The payments industry must be wary of vulnerable tech builds as cyber threats are predicted to increase, according to a director of incident management at the UK National Cyber Security Centre.
“From our experience seeing some less mature organisations possibly, one of the things that we’re worried about at the moment is some of the organisations that have built up tech decks over the last few months from having very rapidly built themselves working from home solutions,” he said on a P20 conference panel including speakers from JP Morgan, American Express and FIS this week.
“Understandably they prioritised getting the system up and running and getting their staff able to work, potentially over some of the technical details that they should now be backfilling,” he said.
But other market participants believe the payments sector is well placed to fend off attacks. Michael Papay, executive vice president, information security, American Express, said he felt confident in the industry’s ability to handle additional pressures from the pandemic.
“I think financial services in particular were well prepared for this type of event. Because there’s been a lot of travel, a lot of people work from wherever – all we had to do was scale the systems. It didn’t make us any less secure by going to a work from home environment in my mind. It was simply a scaling to make sure that the operational needs were being met,” he said.
Spikes in online scams, phishing and disruptive malware during the pandemic have been reported by various organisations. In an August report, Interpol stated that a further increase in cybercrime is “highly likely” in the near future as vulnerabilities arising from a large portion of the population working from home will continue to be exploited.
According to Kara Hill, chief information security officer at FIS, while consumers expect their service providers to protect them, protection against cyber threats is a concerted effort between the private and public sectors.
“[Customers] want to hear from us, they want to hear from the private sector as they are the clients of those businesses … And then the public would be looking beyond that to make sure that we were coordinated in a response with local and potentially national governments as necessary, but it’s really about the service providers and the companies that you’re purchasing that service from and the payment card from.”
JF Legault, global head of security operations, JP Morgan, agreed.
“It’s a shared responsibility model where you’ve got the organisations that need to own the relationships with their customers, but also partnering with a number of organisations to ensure that there’s trust that’s happening. So each organisation could have different impacts – I think it’s important they’re in a position to communicate them more broadly, but there’s an element of trust that needs to come from the governments, from the regulators that they’re doing the appropriate oversight to resolve the issue.”
According to Legault, governments, regulators and private institutions need to move beyond sharing “indicators of concern” and analyse tactics and procedures employed by adversaries as a group – a process which is difficult to share, he said.
“You have a number of organisations that are looking to improve the sharing mechanisms around this and make that communication between organisations much more effective.”