15-10-2015 | POINT OF VIEW
Cyber: Safe today may not be safe tomorrow

The revelation earlier this week that UK retail banks may have lost some £20m to cyber attackers has once again focused attention on our banks’ defences against online criminals.

We should not be surprised at the attention.  Banks are custodians of some of our most valuable assets and, not surprisingly, protecting these assets – whether our money or the rich personal data that they hold about us – is a priority for them. Gaining access to those assets is, equally unsurprisingly, a priority for those with very different objectives.

Should we be worried? No… and yes. Thankfully, news of major cyber-breaches is rare enough still to make headlines but this is an unreliable indicator of the intensity and frequency of the attacks against which banks have to defend themselves.  Ask a bank about its security and it is likely to point you towards a list of the regulations with which it complies and a plethora of processes that are in place, but these show only part of the picture. If we want to get a more complete assessment of a bank’s security performance, and how it changes from day to day as attackers become both more sophisticated and more tenacious, we must interrogate data that show what is really happening on the front line.

The trouble is that, for obvious reasons, banks do not publish details of attempts to breach their defences. However, their responses to attacks leave traces – almost like a digital echo – on the internet, if you know where to look.

Using new analytical tools, it’s possible to assess risk and provide objective, evidence-based measures of security performance. For our report, “Safe Today May Not Be Safe Tomorrow”, we used data from BitSight technology to evaluate the online security performance of 48 of the UK’s retail banks. Analysing consolidated data from a number of globally accessible sources, BitSight can quickly measure the effectiveness of almost any organisation’s cyber security controls. The data include indicators of possible breaches, system infections, improper configurations and evidence of poor security hygiene.

We found that around three-quarters of the banks we analysed had fallen below the most advanced level of security at some point during the past year. That isn’t to say that they were compromised, necessarily, but that their response to being attacked could have been better.

For example, almost a third of retail banks had been exploited by malware, of the kind used in the cyber attacks publicised this week, at least once in the last year.  For some, it was far from an occasional inconvenience. On average, exploited banks were taken advantage of 29 separate times in the last 12 months, with the worst offender (or most vulnerable victim) exploited on 181 occasions – virtually every other day. Each event took an average of two days to resolve, although some exploitations took as long as five days to fix.

The good news for customers – and regulators – is that the banks are very focused on maintaining security.  At Barclays, for example, security guru, Troels Oerting, deploys his own team of hackers to probe and test the bank’s defences on a daily basis. But increasing connectivity, mobile technology, an exponentially growing volume of information and, indeed, our own demands for Triple-A (Anywhere, Anytime, Anyhow) access to our bank accounts mean that vulnerabilities are constantly changing.

Regulations can provide some boxes to be ticked, but can never hope to keep up with the constantly mutating nature of the threat. Vulnerabilities change and vary by organisation. Traditional strategies and tools for measuring security risk are also inadequate against the constant stream of new and emerging cyber threats. Compliance with a regulatory standard is therefore unlikely to address all the unique vulnerabilities a bank has to deal with. You can be compliant and still vulnerable. An unintended consequence is that investment that could potentially be allocated to anticipating new threats is instead consumed by regulatory compliance.

So, although the regulatory requirements on banks may be considerably more robust than for other businesses, they can no longer assume that just because they are safe today they will still be safe tomorrow. In a world in which they have to run hard to stand still, against determined competition fuelled by steroids, the banks are going to have to run a lot faster in the future.

For more information contact:

Michael Soppitt
Email: msoppitt@pfg.uk.com
Phone: +44 (0) 207 100 7575

@p_f_g - Parker Fitzgerald