Barely a day goes by without news of a new cybersecurity attack. The issue is more widespread than ever and the cybersecurity landscape has never looked more threatening than it does today, especially in the financial services sector.
Recently, banks and financial services companies were targets of coordinated cyber-attacks and were forced to reduce operations or shut down systems. This led the Bank of England to issue guidelines to financial organisations on protecting themselves from such attacks.
The problem is partly attributable to the fact that the finance sector is perceived to be a high-value target and partly the result of the plethora of communication channels we use and the pace at which they are evolving. Case in point: the prevalence of images on the Internet. The average size of a web page has grown six-fold, and 67% of that page is likely to be comprised of images. Chances are most cyber defence systems do nothing to combat threats concealed in images. Equally, the ubiquity of social media provides an ever-increasing number of routes through which malware can be introduced and used.
The other reason financial services organizations need to take a long hard look at their cyber-security defences is the levels of sophistication demonstrated by today’s cybercriminals. Yes, well-known and simple techniques are used every day to compromise organisations. But if those fail, cybercriminals will readily resort to the kind of sophisticated and evasive attacks that were once the preserve of government agencies.
Bottom line: the financial services sector is now under near continuous attack. With that in mind, here are four key focus areas for anyone in the sector intent on transforming their cyber security defences and thwarting even the most determined and sophisticated cyber-attacker.
Content is King
From documents and spreadsheets to images and PDFs, digital content is the carrier of choice for the cyber-threats used by today’s attackers. Regardless of the nature of the attack, in 99% of cases, it will start with the attacker attempting to infiltrate the organisation with an exploit concealed in seemingly innocuous business content. Virtually any piece of digital content, whether an Office document, PDF, or image can be used or “weaponised” in this way. Whatever the attack, from ransomware and identity crime to remote access and cryptocurrency mining, it will likely gain a foothold because it was introduced in weaponised content through regular internet usage.
It is therefore essential for businesses to look at how best to ensure that digital content can be handled safely. Here it’s important to acknowledge that, historically at least, the cyber-security industry has failed to deliver the levels of protection that a business might reasonably expect.
The vast majority of cyber-security defences operate using the principle of detection. Threats and exploits are identified by examining content for indicators (signatures) that suggest the presence of something malicious. The detection paradigm was effective to a point, but it has proved wholly ineffective in the face of ever more sophisticated threats that are constantly evolving and virtually always concealed in seemingly harmless business content.
In March of this year, industry analyst Gartner published a report entitled “Beyond Detection: 5 Core Security Patterns to Prevent Highly Evasive Attacks”. The author called out Pattern 4: Content Transform as key to building defences that deal with the threat landscape going forward, and financial sector organisations need to embrace this concept.
Transform your Defence
Content Transform defeats not only known but also ‘zero-day’ and unknown threats in content. It is applied as content crosses the network boundary and doesn’t rely on detection or “sandbox detonation”. Instead, it uses a unique process of transformation that ensures protection.
Transformation works by extracting the business information from the documents and images crossing the network boundary. The data carrying the information is discarded along with any threat. Brand new documents and images are then created and delivered to the user. Nothing travels end-to-end but safe content. Attackers cannot get in, and the business gets what it needs.
Transformation is the only way to ensure that threats are removed from content because it assumes all data is unsafe or hostile. It doesn’t try to distinguish good from bad. It cannot be beaten; as a result, the security team is satisfied because the threat is removed, and business teams are appeased because they get the information they need.
Image steganography is the covert hiding of data within seemingly innocuous image files. For instance, hidden content could be encoded in an image by subtly varying shades of colour – obscure to the naked eye – that when decoded reveal an entire customer database. Put the original and the compromised image side by side and one could not tell them apart, but the latter is worth millions. The popularity of image steganography amongst cyber-attackers is on the rise – malware exploit kits and malware-as-a-service offerings now include steganography as standard – and the reason for this is straightforward: image steganography is easy to implement and totally undetectable!
Image steganography has been used in malvertising campaigns to extort money from thousands of users and bring reputable news sites to their knees. It has also been used in conjunction with social media tools to steal high-value financial assets, with the criminals using innocuous images to mask a sophisticated Command and Control (CnC) channel over which the data could be exfiltrated without the theft being detected.
Existing perimeter web defences (web gateways and firewalls) cannot protect businesses from exploits concealed in images using steganography. The presence of the exploit has no signature and is completely undetectable. Fortunately, transforming the content does provide a defence, as the image is completely re-written and subtly changed, destroying whatever was concealed in the picture. If the organization is not using content transformation and social media is allowed into the corporate network, it must be kept away from sensitive data and systems.
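The transformation step described above, applied to the image case, as an added example that is not part of the original article or any vendor's product. It assumes the concealed data sits in the least-significant bit of each colour channel and works on a raw RGB byte buffer; the function names, the carrier image and the payload are all constructed for illustration.

```python
import secrets

def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Build the constructed sample: store payload bits in channel low bits."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in carrier")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def extract_lsb(pixels: bytes, n_bytes: int) -> bytes:
    """Read n_bytes back out of the channel low bits."""
    out = bytearray()
    for b in range(n_bytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[b * 8 + i] & 1)
        out.append(value)
    return bytes(out)

def transform(pixels: bytes, noise_bits: int = 2) -> bytes:
    """Create a new pixel buffer: keep the visible high bits of every channel,
    discard the low bits and fill them with fresh random noise. No attempt is
    made to decide whether the input was carrying anything."""
    if not 1 <= noise_bits <= 4:
        raise ValueError("noise_bits must be between 1 and 4")
    keep = 0xFF & ~((1 << noise_bits) - 1)
    return bytes((p & keep) | secrets.randbits(noise_bits) for p in pixels)

def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest per-channel difference between two equally sized buffers."""
    return max(abs(x - y) for x, y in zip(a, b))

# Constructed sample data (not taken from the article).
SAMPLE_PAYLOAD = b"CONSTRUCTED-SAMPLE-RECORD-0001"

def demo() -> dict:
    width, height = 32, 32
    cover = bytes((i * 7 + 13) % 256 for i in range(width * height * 3))
    stego = embed_lsb(cover, SAMPLE_PAYLOAD)   # image arriving at the boundary
    delivered = transform(stego)               # image handed to the user
    n = len(SAMPLE_PAYLOAD)
    return {
        "before": extract_lsb(stego, n),       # payload survives without transform
        "after": extract_lsb(delivered, n),    # payload is gone after transform
        "delta": max_channel_delta(stego, delivered),
    }

if __name__ == "__main__":
    result = demo()
    print("recoverable before transform:", result["before"] == SAMPLE_PAYLOAD)
    print("recoverable after transform: ", result["after"] == SAMPLE_PAYLOAD)
    print("largest channel change:      ", result["delta"])
```

The same transform is applied to every image whether or not it carries anything, which is why it needs no signature; each channel value moves by at most 3 out of 255.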
As the financial sector comes to terms with the current threat landscape, it is imperative that organizations re-evaluate their defences, understand that detection is not the answer and formulate a strategy for content transformation.
HOW CHARITIES CAN MEET TOMORROW’S DIGITAL CHALLENGES?
By Steve Georgiou, Business Consultant at Xpedition
Charities are under constant scrutiny for how they handle their finances. Budgets are often squeezed and as a result, it can be hard to justify spending on mediums such as new technology, which aren’t always seen as “necessities.”
And yet, there’s a new generation of workers waiting in the wings who have grown up using technology in all aspects of life. In addition, 57% of charity employees believe the sector’s development is being hindered by a failure to embrace new technology. For those that are willing, a digital strategy has never been more important for a charity’s future outlook.
The Next Generation
Many organisations are not prioritising the technological expectations of today’s younger generation. Everything outside of the workplace for the upcoming generation is already technology-driven, including the skills they’re learning right now. It’s already disrupting industries and career plans, and by the time this generation steps into employment, the way we live and work will have become even more advanced.
Competition in the Third Sector has always been on the up. Donation methods have changed, securing funds has never been more competitive, reporting is now a lot more stringent, and the next generation of employees have defined efficient methods of ensuring the organisation they are employed by is not left behind.
For charities that are using legacy financial systems that are often old, outdated and costly to maintain, if they do not take the steps now to digitally transform, they’ll fall further behind. Good governance dictates Charities should be investing in modern technology to support the organisation in both its medium- and long-term digital strategy. Ultimately, Charities want to engage stakeholders and employees, simplify processes, streamline efficiency and guide change – but they cannot do this without investing in modern technology to enable change in this fast-moving digital world we live in.
A Digital Future
In times gone by, financial systems were predominantly used to support the back-office finance function. This has all changed. With advances in technology, such as the latest all-in-one financial management solutions, there are now tangible benefits that add value to the whole organisation.
These tools can strengthen decision making, reduce administration time and provide real-time, accurate reporting, all of which are valuable assets for tomorrow’s demands.
There is a real case to be made for a fully digital third sector using financial technology, one which thrives and gives not-for-profits huge benefits:
Data Management and Analysis
The contemporary digital landscape is all about big and beautiful data. Job roles are evolving to cater for the data boom, organisations are now hiring increasing numbers of Data Analysts and Business Analysts. And one of the most significant benefits that the third sector can expect to see by taking on digital methods is greater data transparency.
The world’s most valuable resource is no longer oil, but data. Data is being transformed into a core asset, one which is being used to tackle charity-wide challenges. Daily admin duties such as data analysis and entry are being taken over more and more by financial management solutions. This not only removes the need for online time-heavy tedious tasks, but also reduces the number of different sources people have to use to find and analyse data.
Whether it is finance, fundraising, HR or anything else, the efforts of the organisation should be in the analysis of the data to make better informed decisions in the best interests of the charity.
Use Cloud to Reduce TCO
The resistance to change and the associated investment have been barriers to digital transformation for charities. Every organisation wants to achieve greater efficiency and free up further funding for their frontline activities. Maintaining hardware and the disruption of upgrading are all a thing of the past.
From maintenance to mobility, cloud computing can help you to significantly reduce the Total Cost of Ownership (TCO). With the cloud, there is no need for onsite hardware or expensive upgrades – you are simply sent a URL for storage. This offers you the flexibility to scale your data storage capacity depending on your needs at the time, avoiding the need for expensive hardware. This on-demand, “pay as you grow” approach avoids hedging your bets on unnecessary data storage. The cloud also has greater mobility, allowing for remote workers to access communications from anywhere, with no further technology needed. Backup and restore can be initiated from any location, using multiple devices, and does not need maintenance – reducing the need for a dedicated IT person.
Consider Digital, before your Charity becomes marginalised.
With a new generation of workers waiting in the wings, and financial management technology that has the power to provide value for all aspects of the organisation, a digital strategy has never been more important for a charity’s financial efforts. They will not settle for a business that is stuck a decade behind due to not embracing change.
COUNTING THE COST OF SILENT CYBER
– Akber Datoo, Founding Partner, D2 Legal Technology
Damaged reputation. Financial loss. Punitive capital adequacy provision. Silent cyber is one of the biggest issues facing the insurance industry. Yet despite the Prudential Regulation Authority’s (PRA) demands for robust action plans, few firms have put in place the document digitisation required to truly understand the level of risk. Further, it is somewhat ironic that an industry that is predicated on pricing risk is failing to assess and understand this risk that exists today in its back catalogue. From determining the current silent cyber position to identifying policy wording changes and analysing the legacy book, Akber Datoo, Founding Partner, D2 Legal Technology, highlights the need to digitise policy documents.
Non Affirmative Loss
“Silent Cyber” is the term given to cyber-related losses that may or may not fall under traditional property and liability policies that were not designed for that purpose.
The concerns of silent cyber have recently come to the fore and the shock waves created by the Mondelez / Zurich Insurance case have reverberated around the market. Whilst publicity may have temporarily abated over the past few months, very few insurance companies have begun to truly address the risk posed by silent cyber. In an industry predicated on strong reputation, the decision by Zurich to reject a claim from a client whose business had been devastated by the NotPetya cyber-attack in 2017 made headlines around the world – not least for citing exclusion for ‘hostile or warlike action in time of peace or war’ by a ‘government or sovereign power’.
Yet as the cost of such attacks is being counted, the impact of silent cyber on the industry as a whole is becoming painfully apparent. PCS Global Cyber has recently attributed 90% of the insurance industry’s losses relating to the NotPetya cyber-attack to non-affirmative (silent) cyber, and the rest to affirmative losses.
Certainly, the PRA believes the UK insurance industry can do more to ensure the effective management of affirmative and non-affirmative cyber risk exposures. It has ordered firms to develop an action plan, with clear milestones and dates by which action will be taken.
Despite the cost to the industry, there remains a concerning lack of consistency in terms of risk awareness and planning as well as risk appetite and understanding. The PRA’s own survey in 2018 revealed significant divergence in firms’ views of the potential exposure to silent cyber. Within Marine, Aviation and Transport (MAT), Property and Miscellaneous lines, exposure was rated at anywhere between zero and the full limits.
With PCS Global Cyber believing the cost to the industry of NotPetya associated claims has now exceeded $3 billion, there is ever greater focus on insurance companies’ cyber stress tests. Fears that gross losses could run into the multiples of annual cyber premiums are very real. However, to date such exercises are based on minimal fact: firms lack robust or reliable claims data relating to silent cyber. As a result, models are immature and there is little faith in the resultant capital adequacy calculations. Just how much capital should the regulator demand firms to set aside against possible exposures when the silent cyber risk is so poorly understood?
In addition to the model and assessment demanded by the PRA, firms need to look closely at existing policy documentation to gain better insight into risk. What is the current position? Does wording need to be amended to address silent cyber risk? How can the legacy book be analysed and key data and wording from the contracts extracted to assess the potential silent cyber exposure going forward?
In many ways, the insurance industry is better placed than many for the challenges ahead. Document digitisation has been on the agenda for some time and the industry has already created clause libraries to make it easier for firms to gain access to vetted policy wordings and regularly used clauses. However, the low take-up of these libraries is disappointing. Not only do firms have a somewhat confusing choice – between the Lloyd’s Wording Repository, the IUA (International Underwriting Association) Clauses Document Library and the Xchanging Model Wordings Library, but the checklist structure is not providing the required solution.
Insurance companies and brokers need to better understand how to use these clause libraries within current business models, preferably in tandem with a document generation tool to improve data management. The goal is to create data driven contracts, where documents are drafted based on known outlooks. But to get to that point, firms need to actively embrace document digitisation to gain a better handle over the current risk position and create a foundation for rapidly changing wording to avoid any ambiguity regarding silent cyber. Moreover, we need to link wordings in clause libraries to classified business outcomes, and then derive business intelligence from policy portfolios.
No firm wants to risk the reputational damage associated with refusing a high profile claim – nor endure the huge losses associated with attacks such as NotPetya. With the rise in cyber attacks, this is an issue that has to be addressed immediately: firms need to act now and embrace the opportunity of digitisation strategies within policy documentation to mitigate the potentially devastating silent cyber risk.