Things are particularly bad among investment banks, which saw a tenfold increase year-on-year (from 3 to 34), and retail banks (from 1 to 25).
But it’s not as though cybercrime is a new thing in the industry. You might remember that in April 2017, seven British banks, including Santander, Royal Bank of Scotland and Barclays, were forced offline following a series of attacks.
Meanwhile, Tesco Bank was fined £16.4 million in October 2018 for failing to prevent a cyber attack that occurred the previous year.
Why have things got so much worse? And how can banks take back the initiative?
‘More threat actors’
The increase in data breach reports doesn’t necessarily mean that the financial industry’s cybersecurity measures are regressing. It simply means that banks haven’t invested in defenses at the same pace that crooks have spent on attacks.
A CISO at one UK bank told the Financial Times: “We are seeing a lot more threat actors knocking at the front door… it ranges from individual kids to, increasingly, the criminal fraternity and national states. You have to constantly improve to keep up and protect yourself.”
This mindset can be hard to accept because it shows how much the odds are stacked against you. Organizations need to be vigilant, continually looking for vulnerabilities and keeping up to date with criminal trends.
Crooks go to the same lengths, but they have a much higher margin for error. The consequence of a failed attack is negligible (it’ll cost them only time and resources), and it only takes one success for them to recoup their investment many times over.
As such, it’s practically impossible for any half-decent cyber criminal not to make money. The only thing stopping them is the possibility of being apprehended, and that’s, unfortunately, easier said than done.
According to Richard Breavington, head of RPC’s cyber insurance and breach response team: “We know that the number of cybercriminals prosecuted under the Computer Misuse Act is below 100 annually.
“When you compare that to the number of cyber crimes being reported across all industries, you can see that it’s a very lucrative criminal enterprise.”
The nature of cybercrime makes it incredibly difficult to bring perpetrators to justice. Criminal investigators are getting better at forensic analysis, in which they can trace an attack back to a specific computer or location, but crooks can obfuscate this information using botnets, which allow attackers to hijack a device and its connection.
Another problem is that the majority of attackers operate internationally, complicating the logistics of policing cybercrime. Proceedings will inevitably be slower when units from different countries must work together, and they can practically grind to a halt when those countries don’t have dedicated cybercrime units, which is often the case in eastern Europe, where many cybercriminals reside.
Assume that you’ll be breached
The picture we’ve painted so far is bleak, and it gets even worse when you factor in what’s actually at stake when it comes to cybersecurity.
The best-case scenario when implementing defenses is that you stop an attack before it does any damage. But that’s a short-term win, and it’s only a win if you consider keeping the status quo a victory.
After all, you’re no better off than before the attack. There’s no reward for thwarting a crook’s attempt, only the satisfaction of a job well done and the relief of knowing things could have been much worse.
But given the current climate, the idea that things could be worse is very much worth celebrating. There are simply too many threats, from the growing horde of cybercriminals to negligent employees and technological failures, for you to stay safe for long.
That’s why it’s essential to work with the assumption that security incidents are a matter of when, not if, while also remembering that they can be delayed through effective defenses.
That way you’re prepared for when an incident occurs and have realistic objectives. The aim shouldn’t be to avoid being breached, because that’s impossible.
Instead, you should be assessing whether you’re doing everything in your power to stay secure. In other words, is your cybersecurity budget appropriate to the size of your business and the threat you’re facing?
Banks should have proportionately tougher cybersecurity defenses than other organizations because they deal with financial information, which cyber criminals prize for its inherent value.
Unlike other forms of data, which are worth only what someone is willing to pay for them, financial information can be used to access funds directly. All crooks need to do is transfer and then launder the money, which they often do by purchasing and then returning gift cards or luxury goods.
This tactic has become increasingly popular in recent years, due to the changing economics of the dark web. With cybercrime increasing, there is more personal information for sale. The number of buyers has also increased, but not to the extent that supply has, meaning the going rate for personal data has decreased.
However, this is moot if you’re stealing payment card data, because you avoid the marketplace altogether.
Any organization that stores payment card information is, therefore, a prime target, hence the spike in attacks against banks in the past year. If those institutions are going to fight back, they need to react to the changing threat landscape and invest more heavily in their defenses.
Follow the Bank of England’s initiative
If you’re reluctant to overhaul or invest heavily in cybersecurity, look no further than the BoE (Bank of England), which recently admitted it needs to significantly improve its IT systems.
The statement was a humbling moment for the BoE, which criticized UK banks’ cybersecurity practices in June 2018. Nine months later, a Public Accounts Committee inquiry found that the rate of modernization at the BoE lags behind both the private and public sectors.
“Many of the Bank’s processes are overly complicated, inefficient and very costly to administer,” the committee said.
If there’s a positive to be taken from this revelation, it’s that the BoE is aware of its shortcomings and stated its intentions to improve its operations – something many other organizations refuse to do.
It also demonstrates the pitfalls of information security spending. Technology operations at the BoE cost £101.4 million in 2017–18 (of a total budget of £647 million), which seems excessive.
The BoE argued that it needs to invest heavily in IT, given that £600 billion passes through its systems each day, but conceded that its processes could be more efficient.
The most obvious room for improvement was in the “high levels of manual processes and legacy IT systems”, as well as the duplication of applications that occurred as a result of the BoE incorporating the Prudential Regulation Authority’s systems in 2014.
This shows cybersecurity spending isn’t simply a case of more equals better. It’s easy to say that you’re spending a certain percentage of your budget on defense, but that doesn’t say anything about whether the money is well-spent.
The problem often stems from processes being bolted on to existing systems. This can cause you to lose track of exactly what systems you have in place, with new processes being duplicated and old ones being made redundant.
This is often hard to see if you are evaluating your security systems purely on whether they meet their objective. The BoE’s systems, for example, did their job superbly. Last year, its services went down just 0.01% of the time, compared with 0.37% in central government.
However, that doesn’t necessarily justify the amount of money that was spent. The BoE admitted as much, vowing to make its systems more efficient both financially and for employees.
Can you improve your security defenses?
Find out how prepared your organization is for a cyberattack by taking our self-assessment questionnaire.
This five-minute survey quizzes you on your current set-up and identifies potential gaps that you need to address.
When you’re finished, we’ll show you how your organization ranks compared to your competitors and how you can improve your cybersecurity posture.