This is an interview with Mark Weir, Regional Director – UK & Ireland at Fortinet. Fortinet is a global cybersecurity firm based in California.
How real is the threat of cyber-attacks to the financial services industry?
Weir: Financial services are about as big a target as the cybercriminal community has, if the pure amount of attacks in 2016 is anything to go by. Due to the sensitive nature of its data and the value it holds for the cybercriminal community, it will likely remain in the crosshairs moving into 2017 and beyond. As the attacks grow in both number and complexity, financial institutions will have to prepare to better detect and mitigate threats in order to protect their organisation.
What is the level of understanding of cyber risk in financial institutions?
Weir: Whilst financial institutions are generally quick to adopt new technologies, every large retail bank is still hamstrung by legacy infrastructure and applications. To address that, they need to start examining their technology from a base level. This means understanding which platforms are under threat and ensuring they are fully up to date with security patches. But that is just a first step. What banks need to ensure is that they build upon that initial perimeter defence and start putting a ring around key applications. It is web applications that have long been favourite targets of hackers because they have access to valuable information and they are relatively easy to exploit.
Is enough being done across the industry to protect against cyber-attacks?
Weir: Industry players, their partners, big players in other verticals and vendors: all of them have little pieces of the jigsaw making up the bigger picture of protection against cyber-attacks. Only by them all being more co-ordinated and collaborative will defence be on par with the levels of attacks. Cybercriminals are certainly very well-organised, well-funded and well-regimented. They also benefit from having more time to prepare their attacks than those defending, so a more co-operative partnership between sectors, where organisations share intelligence, is key to counteracting the threats.
As cyber threats are continuously evolving, what can financial institutions do to stay ahead of the curve?
Weir: Cyber threats evolve continuously, much like a fashion collection. Last year, Distributed Denial of Service (DDoS) attacks were in vogue and financial institutions are scrambling to ensure applications are protected from a DDoS point of view and ensure that the perimeter is fully patched and up to date. This way they can mitigate financial loss resulting from customers being unable to access their accounts and make online transactions.
And yet this can’t be done at the expense of more granular layers of application level security. Even if a hacker gets through those perimeter layers, there must be protection at the application level, for services such as checking your balance on a banking application. Cybercriminals can be hiding malware at this level, behind what would appear to most people to be legitimate requests.
It’s important to ensure a fully comprehensive response, as cybercriminals will already be working on the next big thing to attack your organisation.
What should the role of regulation be in ensuring that the FS industry is cyber resilient?
Weir: Banking is heavily regulated, and rightly so, but sometimes banks can wrongly go down the path of simply trying to meet compliance. That can all too easily become a minimum standard for security. It becomes a tick-box exercise. But the issue is, it may or may not be what is actually required for a particular application. Banks need to go on a security journey that is not only cost-effective and helps them towards compliance goals, but this journey first and foremost needs to be pragmatic. Cyber threats change on an hourly basis and cybercriminals are a moving target. Meeting the minimum standards of compliance can only go so far in helping financial institutions combat them.
In the past few years, we have seen increasing levels of collaboration between large financial institutions and fintechs. What security considerations should banks and insurers have in mind when looking to work with fintech start-ups?
Weir: Large financial institutions are always looking at new ways of fixing problems and fintech start-ups can provide innovative solutions to these issues. However, security forms part of a bigger business consideration which needs to be made when collaborating with a start-up. The future for that particular organisation needs to be considered heavily. A financial institution may build a strategy based on a particular start-up’s technology but you need to make sure they’ll still be in business for years to come. Is there a likelihood of them going bust?
Another consideration is their global footprint. There may be some areas of the globe in which you may not want to work and do business. Do they have a footprint in the right geographic locations, and do they have security operation centres in the geographies you operate in? We should embrace new ideas and new technologies from new companies, but also consider the security implications.
What are the most exciting trends in the cyber security sector?
Weir: Due to the sensitive nature and value of the data associated with it, the financial sector will undoubtedly remain a top target for cybercriminals in 2017. Whilst typically the finance industry has lagged behind other industries when it comes to moving data to the cloud, we expect to see more and more financial services institutions making the move. We have already seen some large banks and organisations making the move to public cloud providers such as Amazon Web Services (AWS) and Microsoft Azure. But they shouldn’t forget basic principles around the security of public clouds, and whether or not they have the ability to audit these services.
In 2017, we should also expect malware to get smarter. At the moment, malware can hide in a device or a network, but it is only programmed with a specific objective. A hacker simply points it at a target, and hopes that it will accomplish its goal. But now, threats are getting smarter and adapting to operate autonomously. We should expect malware designed with adaptive, success-based learning to improve the success and efficacy of attacks. The new generation of malware will be situation-aware, meaning that it will understand its environment and make calculated decisions based on this, such as evading detection, choosing methods of attack and identifying targets.
How do you think the tech landscape will have changed in 5 years’ time: will the FS sector be more cyber resilient?
Weir: The FS sector is gradually starting to move towards the cloud to deliver the best customer service it can. Some organisations are moving entire systems and platforms to the cloud whilst others are opting for a hybrid approach. In five years’ time, I expect that a large majority of organisations will be operating in the cloud. With this increased migration, security is imperative, and with it come many more factors to be considered when selecting a cloud security vendor. Data security, scalability, visibility and control as well as openness are necessities to be kept in mind in order to protect data, and mitigate reputational damage which can be devastating for any FS institution.
However, it’s important to note that the threat landscape from the last two years is unrecognisable now, and predicting the next big innovations in tech is impossible. In the cyber security industry, the fast-paced environment means that 5 years is equivalent to 20 years in any other industry! We will be more cyber resilient if we find better ways to communicate with other organisations and sectors and put data security at the heart of this.
If you could give one piece of advice to a financial institution on its cyber security strategy, what would it be?
Weir: For all financial institutions, every application and the data held within it is important, but it’s up to them to understand and prioritise what is important to customers. The trust financial institutions have with customers is critical to preserve brand loyalty and their reputation in the industry. They should build a security strategy around that trust, and the data held within their organisation.
If they don’t have an understanding of this, they need a plan to get there. In order to make this plan, organisations should pull together key stakeholders in the business, not just from IT and security but from all lines of the business. If the IT function acts in a silo, without insight from other departments, this can lead to making an application which is unsuitable for particular use cases. This is why Line of Business representatives across departments need to be present in security workshops in order to create a high-level plan which all stakeholders can buy into. This is a problem which is particularly faced by financial institutions: the larger the business, the more difficult it is to have these kinds of meetings to ensure that everybody is on the same page when it comes to cyber security.