The report published by the FCA does not specify how much detail FS providers will be forced to go into. However, a major incident is classed as one that prevents customers from using banking services. In January 2017 Lloyds Banking Group suffered a 48-hour online cyberattack which saw hackers send millions of fake requests to the Groups’ servers in order to grind systems to a complete halt. The ‘denial of service’ (DOS) attack was ‘geo-blocked’ by Lloyds IT security experts effectively blocking access to the server. However, this also blocked legitimate requests from consumers. The information that FS organisations hold is hugely sensitive, and therefore when an attack like this happens they are held to a higher account by consumers than other organisations.
The incident came just months after the Tesco Bank cyberattack that saw an unprecedented loss of £2.5 million from 9,000 accounts. The threat to the UK’s financial infrastructure has meant that FS is under scrutiny, with a higher need for accountability directed at them from consumers whose trust has inarguably been eroded.
Outdated legacy software is allowing cyber criminals to target everyone – from the C-Suite to everyday consumers in their own homes. Legacy programming language is not being taught to today’s engineers with middle and back office systems only able to report transaction failures and risk triggers after the fact.
All companies that hold credit card details, particularly retailers, have to be compliant to regulations which have been drawn up by FS companies, such as Visa. The fact that FS organisations have drawn up standards for other sectors, and yet remain so prone to attack is ironic and perhaps worrying.
The lack of transparency within organisations is also an issue. This has meant that the C-suite cannot see the build-up of risky positions or business practices, simply because they are either not aware or do not understand it.
This, coupled with the fact that Business Email Compromise (BEC) targets specific individuals within companies impersonating C-level exec emails, rather than a mass phishing approach, means that it’s far harder to differentiate between the real messages and the fake ones, meaning that scams are more likely to be successful and are far harder to prevent.
The ‘internal threat’ or rather the internal infrastructure and the employees, are the biggest problem within organisations whose security controls are not sophisticated enough to match the threat. With legacy or simply ‘poor’ coding in place, as well as merged technology adding to the complexity of decaying infrastructure, less refined threats like SLQ injection and XXS are still able to get through.
As cyber security attacks in FS increase and with safeguarding regulations becoming more stringent, the key to success is ensuring that IT security is depicted properly across the organisation. The previously isolated role, offered purely technical and practical support and whereas there still is a need for this, the role of the CISO should be far reaching across an organisation, where they are increasingly operating in a dynamic digital environment with the growth of online processing and cloud services.
To comply with the FCA deadline, assessing operational resilience is key, and FS companies need to understand its assets and be constantly evaluating where they are vulnerable through rigorous testing.
Red and blue team testing, as favoured by military and government organisations, uses role-play testing to simulate dummy cyber-attacks in order to allow FS organisations where its weaknesses lie and where to neutralise threats. With each IT team playing the role of attacker and defender, they get to practise both how to identify an attack and how to deal with it.
Having a response prepared ahead of a cyber-attack is also critical and by using software analytics and forensic techniques such as reverse malware engineering, host-based intrusion and detection and network analysis, helps to define the breach vector and how it took place. This information will in turn help the CISO determine the aims and impact on FS and report back at board level.
FS has no choice but to consider the people behind the data because once the FCA rules are enforced, any FS found wanting will find that its customers will be doing the talking with their feet. Therefore, cyber vulnerabilities need to be the top priority for companies rather than an afterthought, or even worse, when disaster has struck.