By Alex Fagioli, CEO of Tectrade
With a statement shortly before the turn of the new year, the FCA made it unambiguously clear that banks lack the tools and the knowledge to deal with the cyber risks they face on a daily basis. In a direct statement, the financial regulatory body – which is financed by fees from the firms it regulates – said that “most [boards and management committees] continue to have limited familiarity with the specific cyber risks their organisations face” and that “incident management plans did not always appear to reflect the likely impacts of a successful cyber-attack in a variety of ways”. Essentially this statement set an agenda for 2019: sort out your IT, or things will get worse.
Cybercrime is not a minor issue that the finance sector can ignore. To get a sense of scale, cybercrime was estimated to cost the global economy in excess of $600 billion a year, with ransomware alone responsible for $5 billion in 2017. These are numbers we can expect to see increase as the 2018 figures are totalled. Simply put, it is not sustainable for banks to continue to underinvest in cyber security and IT infrastructure.
But it’s not just cybercrime that is a problem. This lack of preparedness extends to seemingly banal things like planned system changes – see TSB’s 2018 IT meltdown, in which a botched migration to a new core banking platform left users unable to access their accounts for up to a month and around 1,300 accounts hit by fraud. In fact, Britain’s five biggest banks had a total of 64 security or operational incidents that cut customers off from telephone, mobile or online banking in the second quarter of 2018, and by no means all of those were caused by cybercrime.
With this in mind, it is plain for all to see that banks must increase ongoing investment in cybersecurity and day-to-day IT operations. But before considering the state of the infrastructure, the first thing to consider is the people responsible for it. As stated earlier, the FCA believes that while boards are ‘more sensitive to the topic than in the past’, the vast majority still lack an adequate knowledge of the issues facing them. In a slightly more aggressive tone, one senior regulator was quoted accusing such firms of being ‘overly confident’.
One way to help fix this is to appoint more board members with this level of expertise. However, as hiring someone with the combination of technical knowledge and business nous can prove difficult, many firms have brought on third-party advisers to help educate the board and independently advise on how they can improve their systems and mentality. One downside to this approach is that it can lead to an over-reliance on third parties and stunt the development of in-house cyber capabilities. But as it can take a couple of years to recruit a senior board member, the use of a third party can be a more attractive prospect in the meantime.
Having addressed the issues of expertise and an adequate knowledge base, banks can audit their infrastructure to identify any weaknesses. Are all the systems up to date? Are backups being taken, kept away from the production network, and actually restored as a test? How do we react in the event of a disaster? Many organisations are unaware of the need to stress test their systems in a controlled environment to see how they handle outages. Disaster recovery testing is vital if administrators are to have a full understanding of the systems they are responsible for: a backup that has never been restored is a hope, not a plan. Much like testing a fuse or a fire alarm, it is much easier to fix a problem when you know that it exists. A ‘cyber MOT’ is a must for banks if they want to combat cybercrime.
With a full understanding of the system, a solution must be deployed to mitigate risk and minimise downtime. Unfortunately, it is not a question of ‘if’ but ‘when’, and there is no ‘silver bullet’ for eliminating cybercrime. As such, financial institutions should adopt a zero day recovery architecture to make sure their systems can get back online quickly from a copy that is known to be clean, rather than one the attacker may also have reached. An evolution of the 3-2-1 backup rule (three copies of your data, stored on two different media, with one copy kept offsite), zero day recovery enables an IT department to partner with the cyber team and create a set of policies which define what is done with the backups stored offsite, normally in the cloud. The policy assigns each workload a storage tier, and therefore a cost and a recovery time, according to its strategic value to the business. It could, for example, mean that a particular workload needs to be brought back into the system within 20 minutes while another workload can wait a couple of days.
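To make the audit questions above and the tiered recovery policy concrete, here is a small model of such a policy in Python. It is an added example, not code from the original article or from Tectrade: the tier names, the 20-minute/1-day/2-day recovery time objectives, the storage classes and the sample workloads are all assumptions constructed for illustration. It checks each workload's copies against the 3-2-1 rule, verifies every copy against a hash recorded at backup time before trusting it, and orders the restore by recovery time objective, so a tampered onsite copy is skipped in favour of a clean offsite one.

```python
"""Model of a tiered recovery policy layered on the 3-2-1 backup rule.

Added example, not the article's or Tectrade's code. Tiers, RTOs,
storage classes, workloads and payloads are constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field

# Hypothetical tiers: strategic value -> recovery time objective (seconds)
# and the storage class the offsite copy must sit on to meet that RTO.
TIERS = {
    "critical": {"rto_seconds": 20 * 60, "offsite_class": "hot"},
    "standard": {"rto_seconds": 24 * 3600, "offsite_class": "warm"},
    "archive": {"rto_seconds": 2 * 24 * 3600, "offsite_class": "cold"},
}

# Lower rank restores faster. Onsite copies are preferred over offsite ones.
CLASS_RANK = {"hot": 0, "warm": 1, "cold": 2}


@dataclass
class Copy:
    medium: str          # e.g. "disk", "tape", "object-store"
    offsite: bool
    storage_class: str   # one of CLASS_RANK
    payload: bytes       # constructed stand-in for the backup image


@dataclass
class Workload:
    name: str
    tier: str
    known_good_sha256: str   # recorded at backup time and kept out of band
    copies: list = field(default_factory=list)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_3_2_1(w: Workload) -> list:
    """Return the 3-2-1 violations for one workload (empty list = compliant)."""
    problems = []
    if len(w.copies) < 3:
        problems.append(f"{w.name}: only {len(w.copies)} copies (need 3)")
    if len({c.medium for c in w.copies}) < 2:
        problems.append(f"{w.name}: all copies on a single medium")
    offsite = [c for c in w.copies if c.offsite]
    if not offsite:
        problems.append(f"{w.name}: no offsite copy")
    required = TIERS[w.tier]["offsite_class"]
    if offsite and not any(c.storage_class == required for c in offsite):
        problems.append(f"{w.name}: no offsite copy on {required} storage for tier {w.tier}")
    return problems


def clean_copies(w: Workload) -> list:
    """Copies whose hash matches the out-of-band record; anything else is untrusted."""
    return [c for c in w.copies if sha256(c.payload) == w.known_good_sha256]


def restore_plan(workloads: list) -> list:
    """Order workloads by RTO and pick the fastest verified copy for each.

    Returns (name, source) pairs; source is None when no copy can be trusted.
    """
    plan = []
    for w in sorted(workloads, key=lambda wl: TIERS[wl.tier]["rto_seconds"]):
        good = clean_copies(w)
        if not good:
            plan.append((w.name, None))
            continue
        best = min(good, key=lambda c: (c.offsite, CLASS_RANK[c.storage_class]))
        where = "offsite" if best.offsite else "onsite"
        plan.append((w.name, f"{where} {best.medium}"))
    return plan


# Constructed sample data: one compliant critical workload, one archive
# workload that breaks the rule and whose onsite copy was altered.
PAYMENTS_IMAGE = b"payments-ledger-2019-01-02"
CRM_IMAGE = b"crm-export-2019-01-02"

payments = Workload("payments", "critical", sha256(PAYMENTS_IMAGE), [
    Copy("disk", False, "hot", PAYMENTS_IMAGE),
    Copy("object-store", True, "hot", PAYMENTS_IMAGE),
    Copy("tape", True, "cold", PAYMENTS_IMAGE),
])
crm = Workload("crm", "archive", sha256(CRM_IMAGE), [
    Copy("disk", False, "hot", CRM_IMAGE + b"-TAMPERED"),  # onsite copy modified
    Copy("disk", True, "cold", CRM_IMAGE),
])

if __name__ == "__main__":
    for w in (payments, crm):
        for p in check_3_2_1(w):
            print("3-2-1 violation:", p)
    for name, source in restore_plan([crm, payments]):
        print(f"restore {name} from {source}")
```

Running it reports that the CRM workload has only two copies, both on disk, and then produces a restore order that brings payments back first from its onsite disk and restores CRM from the offsite copy because the onsite one no longer matches its recorded hash. In a real deployment the hash record would itself have to live somewhere the attacker cannot rewrite, such as a signed manifest or write-once storage; the example assumes that and does not implement it.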
At the start of this new year, firms can either continue on their current course when it comes to IT, or look to remedy the issues that become more apparent with every year. ‘Digital transformation’ is a trendy buzzword in the banking and finance sector, but what needs to happen isn’t just a passing fad. Taking measures to employ the right people, identify infrastructural IT issues and remedy them with a zero day recovery architecture will go some way to restoring confidence and saving millions – if not billions – of pounds.