Tackling cybercrime - A shared threat needs a shared response

The cyber threat landscape continues to change at a rapid rate. As the Cisco 2017 Annual Cybersecurity Report *) notes, the dawn of the zettabyte era will see an explosive growth in speed, digital traffic, and mobile endpoints, creating “a broader attack surface with more choices of targets and approaches”.

By Rob Bening, global head of IT Security, ING


At the same time, under the revised Payment Services Directive (PSD II), banks must open up of their customer accounts and transactional data to a wider variety of third parties. These developments are creating an environment in which risk dynamics constantly change and require reassessment.

The identity of cyber attackers and their methods of operation also continue to evolve – as do the ways in which they can be defeated. However, it is clear that attackers are now able to stage cyber attacks with less preparation than in the past. It is now easier to attack via networks, not only due to the evolution of technology but also because of network effects caused by the interconnection of individuals and companies. As a result, the risks for everyone have increased.

Cybercrime activity and costs soar
The threat of cyber disruption affects every part of society; during the US elections there were fears that online voting systems would be hacked; in February 2016, hackers stole $81 million from the Central Bank of Bangladesh in an e-banking fraud (and tried to steal $870 million); and in December 2016, Yahoo disclosed that 1 billion of its user accounts had been compromised in the biggest data breach in history.

According to market analysts Juniper Research, cybercrime will cost businesses over $2 trillion by 2019. Behind this total are hundreds and thousands of affected companies. In 2015, research body the Ponemon Institute estimated that the mean annualised cost for 252 benchmarked organisations was $7.7 million per year, with a range from $310,000 to $65 million. Each attack has real implications: reputations are put on the line and business disruption is inevitable. The criminals care little for collateral damage and define targets in a ruthlessly efficient way.

Investing and partnering for innovative technology
Cyber security is a key concern for ING given the growing threat of crime. The security of clients’ assets is a primary objective for the bank, especially as recent attacks have shown that the larger transactions handled by investment and wholesale banks make them a more attractive target than retail banks. The objective for ING is always to stay one step ahead of cyber criminals and prevent threats from becoming crimes.

ING takes a multi-faceted approach to cyber security. In terms of technology, ING’s digital-first approach means that the safeguards deployed around assets change in line with the evolving threat landscape. The bank has developed security and communication monitoring capabilities that utilise behavioural analysis, machine learning and rules engines, and which have proved highly successful. ING is also partnering with fintech companies to build a framework to support security innovation within the bank.

A virtual team that bridges silos
Within banks and companies, it is essential to have a joined-up approach to cyber security. If compliance, anti-fraud functions and the cyber security function do not work together within an organisation, there is a risk that cybercriminals will slip through the gaps.

ING has responded to the increasing level of cyber fraud by creating a single virtual team, which reviews and addresses fraud prevention for the whole of ING Wholesale Banking. Regular weekly calls take place across geographies to ensure information is shared throughout the organisation.

Similarly, to ensure that clients receive the best service and security, ING has developed bank-wide systems rather than offering multiple platforms for different solutions and services. The development of a single platform means that clients can use one secure access ID to reach ING services, maximising security while minimising inconvenience. By overcoming the siloed approach to technology that is common in banking environments, gaps in data and information flow that can be exploited by hackers are eliminated.

Sharing knowledge is critical
While innovative technology is essential, ING regards knowledge – and sharing it with clients – as the bank’s first line of defence. Clients frequently approach ING for advice on how to safeguard themselves. ING is able to offer assurance regarding the bank’s controls and proactive approach to new threats. However, the bank also always emphasises that cyber security is a shared responsibility. The entire financial and corporate ecosystem – including banks, corporates, regulators and others – must play their part in ensuring a safe environment. Central to this approach is the sharing of knowledge.

As businesses and individuals become more digitised and inter-connected, new targets and methods of attack emerge almost daily: exploits such as zero-day vulnerabilities, malware on mobile and botnet using Internet of Things-connected devices are growing in magnitude and constantly evolving. Increased accessibility to knowledge on how to breach cyber defences is fuelling the volume of attacks. In response, ING publishes a Risk Radar, which highlights the changing risk picture and shares this information with clients: specialist teams also engage in face-to-face meetings to brief clients.

Other ING initiatives to share knowledge include awareness sessions to help clients understand fraud and cybercrime-related developments. ING’s fraud and cybercrime department recently held a joint presentation with London’s Metropolitan Police for clients. The event shared the latest insights from law enforcement and discussed collective ways to tackle cybercrime and the crucial role a ‘human firewall’ – an educated workforce alert to cyber threats – should play.

Working with the authorities and other banks
As well as sharing information with clients, ING recognises the benefits of working closely with regulators and across the banking industry in order to combat the threat of cybercrime.

Many regulators are now dramatically increasingly their focus on cyber security. For example, the UK government recently announced £1.9 billion to fund cyber security over a three-year period and has consolidated its resources into the National Cyber Security Strategy. Equally, many regulators are trying to mitigate systemic risk to the industry by introducing security benchmarks and regulator lead testing.

ING is engaged with multiple cyber security initiatives worldwide, including the Bank of England’s CBEST Vulnerability Testing Framework, and also works with De Nederlandsche Bank in the Netherlands, the European Central Bank and the Securities Industry Financial Markets Association in the US.

In addition, ING is a member of the Investment Banking Special Interest Group (IBSIG) for Information Security, which gives the bank a comprehensive shared view of the threat landscape. By sharing knowledge about emerging risks, threats, innovation and compliance with peers, ING’s senior management and bank strategy are kept fully up to date. Moreover, the sharing of information and best practice among peer banks provides a useful benchmark for ING to evaluate the strength of its own cyber security programme and identify areas for improvement.

The sharing of information about attacks and risk via IBSIG and other organisations is valuable, enables organisations to learn from each other and improves the maturity of the entire industry. However, the scale of the cybercrime challenge means that the industry must constantly work harder to develop and adopt common standards for threat sharing and communication.

Raising resilience across the ecosystem
The increasingly distributed nature of every firm’s data across the cloud and third-party services makes the ecosystem around businesses more open. Meanwhile, the advance of cybercriminals’ capabilities continues unabated. As a result, banks, companies and others must continuously look at ways of enhancing controls.

ING engages with clients constantly to keep them safe. The bank invests and collaborates with others to stay ahead of the curve in cyber security. Attacks target the weakest link in a chain of relationships. ING believes that its role in the ecosystem is to share its expertise with partners and work with clients, law enforcement, regulators and other financial industries. By doing so, the bank can raise the collective resilience of its community of clients and partners to the highest possible level.

*) https://blogs.cisco.com/security/announcing-the-cisco-2017-annual-cybersecurity-report