Cybercrime has soared during the pandemic – not least because, with many employees working from home, banks and their customers have become more vulnerable to attacks. Abi Millar speaks to Yuval Illuz, group chief information security officer of Standard Chartered Bank, who explains how banks can defend themselves against the new and rapidly evolving risks.
Over the past year, we have seen an unprecedented shift in working practices. Remote working, previously a minority pursuit, became the norm almost overnight, with the majority of white-collar workers now doing their jobs from home.
Much ink has been spilled over the benefits and drawbacks of this shift – whether you love your home office set-up or are itching to get back to physical meetings really comes down to personal preference. However, remote working comes with one definitive disadvantage for organisations: the increased risk of cyberattacks.
“In June last year, about 70% of our 85,000 staff across the world were working from home,” says Yuval Illuz, group CISO of Standard Chartered Bank. “This means we are more digitally connected than before. As a result, we now have a much larger and complex attack surface – where employees operate in different locations, from different networks or outside of the organisation’s perimeter and on both corporate and personal devices.”
Simply put, remote working creates all kinds of security weaknesses that opportunists can exploit. Home devices may be more vulnerable to malware, secure file sharing isn’t always secure enough, and home users may engage in riskier behaviour (including sharing devices with family members) than they would in the office.
On top of that, individuals are spending longer on their devices than they did pre-pandemic, and more customers have migrated to online banking. Taken together, these shifts pose significant new risks. The pandemic itself, as an emotive subject, has also created opportunities for malicious actors.
“Cyberthreat actors are capitalising on the sentiments arising from the pandemic by disguising as legitimate Covid-19-related emails or applications,” says Illuz. “They are tricking individuals into disclosing their personal information and credentials that allows them to gain unauthorised access to networks, or to make financial gains.”
A key example is vaccine-related phishing campaigns, in which scammers send a text or email inviting the recipient to get their vaccine. One such message, purporting to be from the NHS, asks the recipient to click on a link, before asking them for their bank card details.
A perfect storm
All this has created a perfect storm of dangers, and led to a drastic rise in cybercrime. According to research by McAfee, cybercrime costs are expected to top $1trn for the first time in 2020, a 50% rise on 2018 and over 1% of global GDP.
Other research, from VMware Carbon Black, found a 238% increase in cyberattacks between February and April 2020, along with a ninefold increase in ransomware attacks. What’s more, the sophistication of these attacks has increased since the start of the coronavirus pandemic.
“Cyberthreat actors are increasingly opportunistic in leveraging emails, instant messaging platforms, short message services and websites to support their malicious activities and reach end-users and businesses,” says Illuz.
“Some cybercriminal groups have also moved their infrastructure to the cloud to hide among legitimate services. They are taking advantage of organisations and people’s propensity to do good during times of crisis to encourage them to make mistakes.”
We might think of coronavirus charity scams, in which bad actors pose as a charity or person in need in order to solicit donations. Illuz adds that organisations have become more susceptible to polymorphic phishing attacks, in which a bad actor modifies the phishing email slightly to evade detection by automated network security measures. These emails sometimes slip through to end-users and the likelihood of compromise is higher.
During the first wave of the pandemic, Google said its systems detected 18 million malware and phishing Gmail messages a day, plus 240 million spam messages, all relating directly to the pandemic. It also flagged up “more than a dozen” attacker groups backed by governments, which were using Covid-related themes as bait.
“From January to April 2020, our Cyber Defence Centre noted a significant increase in cybersecurity incident reports – the lion’s share of those were suspected phishing incidents, of which some were confirmed Covid-19 themed phishing emails,” says Illuz.
What is to be done?
So what can financial institutions do to defend themselves and their customers against these new cybersecurity risks? At any rate, it is clear they are taking the threat seriously, with many ramping up investment in the field. According to a study by Deloitte, financial institutions spent an average of $2,700 per employee on cybersecurity in 2020, up from $2,300 in 2019. This is mirrored by work at specific banks.
In November, for instance, Lloyds Banking Group announced it had introduced a £500m technology project to enhance protection against hackers. Through improving its two-step verification process and providing branch staff with the latest technologies, the British lender hopes to make it harder for malicious actors to hack customers’ bank accounts.
NatWest, meanwhile, has partnered with two companies, Featurespace and Malwarebytes, to protect its customers against fraud. Featurespace develops enterprise financial crime prevention software, while Malwarebytes provides advanced cybersecurity solutions for online banking.
Standard Chartered, for its part, has invested in a start-up called Secret Double Octopus that offers multi-factor authentication without passwords. The idea is that business users can log into their system via techniques like facial recognition. This cuts the costs associated with repeated password changes and tightens security – passwords are responsible for 81% of breaches, according to Verizon.
The bank has also been using tools like machine learning to enable better screening of suspicious activity and has increased its virtual private network (VPN) capacity by 600%.
“The bank aims to look at the business from a ‘threat-led’ lens to reduce the impact of new and increasing cyberthreats,” says Illuz. “We do this by identifying critical assets and sensitive data; determining the value cybercriminals could gain; exploring how these assets and data are currently stored and accessed; and pinpointing potential weaknesses and implementing resolution plans.”
This said, he believes technology and processes are just one piece of the puzzle – while a predictable world can be effectively mastered with algorithms, a messy world requires human input. “Even the most stringent of plans are only as effective as the resilience of our first line of defence – our employees,” he says. “We continuously strengthen our ‘human firewall’ through training and awareness. We have also steadily increased our communications with our clients to keep them abreast and allow them to stay vigilant against the fast-evolving cyberthreat landscape.”
The so-called ‘human firewall’ – a group of employees coming together to follow best practices – has been a point of weakness for many organisations during Covid. One commonly used tactic is the ‘spear phishing’ scam, in which an individual employee is targeted directly. They might receive an email, supposedly from their CEO, which asks them to make payments or supply sensitive information.
To fix this problem, many banks are training a broader base of employees than they did before, with a greater emphasis on remote cyberthreats. “With a significant number of our people working from home, we now communicate and collaborate online more than ever,” says Illuz.
“Therefore, we need to work harder to ensure the tools used meet the stringent security standards. Continuous upskilling and reskilling of our talent to bridge the cybersecurity talent gap will continue to be a priority as we focus on enhancing our human wall against cyberthreats.”
Aside from these very practical, day-to-day concerns, Illuz also thinks Covid-19 has occasioned a larger shift in the way we look at cybersecurity. The emphasis is moving away from preventative ways of managing risk (preparing for an incident before it occurs) and towards reactive ways of managing risk (adapting instantly to incidents).
“2020 has taught us that the path to an overall stronger cybersecurity is agility,” Illuz explains. “This means having a more flexible cybersecurity architecture, helping our technology teams easily deploy the appropriate network controls. It also means investing in operational resilience as we grow trust and loyalty with our clients. And it means implementing a multi-cloud strategy, which enables us to better withstand the next threat to business continuity and prepare for the multiplicity of unknowns we faced all of last year.”
A zero-trust model
Ultimately, then, Illuz thinks we are moving towards a zero-trust model, in which organisations are viewed less as a single entity and more as part of a wider ecosystem of different parties (including partners and cloud service providers, among others). Zero trust is what it sounds like – a security concept predicated on the belief that you should not trust anything inside or outside your organisation. All users must be verified before access is granted.
“The same applies for solutions we implement, or apps we write – the zero-trust model will need to be embedded from the start,” says Illuz. “The challenge in doing this is how we keep our clients at the heart of it all – balancing a user-friendly experience with the complex requirements of various enhanced security practices.”
While we have no way of anticipating what lies beyond the pandemic, it would be safe to assume that today’s cybersecurity risks aren’t going to fade away as we all get vaccinated. Threats will continue to evolve, and the risk landscape will remain dynamic and dazzlingly complex.
Banks, in other words, will need to be vigilant if they want to quash tomorrow’s threats. They will also need to embrace this new reality as it is, rather than harking back to outmoded models of defence. “A survival mindset views disruptions as point-in-time crises to be addressed with the expectation that the organisation will revert to business as usual once the crises are over,” says Illuz.
“To be future fit, we need to adopt a thrive mindset that recognises that disruption is continuous rather than episodic and embraces disruption as a catalyst to drive the organisation forward.”
This article originally appeared in Future Banking summer 2021.