The latest Bank of England Systemic Risk Survey suggests that Brexit is the biggest risk to financial stability in the UK, pushing cyber-attacks into a distant second place.
With 91 percent of respondents citing 'UK political risk' as being of most concern, cyber-attack was cited by just 62 percent. When it comes to the perceived difficulty in managing these risks the two were pretty much neck and neck on 52 percent and 51 percent respectively. However, while the Brexit management concerns were down by 18 percent on the previous 2017 survey, cyber-attack management concerns were up by 5 percent. This is the third consecutive rise in cyber-risk management concern, which suggests that financial services organisations are still struggling to get to grips with cyber-security strategy.
Financial services also top the charts when it comes to being targeted by malware attacks, according to the 2018 IBM X-Force Report, with some 27 percent of malware targeting the sector. The majority of this is from organised crime in an attempt to obtain details of high value targets and where possible to commit grand larceny. "The traditional ‘threat triangle’ requires motivation, capability and locality in order for a threat to be effective" Alex Hollis at SureCloud points out "technology has removed the locality as the internet makes everything ‘local’ to a potential attacker."
As the Bank of England report states, the Financial Policy Committee (FPC) is establishing regulatory 'threat tolerances' alongside the National Cyber Security Centre (NCSC) based upon how long it takes for 'material economic impact' to happen after an attack. Time is, therefore, running out for the industry to get its cyber risk management house in order. So, why is the financial services sector still struggling to get to grips with this issue and what can be done to rectify the situation?
"The trouble with financial organisations is that they are incredibly siloed due to their size, with many different segments, banks, and countries operating across the industry that never intersect" according to Ross Brewer, VP and MD EMEA, LogRhythm. Not forgetting that these are legacy-infrastructure silos all too often. "Due to the complex nature of existing systems which have been built with different and sometimes conflicting metrics over the years, legacy infrastructures are typically built from a complex patchwork of applications, which communicate with each other in complicated ways" says Nick Hammond, a former Global Head of Networks with Barclays and now Lead Advisor for Financial Services at World Wide Technology. The solution might be as simple (in theory at least) as visibility. "Insights into infrastructure can create a real-time picture of the entire network" Hammond suggests "this means they can fit the right security policies to each segmented application, preventing unnecessary or illicit data flows which can create cyber vulnerability."
Yet common-sense screams that cyber threats to financial services organisations should reduce as security budgets, and threat awareness, increase. The Bank of England report clearly shows that common-sense and cold realities are two very distinct concepts. There are two main reasons for this, according to Steven Murdoch, Innovation Security Architect at OneSpan. "Firstly, criminals are adapting to existing security measures and improving their attacks" Murdoch said in conversation with SC Media "secondly, instead of trying to reduce overall levels of risk, some banks are applying security techniques that facilitate new business opportunities while keeping threats at bay."
This is down, in large part if Oz Alashe, CEO of CybSafe, is to be believed "because there’s a disjunction between perception and action: while many financial firms correctly recognise that cyber-crime is a greater threat than ever before, many do not believe that it will actually happen to them." This is what you might call optimism bias in action.
The last word goes to Adam Brown, manager of security solutions at Synopsys who sagely suggests that before the risk can be managed, current approaches must be measured. "Then if we can compare and collaborate with peers and leaders" Brown continues "we can start to understand where to best apply better effort. Based on the outcome of that measurement, we know that we are making the most efficient use of our resources and spend by addressing the practices that needs the most effort..."