BALANCING THE NEEDS OF DEVELOPING ECONOMIES

Marc Naidoo, a sustainable finance partner at international law firm McGuireWoods

 

A child sitting with a candle in the dark learning about how hydrocarbons are destroying the atmosphere and why fossil fuels need to be phased out nigh on immediately. Perhaps that resonates with this child, or perhaps these concepts exist in the abstract, or even a combination of the two. Over 640 million Africans have no access to energy, which correlates to an electricity access rate of a mere 40%. The question this child may ask is: so where are all these hydrocarbons coming from, and who is benefitting from them?

The interplay between developed nations and developing nations is a tense one, especially in the context of sustainability. Whilst through effluxion of time the West has been through various industrial and energy booms, developing markets have not been afforded that period of sustained growth. Whether in the form of heavy-handed concessional agreements with Western countries, or the challenges facing post-colonial democratic infancy, developing economies have had an almost inverted growth trajectory. Focussing on Africa, the view that its population will double by 2050 creates challenges but also opportunity. With a growing population, the need for infrastructure becomes paramount and, as we are all aware, that is coupled with energy.

Historically developing markets were not given the chance to grow industrially / organically. However growing populations provide these economies with an opportunity to prosper in the long term. Infrastructure leads to a better quality of life, but most importantly paves the way for arguably the most important tenet of sustainability: financial inclusion. The source of all of this is energy, energy which some may argue can be in any shape or form. Developed markets are quick to assume that energy is a divine right, however the context remains different for those who are quite literally living in the dark.

The danger of the current ESG agenda is that anger and vitriol are somewhat misplaced when identifying who is responsible for hydrocarbon contribution in the global economy. Terms like “Big Banks” and “Oil Majors” are cast as if these institutions are pantomime villains trying their utmost to destroy the planet. But as with all things, there is a balance that needs to be struck between the needs of the environment and those of the people that live therein. ESG is not an acronym for: environment. Social and governance issues are just as important in assessing where we move forward as members of Earth. Even the first six United Nations Sustainable Development Goals focus exclusively on social issues that need to be addressed. The problems facing the planet go beyond climate change. Whilst it is an enormous issue, it should not detract from the fact that we want to have a planet that survives and looks after all life therein, but that is hollow if we systematically make things worse for people that live on Earth right now.

Private sector capital has always played a role in infrastructure and energy within developing economies. This is not me saying that they have done this out of the goodness of their heart, but whatever the profit margin, cash still flows through the system with the additionality of job creation and a better standard of life. If you removed this source of funding, what would happen to the developing economies who require funding for energy creation or infrastructure development? The counter position is: renewables. No, that is part of a solution but not the entire solution. Technologies are still expensive, transmission lines onto national grids (usually with one para-statal energy provider) are projects in themselves and whether these technologies can handle base load energy production for exponentially growing economies remains to be seen. Private capital should not have to operate in the shadows and conclude secret deals to provide people with basic human rights for fear of reprisal from activists and mainstream media alike. If anything, of anyone financing hydrocarbons, big banks are the most adept to do so as they have the requisite internal protocols to manage borrowers building efficient projects as well as adhere to ALL ESG standards. You cannot just cut an entire population group out because there is pressure to do so, there are other solutions which will be explored later in this article.

The same pressure faces large energy corporates directly, as well as oil companies. Leaving aside the human element facing millions of workers with regard to redundancies as a result of mass, almost immediate, closures of plants and refineries, consider the implications of what is to become of the assets from which these companies are being forced to divest. Would you rather have a large publicly accountable corporate controlling an extraction asset, or a privately owned company less susceptible to public scrutiny? By nature, large energy and oil companies are required to mitigate their impact on the environment and the communities in the immediate vicinities of their operations. Removing this buffer is tantamount to removing accountability in the sector and throwing communities in developing economies to the wolves.

So is this the article you read that denounces large banks and major oil corporates taking action against climate change? No, and far from it. There are ways in which the interests of these companies and the needs facing developing economies can be aligned, while at the same time not glossing over the issues with carbon credits and the like. Sustainability within the corporate landscape is at a point where market participants can work together to find solutions that are creative and work for both corporates and developing economies. Other metrics can be introduced to offset hydrocarbons, whilst still ensuring developing economies have the room to grow. The Central African Forest Initiative is an example of this, with Gabon pledging to protect its forests in return for financing from the Norwegian government. Countries can be asked to develop carbon absorption assets such as sea grass or forests to mitigate the damage done to the climate. These are all tools that can be easily worked into financings, especially by larger financiers. All that is required is a little creativity and a commitment to a long term view on sustainability.

Changes need to be made, but not at the sacrifice of others. We are all in this together, but most importantly each country is on their own journey, both economically and with regard to sustainability. The answer to solving the issues facing our planet is not cutting off those people that need our help the most. Perhaps we should also educate those of us who are demanding radical change, that sometimes it is not possible as there is always some form of collateral damage. Change must be managed and must happen organically. Perhaps the E, in ESG, should stand for empathy.

 

A lack of training and email security solutions is contributing to a rise in email threats targeting the finance sector.

Mike Fleck, Senior Director, Sales Engineering at Cyren

 

Email remains the most popular and successful attack vector in the digital landscape because it is simply the most commonly used digital communication channel across the globe. On average, over 330 billion emails are sent every day. The sheer volume, and the fact that almost every employee within an organisation uses email, makes this channel a popular target for potential security threats. Finance organisations use email not only for internal communication but also for customer service interactions and marketing. A banking survey in 2021 showed that over 76.8% of users consider email as the primary channel for communicating with banks. That’s why financial institutions are at the frontline of email-driven security risks.

In order to attain more insight into the email threats targeting the financial sector and the potential remedies, we talked to Mike Fleck at Cyren, a leader in enterprise email security solutions.

  1. What do you see as the main reason for the continued increase in successful email threats targeting the financial sector?

Email threats have become much more dynamic over the years.  Although phishing continues to be the most common attack vector in the domain of email threats, the mix of breaches attributed to email attacks has expanded significantly in recent times. In our latest benchmark research, we surveyed 226 organisations that use Microsoft 365 for email. We found that compared to 2019, there was a 71% increase in ransomware-driven email attacks, 44% increase in phishing attacks, and 49% increase in credential compromise attacks. Phishing is no longer the only path for email threats, as attacks are now being driven by multiple sophisticated methods, which evidently leads to more successful threats.

The financial sector has always had a red mark on its back to threat actors, mainly because of the highly sensitive information and valuable assets managed by financial organisations. Email serves as the most vulnerable and easily compromised access point for threat actors, which is why the number of email breaches has massively increased over the years. Our research found that the number of email breaches across all organisations has almost doubled each year over the past three years.

Although most organisations are using email client plug-ins for reporting suspicious messages, only 22% of the organisations stated that they analyse all reported messages for malicious content, leaving a major gap in awareness and threat response. Our survey showed that inefficient threat response and a lack of urgency is the most concerning factor for security managers. Threat actors are consciously aware of these shortcomings, which is why they are able to frequently launch successful email attacks targeting the financial sector.

  2. Why is the email channel so appealing for fraudsters, and what are the techniques they use to target financial service organisations in this way?

Historically, email has always been the primary channel for business communication, and as businesses continue to attain cloud-based services, email has become a productive norm for file-sharing and communication. Email channels also integrate easily with any cloud application, facilitating businesses to pursue more productive interactions. There is also the fact that email is accessible to most personnel regardless of their technical ability.

This flexibility and continued dependency on email is also the reason why it is an appealing channel for threat actors. Because email channels are integrated with almost every organisation’s platform, breaching an email allows cybercriminals to backtrack into critical network infrastructure and compromise valuable assets. Most threat actors tend to target the user rather than the system, and email channels are used by almost every employee in a financial organisation regardless of their experience, role, technical awareness, or skills. Therefore, targeting emails allows threat actors to utilize a much wider attack surface.

Another major reason is that breaching the email channel is far less complex than breaching secured network endpoints and access firewalls. With techniques like social engineering and phishing, threat actors often don’t have to use significant resources or complex methods to breach employee email accounts. Our research showed that phishing is still the most used technique by attackers; 69% of all email breaches were due to phishing attacks. Other frequent techniques were Microsoft 365 credential compromise (60%), malware (59%), and ransomware (51%).

The means of carrying out these attacks are also easily accessible and available to almost anyone. Threat actors can buy a ransomware kit for as low as $66, and phishing kits are available for as little as $20. So, even the most inexperienced attackers can use such tools to exploit the email accounts of users and gain access to the critical resources of financial organisations.

Simply put, email provides a direct and economical path to the weakest point of every organisation’s cybersecurity program – its people.

  3. How important is proactive security awareness training when it comes to defending against email attacks?

The previous consensus was that email threats thrive on the user’s lack of awareness. Cybersecurity leaders believed that the “last mile” problem of phishing attacks can be solved if employees are able to detect and avoid fraudulent emails. Frequent awareness training is important to help employees stay up to date on evolving email attacks and identify malicious content or messages more easily. Over 99% of organisations offer awareness training, but only one in seven organisations offer training monthly or more frequently.

The dynamics of the attack vectors and techniques change constantly with the emergence of new technologies and vulnerabilities. Without frequent training, employees won’t develop a conscious awareness of email threats. We found that organisations that offer email awareness training every 90 days or more frequently are less likely to fall victim to phishing, business email compromise (BEC), and ransomware attempts.

Our research also showed a correlation between frequent training and email reporting frequency. Organisations that offer frequent training also experience a high rate of malicious or suspicious email reports – meaning that employees become more conscious and aware of the potential threats. That’s why frequent proactive awareness training is critical for protecting against email attacks. However, organisations need to appreciate that a higher volume of reported emails will result in a higher number of alerts that Security Operations Centre analysts must investigate.

  4. What are the steps you would recommend financial organisations take to implement effective inbox security solutions that bolster their cyber resiliency immediately?

Financial organisations need to act quickly when responding to a potential threat, as even a fractional security breach can cause unprecedented damage to its assets. Organisations are beginning to realise that employees fall victim to these scams because they are busy and distracted – not because they are apathetic or gullible. Also, relying on employees to spot and report suspicious messages is not a complete or efficient solution to the problem. Employees do not consistently report every threat, and what alerts they do generate have a false positive rate of at least 41%. In addition to constant awareness training, organisations must incorporate effective inbox security solutions to increase their cyber resiliency.

When implementing effective inbox security solutions, financial organisations must consider the response and reporting time.  They must choose solutions that can detect threats in real time and automate the response to those threats for quick remediation.

An effective approach for financial leaders is to invest in automated solutions that can detect and remove social engineering threats in real time. Automated inbox security solutions can continuously scan inbound and outbound email folders, including their contents such as URLs and web pages. Such solutions can detect and report anomalies, resulting in real-time detection. Automated threat response solutions can strengthen the built-in security capabilities of the email gateway, such as Microsoft 365 Defender. Combining automated solutions with the existing threat response framework can optimise the response process and significantly reduce the time and cost of threat investigation.

 

Main Factors Accelerating API Security Risks in Financial Services

By: Yaniv Balmas, VP of research at Salt Security

 

The API ecosystem is exploding and nowhere has API delivery accelerated as much or as fast as in financial services. Leveraging APIs, financial services organisations can innovate and quickly bring to market unique customer experiences and services. While more than three-fourths of software developers say API development is or will be a top business priority, the figure is even higher in financial services – topping all other industries at more than 80%.

Because successful attacks are so lucrative against financial institutions, they have always been a top target. The growth of the API economy has made the financial sector an even bigger target, which is why minimising API security risks has become the top priority.

Four factors are driving the urgent need for better API security in financial services:

  • API usage in financial services is increasing
  • API attacks threaten digital transformation initiatives
  • API security incidents hurt customer trust
  • Traditional security solutions don’t protect APIs

API Usage Will Increase Even More

In financial services, the high-growth trajectory of APIs will continue to rise. With each use case and new service, the number of APIs in a typical financial services company grows ever higher.

APIs provide the required data connection to support today’s mobile financial applications and peer-to-peer payment systems. APIs are at the center of open banking. APIs enable financial services companies to standardise how they connect and exchange data, allowing consumer financial information to be instantly shared across organizations and third-party service providers. With different partners and technology suppliers, API connections are being continuously added to the financial ecosystem.

For financial services, that means even more APIs and a continuously growing attack surface that must be adequately protected.

API Attacks Threaten Key Business Initiatives

Open banking gives consumers more choices and convenience to address their financial needs. It also increases competition across the financial services industry and generates new revenue avenues. In addition, open banking provides more traditional financial institutions the opportunity to compete with faster-moving fintech companies.

Moreover, in financial services, Covid has hastened the adoption of digital transformation, including mobile and remote banking. In a pandemic-mandated stay at home world, consumers made their needs clear. They want integrated services and the ability to connect their financial lives when and where they desire. This requires banks and other finance companies to roll out new capabilities or risk becoming obsolete and losing customers and revenue.

Digitalisation has become a critical business initiative and is increasingly important in financial services. However, without the ability to protect the data being used within these services, financial organisations lose that opportunity entirely. Financial data breaches can cost the business in lost revenue from new opportunities and cause irreparable harm to an organisation’s brand.

Just a single API attack has the potential to wipe out all the gains made from an organisation’s digital transformation.

API Security Incidents Damage Consumer Trust

In financial services, the costs of lost trust can be high. Salt Labs, the research arm of Salt Security, provides ongoing API vulnerability research. In its latest report, Salt Labs uncovered a server-side request forgery (SSRF) flaw on a large fintech platform that provides a wide range of digital banking services to hundreds of banks and millions of customers.

The vulnerability had the potential to compromise every user account and transaction data served by its customer banks. Imagine the leaking of customers’ banking details and financial transactions and users’ personal data or, worse, unauthorised funds transfers into the attackers’ bank accounts.

None of these nightmares came to be, because Salt Labs found the problem before a bad actor did, and all issues have been remediated. But this type of exploit, had it occurred, would have likely caused irreparable reputational damage – not to mention financial losses, theft, and fraud.

The nature of financial services applications is to exchange sensitive financial and customer data, making APIs a high-stakes asset requiring protection.

Traditional Solutions Don’t Deliver Adequate API Protection

Most financial services companies have sophisticated runtime security stacks with multiple layers of security tools, such as bot mitigation, WAFs, and API gateways. These traditional tools provide foundational security capabilities and protection for traditional applications; however, they lack the context needed to identify and stop attacks that target the unique logic of each API.

Attacker activity looks like normal API traffic to traditional tools, such as WAFs, API gateways and other proxy-based solutions. Beyond rate limiting, their architecture limits them to inspecting transactions one at a time, in isolation. They also depend on signatures to detect well-known attack patterns. If the transaction does not match a known attack signature, the WAF will send it through. Since each API is unique with unique vulnerabilities, signatures cannot help prevent API attacks.

API security requires big data to capture all API traffic and artificial intelligence (AI) and machine learning (ML) to continuously analyse the large volumes of API traffic. Without continuous analysis of API traffic, you cannot understand normal behaviour for each unique API and gain the context required to pinpoint attackers.
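The difference between per-transaction signature matching and cross-request behavioural analysis can be shown on a small scale. The following is an added example, not code from the article or from Salt Security, and it uses a simple median baseline rather than the AI/ML analysis the article describes; the endpoint path, token names, log records and the 3x-median threshold are all assumptions constructed for the illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample records (caller token, method, path); not real traffic.
# The endpoint and token names are assumptions made for this illustration.
SAMPLE_LOG = (
    [("tok-a", "GET", "/accounts/1001/transactions")] * 3
    + [("tok-b", "GET", "/accounts/1002/transactions")] * 2
    + [("tok-b", "GET", "/accounts/1003/transactions")]
    + [("tok-c", "GET", "/accounts/1004/transactions")] * 2
    + [("tok-d", "GET", f"/accounts/{n}/transactions") for n in range(2001, 2009)]
)

# A few well-known attack patterns of the kind a signature engine matches.
SIGNATURES = [
    re.compile(r"(?i)'\s*or\s+1\s*=\s*1"),  # classic SQL injection probe
    re.compile(r"\.\./"),                    # path traversal
    re.compile(r"(?i)<script"),              # reflected script tag
]

ACCOUNT_PATH = re.compile(r"^/accounts/(\d+)/transactions$")


def signature_hits(log):
    """Per-request view: return the records that match any known signature."""
    return [rec for rec in log if any(s.search(rec[2]) for s in SIGNATURES)]


def distinct_accounts_per_caller(log):
    """Cross-request view: which account IDs did each caller touch?"""
    seen = defaultdict(set)
    for caller, _method, path in log:
        m = ACCOUNT_PATH.match(path)
        if m:
            seen[caller].add(m.group(1))
    return dict(seen)


def flag_outliers(accounts_by_caller, factor=3.0):
    """Flag callers whose distinct-account count exceeds factor x the median.

    The median across callers stands in for "normal behaviour" of this one
    endpoint; the factor of 3 is an assumed threshold, not a recommendation.
    """
    counts = {c: len(ids) for c, ids in accounts_by_caller.items()}
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted(c for c, n in counts.items() if n > factor * baseline)


if __name__ == "__main__":
    # Every request is individually well-formed, so no signature fires.
    print("signature hits:", signature_hits(SAMPLE_LOG))
    per_caller = distinct_accounts_per_caller(SAMPLE_LOG)
    print("distinct accounts:", {c: len(v) for c, v in per_caller.items()})
    # Only the aggregate view shows one caller reading many accounts.
    print("flagged:", flag_outliers(per_caller))
```

Each request in the sample passes the signature check on its own; the outlier only becomes visible once requests are grouped by caller and compared against what is normal for that endpoint.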

In addition, while open banking defines standards around how APIs should be structured to enable predictable integrations and communications, open banking provides no standard to meet the majority of API security requirements. Moreover, basic controls, such as authentication, authorisation, and encryption, fall short of meeting API security challenges.

API Security at the Forefront for Financial Services

APIs have become essential for financial services to meet changing consumer expectations and innovate to remain competitive. At the same time, APIs are now the most frequent attack vector. In the past 12 months, 95% of organisations experienced an API security incident, and API attack traffic grew 681% – more than twice as fast as overall API usage traffic.

Therefore, financial services organisations must put API security at the forefront to protect this growing attack surface. To do so requires dedicated API security tooling for the entire API lifecycle that provides continuous attack surface visibility, early attack prevention, and automated insights for continuous API improvement.
