[dropcap]A[/dropcap]s incredible as it may seem in this hyper-connected, technologically advanced era, half the planet’s population exist as “financial nomads”—those who nourish and shelter themselves without using traditional banking services. While the wealthy live at the top of a metaphorical pyramid, taking financial security and banking services for granted, there are billions of people who struggle at the pyramid’s base in an exhausting state of financial exclusion and insecurity. Times are changing rapidly, but despite global uncertainty, technology has the capacity to reach and equip people in all walks of life. Advances in communications have reconfigured the ease with which we interact with our money-and these advances can provide innovative financial services to the unbanked and underserved around the world.
While widespread and ever-increasing automation at financial institutions has brought tremendous production and operational efficiencies in the industry, it has simultaneously given rise to cyber threats and attacks on transactions conducted through online branches, branchless banking and the internet; payment systems for intra/interbank settlement and credit information of consumers etc. are also at risk. Meanwhile, a large-scale hacking attack may involve stealing a company or an individual’s intellectual property; seizing and unauthorized usage of online bank accounts (leading to monetary loss); creating and distributing malware on the Internet (networks, computers, laptops, smartphones, tablets, smart TVs etc.) and illegally accessing and then disclosing confidential business information to the detriment of the firm’s reputation.
Financial institutions, a major constituent of the national critical infrastructure, are the key target for cyber criminals and malicious insiders because they are the richest source of intellectual property and offer direct access to monetary assets. The multi channel and distributed environment of financial firms offers a fertile ground for cyber crimes. However, the threat is not only from outsiders, as in many cases,insiders (with deep knowledge of security protocols) are also involved.
Globally, numerous institutions have faced multiple types of cyber heists and attacks over the last 15 years; these include AT&T, British Airways, Citigroup, Facebook, Gmail, JPMorgan Chase, HP, Saudi Aramco, Sony, etc. resulting in a loss of monetary assets, theft of confidential and intellectual information and disclosure of non public information etc. Because of the sensitivity of the damage and the consequential secrecy maintained by victims, many factors remain unknown and can only be guessed and based on reportedor alleged claims in the public domain.
In the wake of one of the largest cyber heists in history, hackers and cyber criminals were able to direct the Federal Reserve Bank of New York to transfer about US$1 billion from the account of the Bangladesh central bank in 2016. In the end, around US$81 million were transferred from the Bangladesh central bank’s account with the New York Fed to accounts in the Philippines through SWIFT. SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is a Belgium-based cooperative that is owned by 3,000 banks and bills itself as “the world’s leading provider of secure financial messaging services.” It is now used by 11,000 banks globally, every day and processes around 25 million communications that collectively account for billions of dollars’ worth of transfers.
As per multiple security analysts and experts, this breach happened through one or more threats such as:
- Insider help
- Weak systems or controls or procedures
- Exploited vulnerabilities
- Compromised credentials
This major cyber heist incident should be treated as an eye-opener and attention should be paid to the institutions automated business environment. Due to the rising global threat of cyber heists, breaches and disclosure of confidential information, all stakeholders, including financial firms, government authorities and customers must collaborate and stay vigilant and risk aware against combating emerging cyber threats, attacks and associated risks in constantly evolving threat and attack landscape.
Cyber defense mechanisms across institutions must be optimized and made proactive. These should be supplemented by the following provisions:
- Active and mandated IT Security or Cyber Security governance with consistent mindset and oversight
- Skilled and experienced IT/Cyber Security professionals (with globally recognized certification (s) preferable like CISSP, CISM, CRISC, CEH, GIAC etc.)
- Effective policies and procedures
- Defense in Depth or layered approach IT/Cyber Security Framework
- Accountable roles and responsibilities
- Strengthening controls and countermeasures
- Industry best practices and standards (COBIT, NIST, ISO, CIS, ITIL, PCI, DSS, OCTAVE, SABSA, FISMA etc.)
- Regular training and periodic risk assessment
In order to tackle the evolving cyber security challenges in combating internal and external cyber threats and attacks against institutions automated business environment, the following: Critical Cyber Security Controls for Effective Cyber Defense have been introduced by “The Center for Internet Security” (CIS) as an actionable, preemptive, conducive and enabling approach.
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- Continuous Vulnerability Assessment and Remediation
- Controlled Use of Administrative Privileges
- Maintenance, Monitoring and Analysis of Audit Logs
- Email and Web Browser Protections
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Data Recovery Capability
- Secure Configurations for Network Devices such as Firewalls, Routers and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
- Security Skills Assessment and Appropriate Training to Fill Gaps
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
[box type=”note” align=”” class=”” width=””]The writer is a Karachi based freelance columnist and is a banker by profession. He could be reached on Twitter @ReluctantAhsan[/box]