With work practices transformed by the COVID-19 pandemic, the finance industry has an urgent need to address the associated rise in cyber vulnerabilities. A recent SWIFT webinar explored the need for organisations to turn towards technology, cooperation, and build a cyber-aware internal culture to manage and defend against institutional payments fraud in the new normal. The webinar participants were:
- Guy Sheppard, head of Asia Pacific Financial Crime Compliance Initiatives at SWIFT.
- Jay P. Spreitzer, SVP, APAC Region Information Security Lead at Wells Fargo Bank.
- Claire Hatcher, head of Business Development at Kaspersky Fraud Prevention.
- Simon Viney, Cyber Security Financial Services Sector Lead at BAE Systems Applied Intelligence.
Today's cyber picture
Cyber threats are not going away. Instead, this cat-and-mouse game is becoming harder to detect, as the COVID-19 pandemic has become a catalyst for cybercriminals to innovate and accelerate their attacks. With more employees than ever working outside the secure office environment, cyber vulnerabilities have grown. Organisations need to constantly re-evaluate their cybersecurity policies and procedures to keep these evolving attacks at bay.
Among the most difficult attacks organisations and banks face is institutional payments fraud, where cybercriminals look to gain illicit access to an institution’s systems and steal large sums of money undetected.
“The problem with institutional payments fraud is not as simple as analysing threat actors at the highest level, as the pandemic has also brought about financial strain to a whole new level of participants," said SWIFT's Sheppard. "Whether it is nation-state sponsored, highly organised and sophisticated cybercriminals injecting frauds into the systems, or individuals trying to fraudulently gain government grants, the attack surface is dynamic and constantly growing.”
Working remotely and managing new threat vectors
With many organisations employing work-from-home initiatives, security processes need to be re-evaluated. Working from home has made it easier for cybercriminals to conduct spear phishing campaigns that target individuals within companies and gain access to secure systems. Furthermore, with remote onboarding and meetings now an everyday occurrence, cybercriminals are adapting their methods for account impersonation and takeover, challenging banks that were not digitally enabled ahead of the pandemic. Capable of faking video and audio, criminals are changing their modus operandi to compromise areas of the work environment that were previously thought to be secure.
Cybersecurity’s new normal
As organisations shift towards using more sophisticated technology to better defend themselves against cyber threats, there will be parallel development on the criminal side, where technology is used to improve their processes and automate their attacks. Bots are now becoming sophisticated enough to bypass even biometric anti-fraud solutions. While these attempts can still be detected, it is more important to consider the human element at each stage of the cycle.
“Technology is able to help reduce attacks from the systems and processes between organisations," said BAE Systems' Viney. "However, fraudsters are now also realising that if they cannot directly attack the systems, then they can just target the end customers, tricking them into making what appears to be an authorised payment. Unfortunately, that has been successful, and customer education has a role to play in addressing that.”
Cybersecurity employee hygiene practices
With the business’s secure perimeter now extending to employees’ homes, employee education and understanding are of equal importance to technology in the fight against the latest threats. The goal for businesses and organisations is to find that critical balance: ensuring that the right technology is in place to secure internal processes, while the human element is also addressed.
As most employees are still working from home, employers need to assist them in staying vigilant and making sure that a cyber-aware mindset is cultivated. Running internal tests and programmes was put forward as a good way to gauge cyber awareness in organisations. Through simulated phishing emails and a series of internal security accreditation programmes, employees can learn to be more careful with their data, ensuring that they still follow the right operating procedures despite very different circumstances.
“Your employees are either your strongest or your weakest link, and that’s why it’s important that we send these internal emails and checks," said SWIFT's Sheppard. "Data and metrics that are measurable help us to track gaps in our processes, and make sure we improve.”
“We developed a threat intelligence portal that authenticated team members can log into," commented Wells Fargo's Spreitzer. "It has basic general information on threat activity, some analysis of how it impacts us, and areas that the team needs to be aware of tied to that.”
Organisations play a huge role in assisting employees with strong cyber hygiene practices. Through daily reports highlighting the threat landscape, awareness of current issues can be kept front of mind, ultimately staving off potential attacks and threats to the organisation via its employees.
Fraud prevention as a community effort
The fight against cybercriminals must become a collective effort, and the onus of security falls across all organisations. Cybercriminals share information among themselves, across different geographies and channels, to improve their methods of attack. It is up to organisations to also become more effective at information sharing to form better defences against these new threats.
In the past, there have been concerns about information sharing between competing organisations due to the fear of providing competitive advantage to rivals. There are also legal implications of sharing threat information between different organisations to consider. However, it is important for organisations to remember that the only opposing parties in this battle are the criminals themselves, and there is no legal implication to sharing threat information on a threat actor that has launched an attack against the organisation.
“Knowledge sharing, among peer groups and across the board is critical," noted Kaspersky's Hatcher. "The only people we’re fighting against are the fraudsters themselves. By sharing information, it helps us all tune our own risk models, and learn from different verticals. The only way to get access to learning how varying industries protect and react against threats is through intelligence sharing and discussion.”
Future of cybersecurity
Moving forward, the banking and financial sector should prepare for new attack vectors. Cybercriminals are going to continue innovating and automating their attacks, possibly employing artificial intelligence together with robotics to scale more aggressively.
The webinar made clear that the responsibility for cybersecurity falls on everyone. From employers to employees, strong cybersecurity practices must be set in place and grow alongside threats, putting a stop to cyberattacks before the damage becomes irreversible.