Cybercrime – A Threat And An Opportunity
More choice, greater convenience and new possibilities are at our fingertips in the era of the touch screen and the smartphone. These tools give banks and other companies the opportunity to understand their customers better and to serve them anywhere, at any time.
But these tools bring new challenges. It is estimated that there are 1,000 cyber attacks every hour in the UK, many, though not all, of them aimed at the financial sector. Attacks are often motivated by financial gain, for example obtaining customer credentials in order to defraud them. Some are purely malicious, such as denial-of-service attacks that stop customers logging on to their online accounts; others are designed to probe a company's defences, to identify weak points or as a prelude to a more serious attack.
Cyber-fraud is big business, and increasingly it is the province of professional criminals. Losses due to professional cyber-fraud are believed to run to millions of pounds. Identity fraud is particularly concerning, with thousands of people affected every year. Fraudsters use increasingly sophisticated techniques, and as one avenue of attack is closed down or made more difficult they open up another. The convenience that digital tools offer has to be weighed against the growing need to keep banks, companies and their customers safe. But as technology creates new opportunities for banks and companies, it also creates opportunities to improve security, both online and in more traditional forms of commerce. And improved security can itself deliver competitive advantage.
Low hanging fruit
Fraudsters go for easy targets. If there are obvious weak spots in a company's digital security, they will exploit them. Cybercrime ranges from attempts to compromise an entire business's operations to simple scams that exploit the trust of customers and staff. Obvious protections include:
- maintaining up-to-date anti-virus software;
- regularly testing firewalls and anti-virus software;
- enforcing sensible policies for password strength and protection;
- physical security and asset tracking for servers and for mobile hardware such as laptops and memory sticks;
- keeping operating systems and office applications patched and up to date;
- setting robust rules for staff on access to external sites, downloading from the internet and use of removable media, with penalties for non-compliance.
And there are some less obvious ones, too:
- monitoring usage and transactions for unusual patterns and events;
- monitoring network activity in both directions: inbound for intrusion attempts, and outbound, which is where stolen data leaving the organisation and malware "calling home" show up.
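The monitoring items above are where detection work usually starts in practice. The following Python is an added example, not code from the original article or from any of the bodies it mentions: it runs three simple rules over a constructed transaction log (payment to a new beneficiary that is far above the account's established spend, a burst of payments in a short window, and activity from two countries closer together in time than any plausible journey). The log lines, the field names, the `country` field and all thresholds are assumptions for illustration.

```python
"""Simple transaction-monitoring rules over a constructed sample log.

Rules (thresholds are illustrative assumptions, not figures from the article):
  1. new_beneficiary_large: first payment to a beneficiary that exceeds
     new_payee_ratio times the account's average prior payment;
  2. velocity: velocity_n or more payments from one account inside velocity_window;
  3. impossible_travel: consecutive activity on one account from two different
     countries within travel_window.
"""
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    ts: datetime
    account: str
    amount: float      # GBP
    beneficiary: str
    country: str       # country the online session originated from (assumed field)


Alert = namedtuple("Alert", "rule account ts detail")

# Constructed sample log (CSV: timestamp,account,amount,beneficiary,country).
# Not real data: acct-001 shows a compromised-account pattern on 10 January.
SAMPLE_LOG = """\
2014-01-06T09:02:00,acct-001,42.50,grocer-ltd,GB
2014-01-07T18:15:00,acct-001,18.99,grocer-ltd,GB
2014-01-09T12:40:00,acct-001,65.00,util-co,GB
2014-01-10T08:05:00,acct-001,30.00,grocer-ltd,GB
2014-01-10T08:06:00,acct-001,2400.00,new-payee-zz,GB
2014-01-10T08:07:00,acct-001,150.00,new-payee-zz,GB
2014-01-10T08:08:00,acct-001,150.00,new-payee-zz,GB
2014-01-10T08:09:00,acct-001,150.00,new-payee-zz,GB
2014-01-10T09:30:00,acct-001,20.00,grocer-ltd,RU
2014-01-06T10:00:00,acct-002,500.00,rent-co,GB
2014-02-06T10:00:00,acct-002,500.00,rent-co,GB
"""


def load(text: str) -> list:
    """Parse CSV lines into Txn records, skipping blank lines."""
    txns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, amount, beneficiary, country = [f.strip() for f in line.split(",")]
        txns.append(Txn(datetime.fromisoformat(ts), account, float(amount), beneficiary, country))
    return txns


def detect(txns, new_payee_ratio=3.0, velocity_n=4,
           velocity_window=timedelta(minutes=10), travel_window=timedelta(hours=2)) -> list:
    """Return alerts in the order they would fire, processing each account chronologically."""
    alerts = []
    by_account = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        by_account[t.account].append(t)

    for account, hist in by_account.items():
        seen_payees = set()
        prior_amounts = []           # baseline built only from earlier payments
        last_velocity_alert = None   # suppresses repeat alerts inside one burst
        for i, t in enumerate(hist):
            # Rule 1: a brand-new beneficiary receiving far more than the usual payment.
            if t.beneficiary not in seen_payees and prior_amounts:
                baseline = sum(prior_amounts) / len(prior_amounts)
                if t.amount > new_payee_ratio * baseline:
                    alerts.append(Alert("new_beneficiary_large", account, t.ts.isoformat(), t.beneficiary))
            seen_payees.add(t.beneficiary)
            prior_amounts.append(t.amount)

            # Rule 2: too many payments in the window ending at this transaction.
            recent = [u for u in hist[:i + 1] if t.ts - u.ts <= velocity_window]
            if len(recent) >= velocity_n and (
                    last_velocity_alert is None or t.ts - last_velocity_alert > velocity_window):
                alerts.append(Alert("velocity", account, t.ts.isoformat(), len(recent)))
                last_velocity_alert = t.ts

            # Rule 3: country changed between consecutive transactions too quickly.
            if i > 0:
                prev = hist[i - 1]
                if prev.country != t.country and t.ts - prev.ts <= travel_window:
                    alerts.append(Alert("impossible_travel", account, t.ts.isoformat(),
                                        f"{prev.country}->{t.country}"))
    return alerts


def run_sample() -> list:
    """Run the rules over the constructed log; used by the demo and by tests."""
    return detect(load(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Each rule is deliberately stateful per account rather than per transaction: the baseline for rule 1 is built only from payments the account had already made, and the velocity rule remembers when it last fired so one burst produces one alert rather than one per payment. Real deployments tune the thresholds per customer segment and feed the alerts into a case-management queue rather than printing them.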
New focus on companies
The financial industry has been the traditional target of cybercrime, but as financial institutions get better at security, fraudsters are turning their attention to easier targets, such as retailers.
Customers expect both physical and, increasingly, digital security from their banks: logging on to an online account should feel as secure as walking into a branch.
But customers in other sectors are perhaps less aware of the need for security in online transactions, and more irritated by inconvenient and time-consuming security checks. For example, a customer who regularly buys from the same website may store payment card details there without thinking about who might be able to access that data and what they could do with it.
Customers want the convenience of storing frequently used personal and financial data and expect companies to protect that data from misuse. And they want to be able to make online and mobile payments quickly and easily without intrusive and time-consuming security checks. The challenge for companies is how to protect themselves and their customers from digital fraud or data theft while providing the fast, convenient service customers have come to expect.
Tougher regulatory environment
Regulators are introducing new rules and guidelines specifically designed to combat cybercrime. They are also enforcing existing laws more strictly, and this affects not only financial institutions but also non-financial companies operating and accepting payments online.
Among the regulations are:
Data protection legislation
- Companies storing customer data in digital form are subject to UK and EU data protection laws. This includes websites that store personal and financial data for regular customers.
- Customers whose data is transferred outside the EU are entitled to the same level of protection as customers whose data remains within it.
- Compliance and reporting obligations therefore apply to any online site transacting with customers in the EU.
The FCA's thematic review of mobile banking and mobile payments
- Mobile banking and mobile payments are the newest areas of e-commerce. The FCA's welcome intervention requires banks and mobile payment providers to focus on security and customer protection as customers increasingly use smartphones to manage their accounts and to make and receive payments.
The EU's PSD2 proposals and the ECB's framework for internet payment security
- PSD2 is the proposed revision of the EU Payment Services Directive; together with the ECB's recommendations on the security of internet payments it forms a wide-ranging set of rules and guidelines covering all forms of payment, with the aim of protecting both companies and customers. It is currently under review at EU level and will in due course be implemented in UK law.
The Bank of England's CBEST testing framework
- CBEST uses threat intelligence from government and accredited commercial providers to identify the attackers likely to target a particular financial institution. It then replicates the techniques those attackers use in order to test how far they could penetrate the institution's defences, allowing the firm to understand where it is vulnerable and to prepare and implement remediation plans.
What do companies need to do to protect themselves?
Companies must stay aware of developments in their own sector: the one whose security lags behind its competitors will be the fraudsters' target. The following protection policies should be adopted:
- Build the capability to recognise risks and respond to them quickly and effectively. Think ahead – try to anticipate what fraudsters will do next and prepare for it.
- Develop in-house skills in risk management and security among technology staff.
- Provide all staff with general security awareness and “best practice” training.
- Have clear policies and practices to protect systems from external attack and to defend against both human error and insider crime. Develop clear, tested and communicated procedures for dealing with emerging threats.
- Be consistent across business lines. Different approaches to security from different areas of the business are frustrating for customers and may offer opportunities for criminals.
- View cyber-security as an opportunity as well as a threat. Companies that are recognised as strongly protective of customer data or innovative in security provision may be preferred by customers: Spain's sixth largest bank, for example, is attracting hundreds of customers because of its retinal scanning security technology.
- Aim to achieve a balance between convenience for customers and secure provision of services.
- Have ongoing, planned communications with customers about cybercrime to build their awareness. The user is usually the weakest point in any security system.
What are banks doing to protect companies?
In addition to protecting their own systems and customers from fraud, banks aim to help companies protect their customers. Measures introduced in recent years include:
- rolling out chip-and-PIN (EMV) cards in the UK and promoting the technology worldwide;
- working with retailers to improve awareness of the fraud risks arising from online and mobile payments technology;
- encouraging use of online verification tools such as Verified by Visa (Visa's implementation of 3-D Secure) and fraud detection software;
- providing advice and information to companies and their customers on good security practice with regard to transactions and payments;
- acting promptly and fairly to support companies and customers who are victims of fraud.
Fraud is costly to banks, companies and the UK economy in terms of money and, even more importantly, reputation. Banks are used to providing security in the physical world and are now on the front line against cybercrime as well.
January 2014: The ACT, along with other bodies including the ICAEW Corporate Finance Faculty and the UK Cabinet Office, was part of a taskforce that launched the guide Cyber-Security in Corporate Finance.