How banks deal with growing cyber threats and stricter laws

16 March 2018

Cybercrime is putting a huge strain on banks, combined with strict new rules that severely punish data breaches. Chief Executive Officer hears from a selection of cybersecurity officials about how banks are dealing with these threats – and how a global response is vital for putting an end to criminal hacking.

Hacking started as a joke: in 1903, during an early public demonstration of the radio, John Nevil Maskelyne hacked into the technology and began sending rude messages over Morse code. To start with, he kept things general, spamming “rats” until the audience began to cotton on. Then Maskelyne took aim at the star of the show and inventor of the radio, Guglielmo Marconi, jesting, “There was a young fellow of Italy, who diddled the public quite prettily.” The incident provoked a rush of angry letters to The Times, with one correspondent complaining that the prank was nothing less than “scientific hooliganism”.

This feels rather quaint nowadays. While Maskelyne’s prank was victimless – except perhaps to Marconi’s reputation – modern hackers are able to cause enormous harm to countries and their economies from the comfort of their bedrooms. In 2016, North Korean hackers stole US military secrets from a server in South Korea. Earlier this year, criminals broke the computer systems of hospitals around the UK, causing deadlock for days.

The financial impact of cyberattacks is equally enormous. According to a report by Hiscox, cybercrime now costs the global economy $450 billion each year, a figure that is expected to leap to $2 trillion by 2019. With mountains of data on clients, as well as billions of pounds encoded in ones and zeros, banks are popular targets.

Institutions have already learned this the hard way: hackers recently compromised UniCredit, Italy’s biggest bank, stealing the details of 400,000 customers. Last year, Tesco Bank admitted to a hack costing £2.5 million.

With criminals using more sophisticated hacks, and new legislation making the cost of slip-ups eye-wateringly huge, banks have plenty of work to do. However, by combining recruitment procedures with in-house reforms, financial institutions are doing plenty to stay safe – making themselves and their customers richer.

Thieves and hacktivists

Troels Oerting is in a good position to reflect on these challenges. By the time he started work as the group chief security officer and group chief information security officer at Barclays, in 2015, he had already spent years fighting cybercrime. After 30 years in the Danish police and intelligence services, Oerting became the assistant director of the information management technology department at Europol. From 2011, he was head of the European Cybercrime Centre.

Although other groups sometimes try to breach banks’ security, Oerting’s main foes are still career criminals. “If we quantified the biggest threat to banks, it’d be from organised criminal networks. They are very active,” he begins. “We also see some activity from nation states and from ‘hacktivists’ who disagree with Barclays’ policy. These are the three main areas of danger, but we consider organised cybercriminal networks to be the biggest threat. They have real expertise.”

This assessment is supported by Nigel Harrison, co-founder of the Cyber Security Challenge UK, an annual event aimed at finding new cybersecurity talent. “Most people who attack banks do it for financial gain,” he says. “They’re after credit card details and financial transaction details, whether that’s for immediate financial gain – managing to get money directly from the bank – or whether it’s via a third party and acquiring customers’ account details.”

Industry figures have similar warnings. “This year saw a spate of high-profile malware attacks, such as WannaCry and NotPetya, as well the highly publicised breaches suffered by Equifax and Deloitte,” says Torgrim Takle, CEO of Crayon Group, an IT consultancy firm. “These risks have been exacerbated as IT struggles to keep track of assets deployed and in use within business.”

General Data Protection Regulation (GDPR)

Criminals are not the only incentive that banks have to keep data safe. The GDPR, which comes into force next year, will levy stiff fines on banks that are careless with clients’ financial information. As Harrison explains, these changes are far harsher than the Data Protection Act. “The maximum fine under GDPR is 4% of global turnover,” he says. “Currently, it’s something like £500,000. TalkTalk got fined £400,000 for the big leak it had last year. But if you think about 4% of global turnover for an organisation like Barclays, that’s a lot. So clearly, it’s focusing people’s minds on improving.”

GDPR also widens the scope of what is considered sensitive information, putting further strain on banks and companies, especially ones that have avoided their responsibilities in the past. “The requirements are consistent with best practice for handling data, so companies that handle data appropriately should not find this much of a burden,” said Matt Hancock, minister of state for digital, in a recent appearance before a House of Lords committee.

“But it will require some companies that do not have best practice to come up to speed. We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyberattack.”

Takle believes that the legislation is an opportunity. “GDPR can be viewed as an opportunity to bring clarity and transparency to the way in which companies handle data security,” he says. “In turn, by looking more closely at securing the perimeter and the data that resides within it, enterprises will be forced to examine, log and secure IT assets.”

Human firewall

Banks and companies are rushing to tighten up their security – no matter the benefits of GDPR. One important change involves improving ‘cyberhygiene’ and squashing gaps in the system before they’re exploited. “Cyberhygiene is about making sure that we always upgrade our systems, and patch for important upgrades [and] that you must not leave open doors for criminals,” Oerting says. “We then also need to look forward with our security partners to see if this is where we're going to be in a year, and how to ensure that our systems are well suited to the threats.”

Fighting breaches can even begin before new technology is released, Oerting continues. “Before, we developed technology that, while sexy, was not strong enough when tested,” he says. “In the new concept, we very much build in security by design. Security experts are involved from the very beginning, and are part of the development process. They sit next to the programmers. In this way, the end result hardly needs any testing, because we’ve already built security into the system.”

Teaching staff about potential risks is also important. “One of the best ways to safeguard company security is to have a very clearly defined IT policy on the use of cloud services and unlicensed software within the business, especially for remote workers,” Takle explains. “It’s impossible to protect what you cannot see, so being able to prevent the use of unapproved cloud services outside of the corporate network [is vital].”

Harrison adds that customers need to be engaged too. “A major challenge is that banks face a cybersecurity threat to their reputation,” he notes. “People try to impersonate them. An email, purporting to come from a bank, will go out to a customer. I had one a couple of days ago, but it was from a lender that I don’t deal with, so I automatically knew it was a scam. But they might strike lucky, so banks have to educate customers.”

Job ready

This focus on people extends to recruitment. Although clichés of teenage prodigies hunched over their laptops are hard to dispel, modern cybersecurity is about finding people who work well together. The Cyber Security Challenge UK, promises to do just that by bringing teams of promising ethical hackers together for a day of intensive tests. Harrison hopes his events remind people that modern cybersecurity is changing. “We’re not just looking at the hard technical skills that many people associate with cybersecurity,” he says. We’re also looking at people’s soft skills. We’re trying to identify people whom I’d class as ‘job ready’.

“We want to appeal to a whole raft of different people, from those who are career changers to those who are perhaps looking to leave school and get an apprenticeship, or perhaps are just about to graduate and are looking for a graduate job in the industry. Out of 30 competitors, the youngest was 15 and the oldest was in their late 40s. The assessors identified that at least 20 were people to whom industry would give an immediate job offer.”

Barclays sponsored the most recent event and Oerting is keen to emphasise that he’ll happily take on promising ethical hackers. “If we can do anything to find and promote new talent, we will,” he says. “I don’t just mean to work for Barclays, but for any bank or any other big company that holds digital assets. We also have events to attract young people who might not be suited to an education at one of the posh universities, but still have the skills we need. If we can highlight them, I’ll be happy to take them on board.”

International response

Schemes like this have increased the number of experts in the industry, but the global shortfall of specialists is still predicted to reach 1.8 million by 2020. A need to make up the numbers is leading banks to surprising places, Harrison says. “Those on the autism spectrum have a great talent at being able to spot anomalies,” he explains. “They can see all that other minds – that aren’t wired in the same way – can’t see. So encouraging more of these sorts of people into the workforce would be great.”

But ethical hackers cannot tackle cybercrime alone. Woeful conviction rates mean that banks need to work closely with governments in coordinating a response. “The financial world is so interconnected now that governments will see it as their duty to collaborate on cybercrime,” Harrison says. “Companies need to be involved, but they shouldn’t just lobby one or two Western governments. They have to lobby the international community. I think this sort of international regulation will be a real challenge, but hopefully we’ll have made substantial progress on it in five years.”

Oerting agrees, adding that companies need to work towards making hacking a riskier career choice. “I think there’s a huge need to have a system that empowers deterrence,” he says. “Until that happens, the majority of cases will be defence cases. We can defend ourselves, but we can’t really make cybercrime unattractive. That’s why criminals tend to escalate [because], if there’s no risk in crime, [then] there’s low investment and high profit. I think these are factors that countries need to think about. We need to create international norms.”

This is great in theory, but as countries like Russia tolerate hacking within their own borders, it remains unclear if a global response to cybercrime can work. In the meantime, banks are better off training new talent and educating customers about the threat; if they get a spam email, they should probably be suspicious.

Harrison (far right) and Oerting (far left) with competitors at the Cyber Security Challenge UK.