A New York Times article last week examined in depth what those of us in financial services security already know to be the case – that within banks the fight against cybercrime now closely resembles a war.
“This is not that different from terrorists and drug cartels,” says Matt Nyman, the leader of Mastercard’s digital command center, in the article – and he isn’t wrong. Often we hear about script-kiddies and lone hackers who are just breaking into networks for fun or to prove they can. However, the reality is that most cybercrime – especially in the financial sector – is orchestrated by sophisticated criminal gangs. These gangs are organized and attack institutions on multiple fronts, hundreds of thousands of times a day. And they only have to get through once.
With an estimated minimum of $445 billion lost to cybercrime last year, and the Treasury Department recently designating cyberattacks as one of the greatest risks to the financial sector, it is no surprise that banks are adopting an increasingly militarized approach.
Former government spies and counterintelligence officers have been given some of the top jobs in the industry, and they’ve brought their techniques with them: digital combat exercises, intelligence hubs, and threat analysts monitoring the web.
In the article, this is further confirmed with Bank of America’s CEO saying that his cybersecurity team is “the only place in the company that doesn’t have budget constraint.” And it is especially encouraging to see financial services organizations collaborate on digital combat drills and developing procedures to help each other, behavior that has definitely not been the norm in a hyper-competitive industry.
UK Banks Urged to Innovate
However, on the other side of the pond, the director of supervision at the Financial Conduct Authority (FCA), Megan Butler, has urged UK banks to take more innovative approaches in the fight against cybercrime and fraud – suggesting a very different cybersecurity environment.
Butler said that, while banks are spending more than the UK prison system on fighting crime, they have been slow to roll out the latest technologies because they were afraid of backlash from regulators. She urged that financial institutions would, in fact, be judged on the outcome of their tools, not on how much they spend on them.
Choosing the Battleground
When it comes to technological adoption, there is a military tactic that both US and UK banks should adopt to give themselves the advantage against cybercriminals: moving the battlefield to ground they know best.
With the pervasiveness of online banking, banks collectively must allow millions of unmanaged endpoints to connect to their web applications – for the explicit purpose of conducting sensitive financial transactions. A common approach in securing the transactions has been to ensure the endpoints are free of malware – but it has become utterly apparent that this is simply a battle they cannot win. It’s a battlefield that’s littered with mines – banks can’t rely on customers to install security software, it’s an inconvenience to the users when they do, and its effectiveness against modern threats is questionable at best.
Some banks have given up on malware-free endpoints, assume that fraud will happen as a result of compromised customer endpoints, and just rely on fraud-detection solutions to help them identify when it happens (after the loss has occurred).
But what innovative banks have realized is they have a huge advantage over cybercriminals in that they control the conduit for each online banking session, which means the battleground belongs to the good guys. Banks have learned it’s irrelevant if an endpoint has been compromised by malware, as long as the malware can’t access the information it needs to do harm. This means that by simply placing the focus on protecting the transaction stack, a bank can render cybercriminals’ malware useless.
Moving the battleground to the transaction stack is exactly how Protector Air operates. To learn more, click one of the buttons below.