Scott Nicholson, Director at Bridewell Consulting
Cyber attacks are a threat to all industries, but financial sector organisations are of particular interest to threat actors due to the value of the information they hold. In fact, financial services firms fall victim to cyber security attacks 300 times more frequently than businesses in other industries, according to Forbes.
And the rise in the number of attacks is not likely to slow down. Indeed, according to the Financial Conduct Authority (FCA), companies reported 145 breaches in 2018 compared to 25 in the previous year.
In 2017, NotPetya malware infected thousands of computers worldwide within hundreds of businesses, including several global organisations such as Maersk, Merck and FedEx. However, financial services companies did not feature heavily on the list. This has nothing to do with fate — the FCA reports that 90% of financial companies operate a cyber awareness programme and many describe themselves as having effective cyber controls. Yet, it also reports that businesses are struggling to identify and manage high-risk staff, including those who deal with critical and sensitive data. And with socially engineered attacks being reported as the most common type of cyber attack, this is of particular concern.
Additionally, the World Economic Forum (WEF) now regards cyber crime as one of the biggest threats to businesses and the economy as noted in its 2019 Global Risk Report. But it can be difficult for financial services organisations to assess their own individual risk. Red teaming is one way to overcome this.
When hacking needs a red team
Ethical hacking is a way for companies to test a particular element of their business and see how resilient it is to attack. Essentially, the ethical hacker will assess the system’s security and report back to the business in terms of what they saw, what they were able to do and how much went unnoticed. Typically, the test will involve web application penetration testing, infrastructure penetration testing or mobile device and mobile application penetration testing.
A red team engagement takes things a step further. It doesn’t just focus on the technology elements. A full-attack simulation focuses on all areas of your business and could include social engineering, physical access attempts, active reconnaissance and the full suite of technical penetration testing techniques.
A typical engagement is likely to take several months and should include some typical milestones such as an assessment with agreed objectives and safeguards, start and end dates, as well as a time to present the findings to the Executive Board. But how does it work in practice?
Attacking for success
Looking at one particular example, a cyber security and data privacy company performed a red team assessment for a financial services organisation that was looking to undertake a real-world test of its security controls.
The cyber security company developed a remote access device using a Raspberry Pi. It was able to connect this to the client network after successfully cloning a client badge to gain physical access. By exploiting vulnerabilities within the internal infrastructure and gaining access to various services, it eventually reached the main customer databases, which contained approximately five million customer records.
In addition, the cyber security company decided to focus on the human resources department. It created fake LinkedIn profiles and CVs and contacted the department to discuss various job roles. The cyber security company was able to discover that the financial services organisation was using a well-known email filtering product. However, it exploited a particular configuration of the product and sent email attachments which deployed malware onto the client’s laptops, providing access to a large set of personal data files.
The final part of the assessment involved presenting findings back to the board and then working with the financial organisation to improve its internal security architecture.
Staying ahead of the threat
Having an effective cyber security strategy is not just a technology problem. It needs full involvement and support from the C-suite and board, but senior leaders do not always fully understand all the risks — particularly the risks from employees themselves.
A red team assessment is a way to get everyone’s attention and gain perspective from a hacker’s point of view. The G7 Cyber Expert Group, of which the FCA is a part, advises threat led penetration testing for the financial sector in light of the increasing persistence and sophistication of cyber risks which have the ability to disrupt our global financial systems.
The costs associated with an attack are often difficult to fully quantify but The Ponemon Institute calculate the average total cost of a data breach to be $3.86 million in its 2018 report. And with attacks becoming more sophisticated and prevalent, red teaming is one way to stay ahead — identifying and mitigating weaknesses in both cyber and physical defences in order to remain as resilient as possible.
WHY DIGITAL TRANSFORMATION IN FINANCIAL SERVICES IS ABOUT CULTURE FIRST, TECH SECOND
Stuart Templeton, Head of UK at Slack
In today’s world, there’s no such thing as a ‘non-tech fin’. Every financial services company needs to consider itself a fintech in order to bring about the innovation, speed, and transparency that customers expect, and that’s why most are pumping significant investment into their digital transformation efforts.
Part of the challenge faced by traditional incumbent banks is that they rely on legacy core systems that stifle the speed of change. These core systems were not built in an API-first era. The good news, of course, is that the obligations of PSD2 and open banking have gone some way to facilitate future innovation.
While legacy banking platforms do continue to present a technical challenge, the human one can be even greater. Traditional institutions are often faced with the prospect of rebuilding their culture from scratch in the pursuit of becoming digital-first. Like many industries, the fundamental challenge is one of coordination: the creation and maintenance of alignment over time.
Couple this with the fact that the expectations of today’s workforce are changing, and companies in the industry have a real job on their hands. A growing percentage are digital natives, and millennials – who greatly value trust and transparency – make up the largest proportion of the workforce today. So how have businesses in the industry historically ingrained culture, and how does this need to change?
Old ways of working – Team A, and Team B
Traditionally, the culture within large financial organisations has been separated into two distinct teams: operations and tech. They are driven by seemingly opposing forces – one by Gantt charts and lofty business goals, the other by agile software delivery and customer obsession. Often, the two don’t even speak the same language, let alone collaborate and share ideas. Of course there are digital projects, but they aren’t the embodiment of the business, and often tech teams find themselves battling to get buy-in from internal stakeholders who are somewhat removed from those that drive innovation.
Part of the problem is even the notion of having digital transformation projects – there is no such thing in today’s environment – as digital is an overarching movement, and financial services institutions must think of themselves as ‘digital factories’ in order to see a marked change. It is no longer enough to deliver tech updates both internally and externally once every few months, with speed diminished by layers of bureaucracy.
What needs to happen, then, is that these two business segments need to find a way to blend that helps the old incumbents forget their binary ideas of teamship from times gone by and instead lets them come together to become one unit. Flattening the established hierarchy so that workers from across all lines of the business can communicate, share ideas and identify problems in real time is, after all, the key to addressing the transformation gap. They need to think on their feet and iterate as they go: it’s agile thinking, but permeating beyond just the software delivery cycle.
Eating the elephant – one bite at a time
The solution, in theory, is relatively simple: companies need to break open the silos of information created by technologies like email and ensure anyone within a business has access to the knowledge and skills they need to make their projects a success. But of course, in practice, this can present a seemingly insurmountable task.
Using technology to create an agile and transparent working environment that fosters collaboration is key for many financial services organisations that want to see real tangible results from their investments. Digital natives such as TransferWise and Starling Bank are getting this right by prioritising a decentralised business model, one that empowers collaborative working and knowledge sharing that in turn has a positive impact on employee satisfaction and retention.
They do this through collaboration hubs that provide a rich, permanent, searchable record of knowledge for everyone in the organisation.
Looking ahead: Team ‘us’
Predictions are very difficult, but in five years’ time we can expect to see a greatly altered perception of the financial services industry. We can expect that digital communications tools will continue to play an integral role in the evolution of their workforce culture, helping to bring the right people together internally within the business, as well as strengthening relationships externally with partners and customers alike.
Ultimately, in order to keep learning and improving, banks need to ask questions of themselves as competition and customer demand become fiercer: “Why are we doing this?” “What’s the benefit here, and who are we considering in the pursuit of this goal?”
To answer these things, a culture of collaboration and openness is key – underpinned, of course, by the tools that empower it.
DISPELLING BIOMETRIC MYTHS AND MISCONCEPTIONS
By Lina Andolf-Orup, Head of Marketing at Fingerprints
Gangsters cutting off enemies’ fingers to access secret locations and spies lifting fingerprints from martini glasses – the imagination of the entertainment world has been running wild ever since biometrics entered the scene.
Couple that with the limitations of some early biometric solutions from fifteen years ago, still anchored in the minds of many consumers, and you have the perfect recipe for an apprehensive and uncertain public.
Thawing lukewarm attitudes with a biometric touch
The biometrics industry has made great strides in the last few years – something particularly true for smartphones. Fingerprint authentication has replaced PINs and passwords as the most popular way to authenticate on mobile, with 70% of shipped smartphones now featuring biometrics.
And it doesn’t end there. Many adjacent markets are now eager to benefit from the secure and convenient authentication solutions that biometrics offer. Take the payments industry, for example, where biometrics payment cards are currently gathering real momentum.
However, some consumers are still uneasy about accepting biometrics. A recent study found that 56% of US and EU consumers are concerned about the switch to biometrics because it is not well enough understood to be trusted.
Although attitudes are shifting for the better, stats like this demonstrate there is still some work to do to disprove common biometric myths and showcase just how smart today’s solutions really are.
Dispel, adopt, repeat
The evolution in consumer biometrics in the last two decades has been phenomenal. And today’s solutions are far more advanced and safe than many may think.
To help bring an end to the myths, let’s expose some of the most common misconceptions around biometrics.
Myth: Biometric data is stored as images in easy-to-hack databases.
A leading myth about biometrics is that when a fingerprint is registered to a device, it is stored as an image of the actual fingerprint, and that this image can then be stolen and used across applications. In reality, the biometric data is stored as a template in binary code – put simply, encrypted 0s and 1s. Storing a mathematical representation rather than an image makes hacking considerably more challenging. In most consumer applications, this template is also not stored in a cloud-based location; it is securely hosted in hardware on the device itself, for example in the smartphone or in the payment card. Thus, it stays privately with its owner.
Myth: Fingerprints can be easily replicated to ‘trick’ devices.
The internet is full of articles and videos that claim it is possible to use materials from Sellotape to gummy bears to craft fingerprint spoofs and access biometric systems. Although there may have been a time when gummy bear spoofing was the go-to party trick, today’s consumer biometric authentication solutions have too many technological defences, such as improved image quality and matching algorithms, to simply ‘trick’ devices. Plus, on top of this, the criminal needs to have access to the person’s device where this fingerprint is enrolled (e.g. smartphone, payment card) before he/she notices and blocks it. This is neither scalable nor common, in comparison to gaining access to someone’s PIN code or skimming a contactless card.
Myth: Physical change will prohibit access to my device.
Although our irises don’t change as we age, our fingerprints can and our faces will. Does that mean we have to update our biometric devices every few months to capture these changes? Not quite! Unless there are drastic, sudden changes, the ‘self-learning’ algorithms in modern-day biometric systems are able to keep up with our developing looks.
Who you gonna call? Mythbusters!
These are just some of the common biometric myths and misunderstandings persisting in consumer mindsets. Thankfully, though, while we’re working hard to rid the world of the myths, belief in the value of biometrics is only expected to grow. But as solutions expand and diversify, the myth-busting fight will continue.
Fingerprints has been a leader of innovation in biometrics for the last two decades. We’re proud of the expertise and R&D we’ve been able to pour into our biometrics solutions to deliver stronger security and a better user-experience. To learn more about the most common biometric misconceptions and the modern-day technology that allows us to dispel them, download our eBook here.