companies are increasing their cyber security budgets, which is perhaps unsurprising in an age where the largest American banks lost $23.6 million to cyber-attacks in 2013, a figure that could increase with botnets like Zeus Trojan, hidden vulnerabilities in popular mobile apps and continued concerns around Open SSL.
Indeed, the Bank of England told the Institute of Risk Management's Cyber Risk 2014 Summit that attacks on their systems was a regular occurrence. “We get on average around eight incidents a week, and we are a central bank that is pretty small in number - around 4,000 people,” said Don Randall MBE, chief information security officer at the Bank of England.
“To date, none of these have caused any major harm - but they [cyber criminals] are definitely looking at it.” These include DDoS, malware attacks and spear phishing.
Larry Ponemon, founder and analyst at Ponemon Institute, told SCMagazineUK.com that the increase in spending is not a surprise.
“Our benchmarks on cyber security spending over the past decade all indicate a very significant increase in technology and personnel investments over the past 12 months. This increase is especially significant in the financial sector.
“Within this sector, companies in retail banking and investment management are making the most substantial investments in technologies that focus on cyber-attack intelligence and data leakage. While there are country differences, it appears that this rise in cyber security spending is a worldwide phenomenon.”
But the view that spending is on the rise is not universally accepted, with budgets often hard to interpret, and going in different directions – from compliance to new technologies and staff.
On the JP Morgan figure, F-Secure researcher Sean Sullivan said that it wasn't clear what the money is for: “It's difficult to tell what exactly the increase is for. I get the sense it's just added costs related to DDoS mitigation, and not for actually improving core security principals.”
Andrew Barratt, managing director of IT compliance and auditing outfit Coalfire Europe, picked up on this, saying that clever companies often tweak budgets to hoodwink shareholders into thinking they're doing more than they actually are.
“The notion that cyber spending is on the up completely is certainly not unilateral. Some organisations are increasing spend because of perception of threats increasing and also additional regulatory requirements.
"However in others - major international bank - budgets were being cut significantly and focus was being placed on SIEM technology as it is mandatory for various compliance regimes – think PCI DSS for card data, the Federal Financial Institutions Examination Council (FFIEC -US) and Monetary Authority of Singapore's Internet Banking and Technology Risk Management Guidelines (IBTRM) so offers considerable bang for buck in terms of a security/compliance spend.”
He adds that spend in many others would have ‘security implications' but would have traditionally been part of IT control, citing the Windows XP upgrade – an IT issue which has security implications too.
Ben de la Salle, head of IT security and risk at Old Mutual Wealth told SCMagazineUK.com: “The spending on cyber security is not managed from a single pot within our business, and in many cases, nor can it.
“Whilst we do plan and follow a cyber-roadmap which sets out our initiatives over the coming years, many of these initiatives will run in amongst a change portfolio delivering specific business improvement or new services. Our role within the business is to establish the common services and to inform change programmes about the threat landscape associated with their current delivery, help them identify controls and map them back to these common services wherever feasible. We must always remember that the spend against any risk, is balanced against the impact.”
While spend direction appears to be a mind boggler, what is clear is that CEOs and other boardroom members are now aware of cyber security as a serious, potentially expensive issue.
Sources told SCMagazineUK.com that cyber security is now a ‘top priority' at the four major banks in the UK – although they didn't mention specific numbers - and this is an encouraging trend, says Tenable's Gavin Millard.
“It is encouraging to see the tone at the top being set by both the CEO and COO rallying around a message of securing the business by investing heavily in cyber defence,” he told SCMagazineUK.com.
“With this increase in focus will come more demands from the board for clarity on how the security teams are adding value and how effective they have been in reducing the risk to the business. Boards, executives and security teams need to communicate in a way that bridges the traditional but disappearing divides between technology and business.”
De la Salle, agrees that C-suite is engaging. “Absolutely [CEOs are interested in cyber security], both in terms of supporting our initiatives and also wanting to be more informed about our current threat landscape. This is, in many ways, great for us and is enabling a much smoother ride in delivering improvements within the organisation. It has a positive impact on our ability to support the business.”
So what has grabbed their attention, the media, the CISO or something else entirely? “I think it's a combination of influences,” de Salle told SCMagazineUK.com, noting media ‘grabbing' cyber as a term, increased publicity around breaches, regulators taking note and security professionals “talking in business terms, and not preventative or detective controls.” The customer too plays a part.
Barratt added: “In smaller environments the term ‘cyber' is now definitely getting board level focus as they try to work out what they have in place and is causing increased visibility of process in both IT and infosec. This could lead to a trickle spending effect, so spending is likely to increase on people first.
He says that the message is coming through loud and clear, especially in the US through regulatory requirements and governments, but warns that boards still have work to do.
“One major difference that I've seen is that the C-level whilst they are becoming more aware typically don't have a lot of info on what to do,” he told SCMagazineUK.com. “Finance directors in particular are starting to be aware of the potential for revenue loss due to security issues and starting to want answers.”
Of course, bigger budgets and more tools aren't the only way to go – and that's been evidenced at some other banks looking at other avenues, such as “hacking back” or greater intelligence.
HSBC hired Jonathan Evans, a former head of MI5, in May 2013 to combat financial crime, and the Bank of England hired a geopolitical analyst to understand international tensions, and a recent article in The Economist also details how banks in the US are more active participants in “carder forums” where card numbers are sold for $20 to $100 a piece, often in batches of up to one million. Some banks, it transpires, are even engaging in the bidding to see what the hacker knows.
“I am always very wary of any approach to “hacking back” or offensive defences. Any response provides an insight into your organisations level of skill and also present a challenge to them,” said de la Salle.
“The net result is that you could turn an inquisitive sweeping scan into a fully organised onslaught, a vindictive reaction to your audacity to respond to their virtual knock on the door. What started as a desire to breach your defences could quickly become a campaign to takedown your services.”