Opinion: Balancing online risk & opportunity

Proactively addressing growing threats of cybersecurity and technology risk can pay dividends in protecting and enhancing banks’ operations and brands. By Mike Codling, PwC Banking Leader.

Mike Codling, PwC

The modern banking industry is built on hundreds of years of experience, punctuated by economic downturns and market shocks, global catastrophes and high-profile business failures. At the same time, banks have been a persistent target for criminal enterprises.

Nowadays, there are global regulatory and legal systems to deter and prosecute traditional financial crime. The industry is informed by markets that determine prices, agencies that advise on risk, and central banks and regulators that monitor behaviour. Our financial institutions take a very mature and serious approach to managing their business risk. Comparatively, cybersecurity and technology risk management is relatively underdeveloped.

Openness creates problems
Part of the problem is that the internet is not controlled by a single entity, has little governance and oversight, is very complex and is not well understood. What’s more, organised criminals are clearly attacking online finance channels and are increasingly sophisticated and motivated in their ability to exploit flaws in the way the internet operates and in specific products.

For example, for some time criminals have targeted online consumer banking services using the Zeus Trojan, which records passwords to online banking sites, so that organised groups can then access accounts and transfer money to where it can be laundered. More recently, the Zeus Trojan has developed to infiltrate the short message service used by many online banks as an additional control, further undermining many online authentication schemes.

RSA, a leading security provider of authentication tokens to many banks around the world, was recently targeted and the secrets of its encryption stolen, weakening what has been a trusted method of protecting access to key systems in the last decade.

There is also now a large black market for the tools used by criminals to attack companies. This is supplemented by the sophisticated illicit trade of stolen personal information, credit card numbers and intellectual property. Both are operated by criminal networks from jurisdictions where there is a limited legal framework.

Additionally, underground hacktivist groups have begun using the internet to create mischief or disseminate ideological messages, which can cause serious harm to corporate images, sometimes unintentionally and sometimes deliberately. These attacks have focussed either on denial of service to disrupt online services, or on stealing corporate information and posting it publicly to damage the company’s brand.

Visa and MasterCard were recently targeted by the “Anonymous” group of online vigilantes in retaliation for their involvement in restricting payments to Julian Assange’s WikiLeaks organisation. The attacks disrupted their ability to process payments for several days and disrupted merchants’ ability to take payments.

The cybersecurity threats and vulnerabilities are multifaceted, growing and serious – and it would be easy to fear the uncertainties. Having said that, many of you will be reading this article on your iPhone, Android or iPad – and new technologies must continue to be (and are being) embraced by banks.

Responding in a confident fashion
Most financial institutions see the digital revolution as an important opportunity. This is in spite of emerging new competitors, such as Sony, which recently announced that it was considering launching an online banking business in Australia.

The reality is no institution can reasonably expect to stay ahead of cybercrime. What steps should be taken so organisations are more resilient, and better placed to respond to an attack? You might consider one or more of the following:

  • Bring cybersecurity into operational risk – Cybersecurity and technology risks are business risks, so treat them as such. Do not isolate your technology people. They are your inside track for understanding and protecting against cyber risk and are plugged into the right ecosystems. Bring them into your operational risk functions and embrace managing technology and cyber risk as part of your overall risk framework. Teach them about structured risk, while they teach you about technology and cybersecurity. Create an inclusive culture that empowers your cybersecurity professionals with a “seat at the table” and brings their innovation into your risk management capability.
  • Predict the future rather than monitor the past – Monitor leading indicators that help predict your ability to manage emerging risks, rather than just tracking past performance. Leverage the experiences of others. For example, when you learn that other organisations are under attack or leaking information, it is likely your own faces similar risks. Most financial institutions are built on the same set of standards, principles and technology, and when these fail for a competitor there is a good chance they could fail you as well.
  • Build on your trading experience – Many banks operate trading activities that engage risk in fast-moving, unpredictable global markets. This environment is surrounded by mechanisms and controls that allow the traders to take risk but manage it within an acceptable level. Learn from this experience to create an environment where your technology people can take business risks in a controlled manner.
  • Increase the speed of response – Many business and technology incident response mechanisms are not designed to monitor, detect and react at the speed necessary to limit exposure to cybersecurity threats. Assemble a cyber emergency response team and empower them with the authority to take appropriate steps to defend and protect the company in the event of an attack, and to gather evidence that can be used to prosecute. Social networks allow brand-damaging news and rumour to spread rapidly; banks should monitor this and be prepared to respond appropriately and with authority.

Mike was joined by Stephen Quigg, who specialises in helping financial institutions combat cybercrime.

Categories: Banking
Author: Mike Codling, PwC, bkellerman@financialpublications.com.au
Article Posted: August 15, 2011
