Banks—It’s Time To Start Talking To Each Other, Say UK Police
Published: May 01, 2017
Author: John Loveland
For a city founded by the Romans, London doesn't dwell on its past. You'd have to dig deep (literally) to find any physical remains of the Roman presence, but traces of the capital’s history sit alongside today’s skyscrapers and electric buses as its busy inhabitants rush by without a second glance. The best example, perhaps, is the narrow and complex web of medieval streets in the City—the capital's former heart and London's modern financial district.
Last Thursday, 200 security professionals from the City’s banks, law enforcement, and cybersecurity industry met to discuss 21st-century crime at Mansion House—an 18th-century building, full of Victorian statues of Greek and Roman heroes, and located at the junction of medieval streets.
Banks and other financial institutions are attractive targets for cyber criminals. Compromise a bank’s security and you’ll likely have access to money, or at least sensitive information you can sell on the black market. Aside from that, because they are often well defended, hacking a bank carries great kudos amongst hackers. Indeed, a recent study by the National Crime Agency suggests that young people are attracted to cybercrime not for the financial reward, but for bragging rights.
Peter Goodman, deputy chief constable at Derbyshire Police and national lead for cybercrime, opened by explaining how UK police forces are cooperating on an international, national, regional and local level to counter what he called “a tier 1 threat to national security”. On the positive side, Goodman said that this cooperation was some of the most joined-up policing in the country, but stressed the importance of private sector organizations reporting incidents, saying that current cyberattack levels are “right at the extreme” of what law enforcement can tackle alone.
This was echoed by his colleague from the City of London police, David Clark, the national lead for fraud. He encouraged banks to tell police if they had been breached, because it’s in the interests of the wider industry. An attack on one bank has an effect that goes beyond that one institution. He gave the example of a jigsaw puzzle: without the final piece, the picture doesn’t make sense, and it could be a bank who’s holding on to that final piece.
If the event had a common theme, it was that collaboration is key to making strides in financial cybersecurity: collaboration between organizations, collaboration with law enforcement, and collaboration with umbrella organizations like the Global Cyber Alliance and the Cyber Defence Alliance. The latter’s director Maria Vello warned that: “Our adversaries are outpacing us in every way, and unless we work together and collaborate, we are not going to be effective against the global and systemic problem of cybercrime.” For that, the private sector has a vital role because it has “the best information, bar none.”
And just how big is that problem? We’ve just released our tenth annual Data Breach Investigations Report, a study of tens of thousands of security incidents across the globe, and we can tell you that nearly a quarter—24 percent—of all breaches affected financial organizations.
This year, for the first time, the report has in-depth sections on key industries, with financial services being one. We recommend downloading the report, but here are some interesting takeaways:
- Six percent of incidents involved internal threat actors.
- 88 percent of security incidents involved denial of service, web applications or card skimmers.
- Hackers look to steal personal credentials above banking credentials. Perhaps they are aware of the breadcrumb trail left behind when transferring money and would rather use personal information for other fraudulent activity.
At the event in London, Peter Goodman made a striking comparison between “old” and “new” crime. A traditional bank robbery would have netted the perpetrators around £25,000, if they were lucky, and carried the extremely high risk of getting caught, not to mention the need for violence and the difficulty of executing the raid. Today, someone with high-school computer science skills can carry out a bank robbery from the comfort of their bedroom to the tune of £1.3 million, with a much lower risk of being prosecuted.
To make cybercrime riskier for the perpetrators, law enforcement needs your help. Here are three things you can do today to help both your organisation and the wider industry.
- Know your enemy. Download Verizon’s 2017 Data Breach Investigations Report, learn about the changing risk landscape, and understand your vulnerabilities.
- Cooperate. Information shared is a powerful shield. All speakers at the event understood that banks often fear reputational damage for disclosing breaches, but stressed that they treat all disclosures with the strictest confidence. Visit the websites for the Cyber Defence Alliance, the Global Cyber Alliance, and the National Cyber Security Centre to find out more.
- Take responsibility for what you can control. If you’re reading this blog, chances are you have a better understanding of cybersecurity than most. Get the basics right, like protecting all of your own accounts and devices with strong passwords, the right levels of encryption, two-factor authentication—the basic stuff. Then, if you have responsibility for security in an organization, educate! If you’re a business in the UK, the government-backed Cyber Essentials certification is a good place to start.
John Loveland is the Global Head of Cyber Security at Verizon. He is a seasoned technology industry executive and leader who has experience working with public, private, and start-up companies and governmental agencies. John has led global teams in the delivery of cyber security, data privacy, compliance, e-discovery, and enterprise content management solutions for clients.