Pandemic creates new attack opportunities for cyber criminals
Recent cyber-crime trends show that criminals have been creative in exploiting emerging vulnerabilities and opportunities. To set up effective and resilient defence, banks need to build an integrated leadership driven cybersecurity hinged on technology, intelligence and collaboration.
Pandemic induced global economic downturn and unprecedented disruption in operations impacted most businesses adversely in 2020 but not the cybercriminals. If some thought that a global pandemic would wane cyberattacks, they were certainly proved wrong. Cyber-crime incidents not only increased significantly but criminals also advanced the sophistication of their techniques to exploit the emerging new vulnerabilities and gaps in the systems.
Key emerging trends in cyber-crime
Organised and well-funded criminals: The threat landscape has evolved rapidly over last few years and is now dominated by perpetrators that are sophisticated, well-funded, organised and in many cases even state sponsored. Tensions between nations and geopolitical situation can also have a bearing on cyberattacks. The cost of attacks has reduced and cybercrime is also offered in the industry as a service now. Leading attacks include malware, ransomware, and distributed denial of services (DDOS).
Increasing risk from interconnected systems: There is a rapid shift to digital systems, contactless payments, interconnected systems with open banking ecosystems and growing number of smart devices. The pandemic has further accelerated digitisation and shift towards open ecosystems. All these offer potential new entry points to fraudsters and expand the threat perimeter for institutions. 5G technology is likely to result in higher data volumes from more connected devices, a challenge that institutions need to prepare for.
Pandemic creates new opportunities for cyber-attacks: Innovative criminals rapidly adapt to the changing industry trends and security measures to target the most vulnerable. As institutions have had to resort to remote work arrangements and operate from virtual offices during the pandemic, these create new avenues for attacks by criminals and new COVID-19 related attack themes appeared. In May 2020, the US Federal Bureau of Investigation (FBI) reported that number of the daily cybercrime incidents received by its Internet Crime Complaint Center increased by almost fourfold since the beginning of the coronavirus pandemic. In 2019, it had reported an average of 1,300 cyberattacks complaints daily and a significant loss of over $3.5 billion by individuals and businesses.
The increase in devices connected through networks expanded the attack surface along with security gaps in remote working environment which contributed to data thefts. There was also a spurt in phishing, fraud email, business email compromise and home network attacks that resulted in the theft of personal data and credentials as banks face the challenge of securing remote working environment.
Ricky Woo, executive director and chief information and security officer (CISO) at DBS Bank Hong Kong shared, “The biggest threats we are facing right now are phishing attack, distributed denial of service (DDoS), ransomware and how to secure ourselves from the new norm, where we work from anywhere.”
The targets were not just financial institutions but also scams that prey on people and ransomware attacks on institutions, including hospitals. Although targets remain multisectoral, the exposure level of institutions’ sensitive processes increased significantly, as did the intensity and volume of attacks.
“There are several scams around the virus. For example, cloned government websites in UK take advantage of the people and phishing attacks asking for donations to steal the credentials. In addition, there are risks with people working from home, using personal devices to go onto corporate system and their WiFi may not be as strong as they think,” said Graeme McGowen, director of cyber and security risk at the Optimal Risk Group, and CISO of The Global Cyber Academy.
And it is not difficult to find the expertise and tools to commit sophisticated attacks.
“With increase and sophistication of cyber-attacks, the correlation between unemployment and cybercrime must never be ignored. Due to the current pandemic crisis, a segment of population with digital skills, is (or will be) subject to turn toward the darker side of the digital economy”, commented Stephane Nappo, global CISO at Group SEB and former international retail banking global CISO at Société Générale.
Recent cyber-attacks show that criminals are evolving techniques
Figure 1: Recent cyber-attacks against financial institutions in 2019-2020
Evolving techniques: Malware attacks and use of botnets to penetrate systems continue to increase. In addition, there have been growing incidents of ATM malware, cryptocurrency thefts, higher intensity DDOS and ransomware attacks in the financial industry. Criminals are also targeting vendors and third-party suppliers to institutions.
Data security continues to pose challenges: Inadequate data security remains a key issue across sectors with multiple data leaks being reported every year. While credential abuse attacks using botnets target to steal credentials to gain access to systems and steal data. Internet security report by Akamai reports that the company observed over 100 billion credential stuffing attacks between July 2018 and June 2020, over 60% of these are targeted on retail, travel, and hospitality.
Data remains a key target for attackers and the data breaches continue unabated across sectors
Figure 2. Biggest data leaks reported in 2019-2020
Rethinking cybersecurity and building effective defence
An integrated approach: An effective cyber defence requires top management driven and integrated initiatives across the organisation, spanning people, process and technology. Technology security needs to be accompanied with converged teams and platforms, customer education and training. A rethink towards an integrated approach across systems, data, departments and stakeholders may be required for effective security.
“It is important to remember that cyber security is not an IT issue, it is a boardroom issue and the CEO of any financial institution has to take the responsibility for this. The institutions need a stronger, awareness, training and education programme”, pointed out Mc Gowen.
With the growing prevalence of interconnected open ecosystems, Woo emphasised the importance of governance structure and processes to review partners and third-party risks.
Cyber resilience practices: The cyber-resilience of many institutions still depends on the level of their security hygiene basics and ability to link external sources of alert, with internal detection-reaction mechanisms. Emerging new methodology to manage cybersecurity is predicated on ‘zero trust’ in defending perimeter and granting access.
Shift to the home office paradigm requires banks to strengthen their identity and access management while the tokenisation and anonymisation of data ensures that it is masked. Biometric and device intelligence are being used increasingly by banks to improve authentication and account verification. A bank in India set up specialised channels for micro level monitoring as a large section of its workforce is accessing its systems from home.
Nappo warned that one of the main cyber-security vulnerabilities is complacency among management that assume that such risks don’t exist. However, at the other end of the spectrum management may also spread its resources and capability too thinly if it attempts to stop all potential risks regardless of materiality and impact. He recommended, “Fix the basics, protect first what matters for the business and to be ready to react properly to pertinent threats”.
Threat intelligence: Banks also need to strengthen data security and proactive preventive measures including data integration, behaviour monitoring and threat intelligence. It requires close monitoring and extremely fast reaction to any anomalies. Artificial intelligence (AI) and machine learning based fraud intelligence and real time controls are proving to be effective in threat intelligence.
For example, Ping An Bank collects internal and external intelligence using modeling and knowledge map technology, and multiple correlation analysis as part of its vulnerability and threat assessment. It implemented a platform that improves the overall automation in risk, audit and compliance management, and access to extensive internal and external database that result in greater efficiency of early warning and faster response to emerging external vulnerabilities.
Ambank in Malaysia implemented an end-to-end fraud and cyber security risk protection and management solution to analyse data across channels, products and sources. While many other banks in the region are investing in AI to improve their threat intelligence.
“AI can figure out threats in real time in transactions and stop payments in its track, provide better screening to reduce operational level of frauds as well as from a regulatory point of view enable a much smoother ride” commented Shrey Rastogi, senior payments strategist at Temenos.
Besides these, a critical success factor for the effective cyber-security is greater information sharing and industry collaboration. It not only helps to recover funds faster in case of an attack but enables proactive prevention of such events occurring in the first place. It is equally important to remember that humans still remain the weakest link in the chain and therefore user education will continue to remain a cornerstone of cyber-defence.