In the recent science fiction film Inception, protagonist Dominic Cobb infiltrated his victim’s dreams to gain access to business secrets and confidential data. He would then use this knowledge to influence things in his (or his client’s) favor. Cobb’s success depended on his ability to manipulate victims through greater understanding of their human vulnerabilities. Just like Cobb, cyber crime perpetrators begin by identifying their targets’ vulnerabilities and gathering intelligence required to breach their systems. Armed with this intelligence, they navigate their targets’ complex systems, establish covert presence and often remain undetected for a long time.

It is clear that the growth in cyber crime has continued, if not accelerated, in the financial services industry. U.S. financial services companies lost on average $23.6 million from cybersecurity breaches in 2013, which represents the highest average loss across all industries. This number is 44% higher than in 2012, when the industry was ranked third, after the defense and utilities and energy industries. While this trend is not to be ignored, these actual losses are sometimes not meaningful to firms’ income statements. The potentially greater impact from cyber crime is on customer and investor confidence, reputational risk and regulatory impact that together add up to substantial risks for financial services companies. A recent global survey of corporate C-level executives and board members revealed that cyber risk is now the world’s third corporate-risk priority overall in 2013. Interestingly, the same survey from 2011 ranked cybersecurity as only the 12th-highest priority.
In Inception, although Cobb succeeded in conning most of his victims, he faced stiff resistance from Mr. Fischer, whose strong automated self-defense mechanisms jeopardized the attackers’ plans several times. However, every time Cobb’s team faced an obstacle, they persevered, improvised and launched a new attack. Real-life cyber attacks are, of course, far more complex in many ways than the challenges and responses between Cobb and Fischer. That said, the film does provide an interesting analogy that in many ways illustrates the problems that financial services companies face when dealing with cyber crime.
The interplay between attacker and victim is, indeed, a cat-and-mouse game in which each side perpetually learns and adapts, leveraging creativity and knowledge of the other’s motives to develop new offensive tactics and defensive postures. The relatively static compliance or policy-centric approaches to security found in many financial services companies may be long outdated. The question is whether today’s industry can create a dynamic, intelligence-driven approach to cyber risk management not only to prevent, but also detect, respond to and recover from the potential damage that results from these attacks. As such, transformation into a secure, vigilant and resilient cyber model will have to be considered to effectively manage risks and drive innovation in the cyber world.
The evolving cyber threat landscape
Although cyber attackers are aggressive and likely to relentlessly pursue their objectives, financial services companies are not passive victims. The business and technology innovations that financial services companies are adopting in their quest for growth, innovation and cost optimization are, in turn, presenting heightened levels of cyber risks. These innovations have likely introduced new vulnerabilities and complexities into the financial services technology ecosystem. For example, the continued adoption of Web, mobile, cloud and social media technologies has likely increased opportunities for attackers. Similarly, the waves of outsourcing, offshoring and third-party contracting driven by a cost-reduction objective may have further diluted institutional control over IT systems and access points. These trends have resulted in the development of an increasingly boundary-less ecosystem within which financial services companies operate, and thus a much broader “attack surface” for the threat actors to exploit.
Cyber risk is no longer limited to financial crime
Complicating the issue further is that cyber threats are fundamentally asymmetrical risks, in the sense that oftentimes small groups of highly skilled individuals with a wide variety of motivations and goals have the potential to exact disproportionately large amounts of damage. Yesterday’s cyber risk management focus on financial crime was — and still is — essential. However, in discussions with our clients, we hear that they are now targets of not only financial criminals and skilled hackers but also increasingly of larger, well-organized threat actors, such as hacktivist groups driven by political or social agendas and nation-states seeking to create systemic havoc in the markets. An illustrative cyber threat landscape for the banking sector suggests the need for financial services firms to consider a wide range of actors and motives when designing a cyber risk strategy. This requires a fundamentally new approach to the cyber risk appetite and the corresponding risk-control environment.
The speed of attack is increasing while response times are lagging
Threat actors are increasingly deploying a wider array of attack methods to keep one step ahead of financial services firms. For example, criminal gangs and nation-states are combining infiltration techniques in their campaigns, increasingly leveraging malicious insiders. As reported in a Deloitte Touche Tohmatsu Limited (DTTL) survey of global financial services executives, many financial services companies are struggling to achieve a level of cyber risk maturity required to counter the evolving threats. Although 75% of global financial services firms believed that their information security program maturity is at level three or higher, only 40% of the respondents were very confident that their organization’s information assets were protected from an external attack. And that is for the larger, relatively more sophisticated financial services companies. For mid-tier and small firms, the situation may be much worse, both because resources are typically scarcer and because attackers may see them as easier targets. In a similar vein, the Snowden incident has perhaps increased attention on insider threats, as well.
Multipronged approach can supplement traditional technologies that may now be inadequate
Given that 88% of attacks are successful in less than a day, it might be tempting to think that the solution may be found in increased investment in tools and technologies to prevent these attacks from being successful. However, the lack of threat awareness and response suggests that more preventative technologies are, alone, likely to be inadequate. Rather, financial services companies can consider adopting a multipronged approach that incorporates a more comprehensive program of cyber defense and response measures to deal with the wider array of cyber threats.
Financial services firms have traditionally focused their investments on becoming secure. However, this approach is no longer adequate in the face of the rapidly changing threat landscape. Put simply, financial services companies should consider building cyber risk management programs to achieve three essential capabilities: the ability to be secure, vigilant and resilient.
— Enhancing security through a “defense-in-depth” strategy
A good understanding of known threats and controls, industry standards and regulations can guide financial services firms to secure their systems through the design and implementation of preventative, risk-intelligent controls. Based on leading practices, financial services firms can build a “defense-in-depth” approach to address known and emerging threats. This involves a number of mutually reinforcing security layers both to provide redundancy and potentially slow down the progression of attacks in progress, if not prevent them.
— Enhancing vigilance through effective early detection and signaling systems
Early detection, through the enhancement of programs to detect both the emerging threats and the attacker’s moves, can be an essential step toward containing and mitigating losses. Incident detection that incorporates sophisticated, adaptive, signaling and reporting systems can automate the correlation and analysis of large amounts of IT and business data, as well as various threat indicators, on an enterprise-wide basis. Financial services companies’ monitoring systems should work 24/7, with adequate support for efficient incident handling and remediation processes.
— Enhancing resilience through simulated testing and crisis management processes
Resilience may be more critical as destructive attack capabilities gain steam. Financial services firms have traditionally planned for resilience against physical attacks and natural disasters; cyber resilience can be treated in much the same way. Financial services companies should consider their overall cyber resilience capabilities across several dimensions. First, systems and processes can be designed and tested to withstand stresses for extended periods. This can include assessing critical online applications for their level of dependencies on the cyber ecosystem to determine vulnerabilities. Second, financial services firms can implement good playbooks to implement triage for attacks and rapidly restore operations with minimal service disruption. Finally, robust crisis management processes can be built with participation from various functions including business, IT, communications, public affairs and other areas within the organization.
For the full report on which this article is based, click here.
Kevin Bingham is sharing this excerpt on behalf of the report’s authors, his colleagues Vikram Bhat and Lincy Francis Therattil. They can be reached through him.