If a bank’s network security is breached, the bank stands to lose more than money. Certainly some attacks from cyberspace are intended to defraud banks, but when hackers try to steal sensitive customer data or bring down a bank’s website, the harm to the financial institution’s reputation is just as damaging as any loss of money.
In the past year, banks have become the focus of protests that have sometimes resulted in attempts to paralyse their online services. This was the case with the actions of online activism group Anonymous, which was behind Operation Payback, an attack that brought down the website of a bank that had frozen funds held by WikiLeaks founder Julian Assange, and also threatened online payment service PayPal.
It is testament to the growing number of network attacks that there has been no reduction in cyber security investment since the global financial crisis began. The growing spend on network security is a firm indication that banks are taking all threats seriously and acting to maintain the financial services industry’s good track record in mitigating these risks.
"It used to be the case that in hard economic times security was cut back, but our leadership values this form of security too highly for that to happen," notes Tim Hind, head of intelligence at Barclays Bank (Global Retail Bank – Technology). "Investment in it has risen over the past few years."
The investment is needed because the nature of the cyber attacks is constantly changing, and banks must remain agile and proactive.
"I look at things from a retail bank perspective and there are some big threats out there, and they are evolving all the time," he says. "Hackers want to defraud banks, but they also target customer data."
Plagued by denial
Hind also notes that the industry witnessed a big rise in denial of service (DoS) attacks towards the end of 2010. DoS attacks are attempts to make online computer resources unavailable to their users, often by sending a huge number of external communication requests to the target server, which becomes slow or even paralysed by the sheer volume of traffic. DoS attacks consume so much of the server’s resources that it cannot respond and may have to reset. Websites become inaccessible and, from a bank’s perspective, all online transactional and information services might shut down.
Hind warns that such an attack is not just an annoyance for the customer trying to access online services.
"From a regulatory perspective, such an attack could have serious consequences," he says. "A bank could lose its licence if its electronic services are down for more than 72 hours. Then there is the damage to reputation to consider. We operate in 60 countries worldwide, so this is a global threat.
"DoS tools have been made available online by groups like Anonymous, so this is the big threat now. Such an attack could mean that customers could not rely on a bank’s online services. Fortunately we have not had any successful DoS attacks yet."
The increase in DoS attacks is just one reason why cyber security is still very much on the agenda of the financial services industry.
"The industry is very aware of the threats and there have been some high-profile events that have been widely reported in the media, but it is doing its best to deal with them," says Hind. "Threats are always evolving, whether they are in the physical world or the virtual world, so we must anticipate those threats and adapt our technology to defend against them.
"That said, there are some threats that appear so suddenly and evolve so fast that we have to be able to respond quickly," he adds. "There is a wide range of measures that we can use, not just software. We need to be good security practitioners in the round, which means focusing on people, processes and technology."
Collaboration is the key
Increasingly, cyber security is one area in which banks are starting to work more closely together.
"Collaboration is making a huge difference, especially with new and evolving threats," remarks Hind. "The endgame might be different for each kind of attack – the originator might be after money or they might be after customer data – but the tools and methodologies of the attacks are the same. So, it is important to share information within the banking sector and beyond. We also talk to government and the military about cyber security issues."
There are formal information-sharing networks in place, with vetted members, to enable better collaboration. Through them, banks can look at what has happened in the past, what lessons can be learnt and how threats might evolve in the future, in order to develop proactive countermeasures.
"There is a consensus that collaboration is the way forward," says Hind. "There are some good initiatives supported by government because no one can work in isolation. This is a global industry and the tools used for attacks transcend borders. The value of information sharing is that it has enabled us to take measures to save on cost and protect our customers, and there have been tangible results from the process.
"We must embrace new technology to ensure that we have the best level of service and we must have the right people to work on technology processes. Security must be at the heart of the agenda for all business decisions. I have been very heartened by the way competitors are willing to share information and experience. It is very encouraging and the industry has got tangible results from it."