By Steve Rickards, Barclays
To respond to the growing threat to client, customer and employee information – and to stay one step ahead of cybercriminals – it is important to take an inclusive approach that fosters cooperation with other financial institutions, as well as law enforcement agencies.
Cybercrime: a new game with different rules
The figures are telling: with 3.17 billion active internet users out of a global population of 7.35 billion, the world is moving online. It is a trend that is also being reflected in the way that banks and other financial institutions offer their services.
Customers and clients demand an online service that offers privacy, security and convenience. Mobile banking in particular is a rapidly accelerating trend, not only here at Barclays, but right across financial services.
There are currently 3.7 billion unique mobile users worldwide, and this figure is set to grow to 4.5 billion in the next few years. And while all of this means new markets and opportunities for banks and other financial institutions, it also means greater scope for cybercrime.
A whole new world
Cybercrime differs from traditional crime in several key respects. One of these is sheer scale: in the online world, crime is offered much like any other service – the opportunity is there for anyone to engage in criminal activity on the web.
As customers and clients increasingly go online to do their banking – with convenience, privacy and security their main demands – banks and other financial institutions are simultaneously facing an inexorable rise in cyberattacks.
Similarly, the volume of cyberattacks is staggering: malware is proliferating at a rate of 158 new instances per minute – that’s 227,520 every day – so just keeping up is a full-time job.
Meanwhile, unlike in the physical world, there is no geographical proximity between crime and perpetrator in the cyberworld. National borders and measures are no longer relevant, and cybercriminals leave little trace behind them.
Our response: protect, enable and innovate
Barclays are investing in, and implementing, a raft of innovative measures, led by Troels Oerting, our Group Chief Information Security Officer.
We are responding to the threat in three ways: protecting information wherever it is stored; enabling the development of the best possible products for the privacy, security and convenience of our customers and clients; and innovating to take security to the next level, rather than just providing more of the same.
We also set priorities according to the different types of threat and their potential impact. These range from mainstream attacks, such as Trojans, ‘vishing’, ransomware and invoice fraud, to advanced persistent threats (APTs) and attacks by insiders.
According to Oerting, law enforcement is now a whole new game, with different rules. The traditional role of the state in crime prevention and reduction is based on ‘the three Ps’: protect, prevent and prosecute. But with organised crime moving from the physical world to the deep web – the 96% of the internet not visible or publicly accessible via search engines – prosecution is almost out of the question.
At Barclays, we work closely with law enforcement agencies. But we also recognise – like other financial institutions – that we cannot rely on the authorities alone to combat cybercrime. As the owner of huge data libraries, we have a responsibility to protect the privacy of our customers, clients and employees – a responsibility we take very seriously.
Expect more not less
Cybersecurity is not only about responding to current threats. It is also about staying one step ahead of cybercriminals.
Today’s incidents, yesterday’s strategies
As digital channels continue to evolve, cybersecurity has become a business risk rather than simply a technical risk.
The increasing frequency and sophistication of cyberattacks mean that this is something which requires constant monitoring. Firms not only need to build defensive resilience to such attacks but also need to have the capability to recover quickly from the impact of a successful breach. The impact and scale of cybercrime mean that it cannot be tackled solely through traditional law enforcement methods; it needs focus and commitment from financial institutions and businesses themselves.
In the fund industry, advice from regulators and industry professionals suggests that executive managers need to ensure that a fund’s board has an agreed approach toward the unique risk profile of their organisation and that there is a sound knowledge of IT management and governance throughout the institution.
It is also advised that there should be relevant procedures for incident response and event management and a sound understanding of access controls and network security. Businesses also need to ensure that correct procedures for vendor management and disaster recovery are in place.
Keeping one step ahead of cybercrime
One way to tackle these issues head-on is with a specialist administration team tasked with addressing cyber risk. This team would be trained and regularly updated on cyber-threat management and able to advise on establishing some or all of the following measures:
- Implementing anti-spam and antivirus software and processes
- Ensuring spam and potentially infected emails are stopped before they get to employees
- Using a centralised in-house payment processing system – rather than proprietary online systems – to reduce online exposure
- Developing close working relations with banks to aid early identification of, and reaction to, any potential challenge
- Maintaining dynamic incident response plans with a high-quality protocol for the speed and quality of the decision-making process
Education the best form of defence
Technological advances have changed and continue to change the way we work; change is constant and increasingly rapid, but the genie cannot be put back in the bottle. Many training programmes are available, including the Barclays Digital Driving Licence programme, which is free to all and contains specific modules that can help keep your teams aware.
The best protection for all is to ensure our teams are educated at all levels to be better able to recognise the challenges that they may face.
You can read the other articles from Ipes' Private Equity update (edition 21) at the following links: