This is the first part of a three-part series exploring the rise and power of cyber-criminals; anatomy of cyber-attacks targeting banks; and defending a bank against cyber-criminals

Today banks are under threat from increasingly audacious and highly networked cyber-criminals attacking from within; exemplified by the February 2016 attempted theft of $951 million at Bangladesh Bank’s account with Federal Reserve Bank of New York (source).

Cyber-criminals are now behaving like determined, resourceful, and innovative adversaries – leveraging know-how, technology and insights to seek lower costs and higher returns. At the same time risk and security professionals at banks are still thinking primarily in terms of compliance. While banks do consider cyber-crime as a threat to their brand as well as profit-margins, it doesn’t take a rocket scientist to realise that mere focus on compliance is not going to keep the new cyber-criminals at bay.

The question remains whether banks are prepared and equipped to start understanding the cyber-criminals as intimately as the cyber-criminals are starting to understand banks?

Traditional security approach of banks has outlived its utility

Security has always been and will continue to be a major factor shaping how banks operate – after all keeping our money ‘safe for us’ is a core value proposition of a bank. Still there is no general consensus among concerned parties about what is important for banks when it comes to security. Part of the reason is evolving expectations of the many involved stakeholders – it is not just sufficient for banks to hold value safely in store; instead customers expect banks to enable more convenient and safer transfer of value while maintaining privacy. At the same time financial regulators expect banks to better prevent financial economic crime and reduce barriers to trade. When it comes to security, shareholders expect banks to retain customer trust and relevance. Finally, employees expect a more enriching work environment with greater autonomy over how and where they work.

Historically, driven primarily by stringent compliance, banks have evolved into conservative and segmented organisations with multiple layers of check and balance mechanisms and an over-cautious approach to change. This conservatism is also reflected in banking IT landscape in terms of reliance, to a great extent, on segregation, compartmentalisation, and audits for security – often leading to avoidable complexity. While so far this has served the banks reasonably well, it is precisely this approach to security that puts the banks at great risk – not just from cyber-criminals but also from innovative new entrants (FinTech’s), neither constrained by organisational or technology legacy and both exhibiting a strong drive to do whatever it takes to succeed.

Cyber-criminals are the new (dark) competition

Compared to regulators and competition from FinTech’s, cyber-criminals and cyber-crime threats are hard to understand. After all, criminals do not share business plans or publish results or invite outsiders to conferences. However, one thing is clear, they are after easy economic gain at the cost of banks.

Cyber-criminals also need to be exceptionally skilled at staying under the radar for as long as it takes because those that get detected early don’t survive. And like with drug resistance, ultimately ineffective security measures only help weed out the ill-equipped cyber-criminals leaving the potent to thrive and proliferate from target to target.

Ever since people learned to store grain for later consumption, plundering has been an attractive career choice for some. In over more than ten thousand years we have come a long way – today our most valuable possessions are stored as bits representing capital, ownership, and even relationships – and yet not much has changed when it comes to defending our modern barns. Deep wisdom condensed by Sun Tzu holds as much true today as it did twenty-five centuries ago – “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

To effectively protect against cyber-threats, banks need to start developing a working understanding of cyber-criminals; protect efficiently against known attacks; learn to identify and foil unknown attacks; and be prepared to respond vigorously.

While this sounds hard to do, surprisingly it is not any different from making sense of competition – analyse known actions of the opponents; access relevance and impact; make reasonable hypothesis about motives and resources; plan and execute counter-moves; and make adjustments as the play unfolds.

Source: Blog where Vikas Munshi publishes