How to Move From Cyber Risk to Business Resilience

By Madhvi Mavadiya | 21 April 2016

Yet again, cyber attacks are the banking industry’s top target - and this was emphasised at this year’s SWIFT Business Forum, where industry professionals came together to discuss the challenges that the traditional financial sector is facing. With trust being such a fundamental part of most of our lives now, financial institutions need technology to be secure and reliable, as well as ready for when an attack might occur. However, with the ever-changing and adaptive characteristics of hackers, it is difficult for banks to manage day-to-day demands and build defences that work.

Director of Security at Payments UK, Craig Rice, highlighted that the interesting part of defending against cyber threat is in the working out - “like long division,” Rice said. “Risk is adaptive, much like Space Invaders, and we now need a different approach to what we’ve had. One that is intelligence led and threat centric, so we can concentrate on recovery.” Rice acknowledged that this is a difficult problem, but we have moved from the first step of authorisation, to competition, to collaboration and soon, we will move further forward beyond collaboration to federation.

“Cyber security is as much a tech problem as it is a people and process problem. We cannot continue to look for technology fixes when people are the attackers,” William Brandon, CISO for the Bank of England, said. Brandon went on to say that most attacks start with a change in the engineering of a company, like phishing, but we can mitigate cyber risk by leading people and managing processes. Elements of cyber security need to be emphasised at a higher level so that all employees realise the importance of good governance, which will, in turn, result in good patching and better organisation.

“There is change occurring in the security space, but it is not actually security people driving this change. The bad guys who are behind these attacks are innovating all the time,” Brandon said. Security companies are trying to drive response to these external responses, but the threats are coming through different factors and that is because hackers are getting better at attacking through tech. Rice then used the analogy of the Red Queen from Lewis Carroll’s Through the Looking Glass to portray how financial institutions have to run as fast as they can in order to just stay in the same place.

As hackers are innovating at a rapid rate, banks are having to do the same, but the challenge lies in getting the balance of risk right, as there are other risks within the business to be considered. Brandon stated that whenever we see an airport security queue, we always say that we could do without this, but in reality, this would be very dangerous because of the risk. “A financial institution’s ability to protect data and information is part of their competitive edge. The public only know about a firm’s data when there is a breach, but that is changing now.”

Rice added that when you are travelling on the London Underground, the number of adverts for cybersecurity products that you see could mean that the corporate security sector is lagging behind. While this could be happening, it must be said that the defenders are finally waking up to the threat and are doing something about it, with programmes like the cyber accelerator, Cyber London (CyLon).

Cities like London have fully recognised that the future lies in technology, which is why the big tech giants are investing heavily in security, because trust is paramount, as Brandon said. “The future is in the Internet of Things and this needs to be trusted and secure, otherwise the public will not use it. Financial institutions are also under pressure to strengthen security, some of which is regulatory pressure.”

Stephen Gilderdale, Managing Director, UK, Ireland and Nordics at SWIFT posed the question of compromising on collaboration if cyber threat became too big a problem, which is a continuing debate among banking professionals and fintechs. Brandon reiterated that “cyber attacks are one of those crimes for which the victim is often blamed and we must be sympathetic, but it is also their responsibility.” Rice said that cyber hygiene was of the utmost importance and his advice was that you should “start flossing your system more than you are.”
