The UK has one of the most successful financial services sectors in the world but it is under threat like never before.
As the banks embrace more digital on-the-go banking to enhance customer experience and platform choice for customers, they open themselves up to new threats from attackers looking to exploit vulnerabilities in legacy and unpatched systems.
The seminar at IP Expo Europe 2015 by Chris Gould, Ernst & Young's cyber-partner and head of fraud investigation and dispute services, evaluated the systemic risks the financial sector faces and the implications of successful and sustained attacks.
Citing a mixture of demanding customers, a heap of new rules and regulations, cost and competitive pressure, and extending supply chains, Gould remarked on how banks have had to become more innovative to satisfy customer ‘wants’. Notably, Barclays was the only major bank in the UK not to offer its customers Apple Pay, a position it later changed when it announced a 2016 launch date for the service.
According to Gould, 56 percent of organisations are unlikely to detect sophisticated cyber-attacks. Major corporations' average response times to incidents, including damage remediation, have gone up to nearly 60 days, he said.
Unlike hackers, most banks don't communicate with each other and share information on how to beat cyber-attackers, Gould said, comparing this to the hacking communities that regularly share their knowledge on the ‘dark web’.
When asked how banks can get ahead, Gould explained that banks must “activate - adapt - anticipate”:
- Activate - the organisation must have a solid foundation of cyber-security. This comprises a comprehensive set of information security measures which will provide a basic defence against cyber-attacks. This is where an organisation would typically establish their fundamentals.
- Adapt - organisations change, threats do, too. Therefore the foundation of information security measures must adapt and keep pace with changing business requirements, otherwise over time the foundation will be less and less effective.
- Anticipate - organisations must develop tactics to detect potential cyber-attacks. They must know exactly what they need to protect their “crown jewels”, and rehearse appropriate responses to likely attack scenarios. This requires a mature cyber-threat intelligence capability and an experienced incident response mechanism.
“Cyber-security needs to be embedded across the organisation,” he said. “This requires significant awareness, training, resources and commitment from leadership.”