We are living in an increasingly connected and digital world, one in which the delivery and consumption of financial services is moving online. This is driving a hugely positive and rapid evolution in financial services, offering customers more choice and a generally more convenient and focused experience. However, this positive evolution can be undermined by a breakdown in trust between companies, their partners, customers and regulators, driven by failures to protect against cyber-enabled crime. This matters even more for fledgling financial services businesses such as FinTechs, where hard-won customers can be quickly lost through a breakdown in trust.
There is a complex vocabulary that accompanies cyber security, complemented by a huge number of confusing and expensive systems hitting the market that claim to combat the risk of cyber-enabled crime. For those without deep experience in cyber and data security it can be daunting to get your head around, never mind to understand in simple terms what you should be doing to better protect your customers and business. We are often asked by our clients and contacts to help them simplify the discussion around cyber and data security, so that is what we are going to do over the next few months. FINTRAIL are going to strip it back to the fundamental basics, in language that everyone can understand, and provide some useful pointers that should help readers think logically about the risks they face. Where we do use a technical term, you will find it hyperlinked to its definition.
Understand the scale of the problem
The aims of the cyber criminal will determine a business's attractiveness as a potential target. As a general rule, any business could be the target of a ransomware-style attack, as this tends to be a volume approach: infect everyone and see who pays up. However, the nature and construction of a particular business model or system will have characteristics that make it more or less attractive to cyber criminals. For example, do you provide customer accounts or facilitate value transfer? Do you collect and store lots of data on customers? Do you integrate with partners, or allow partners to access your network or systems? Answering yes to any of these may, at face value, make you more attractive to cyber criminals, because the reward for them is higher than it would be from targeting an individual.
In this edition we are going to focus on the logical and simplest place to start, which forms our basic step number 1: understand the risks and the scale of the problem.
We have been watching with interest over the last few years as the boundaries between physical and digital crime have become increasingly blurred. If you read the news in any given week there are usually a number of cyber-related stories hitting the headlines, whether it be well-sourced and detailed allegations of state-sponsored interference in national elections, cyber fraud targeting retail banking customers, or attacks on institutional banking systems. It can make for daunting and at times confusing reading, but it is really important to set this issue within the context of your own business.
The 2016 UK National Crime Agency (NCA) Cyber Crime Assessment made a number of interesting observations:
The accelerating pace of technology and criminal cyber capability development currently outpaces the collective response to cyber crime. This ‘cyber arms race’ is likely to be an enduring challenge, and an effective response requires collaborative action from government, law enforcement, industry regulators and, critically, business leaders.
The NCA assesses that the most advanced and serious cyber crime threat is the direct or indirect result of activity by a few hundred international cyber criminals, typically operating in organised groups, who target businesses to commit highly profitable malware-facilitated fraud.
Although the most serious threat comes, directly or indirectly, from international crime groups, the majority of cyber criminals have relatively low technical capability. Their attacks are increasingly enabled by the growing online criminal marketplace, which provides easy access to sophisticated and bespoke tools and expertise, allowing these less skilled cyber criminals to exploit a wide range of vulnerabilities.
A ‘compliance approach’ that aims to meet minimum standards does not adequately deal with intelligent and evolving adversaries, as threats are evolving faster than most defensive technologies and security practices.