IBM Security leader talks political impact on Fintech
As a partner director within IBM Security Services, Corey Hamilton oversees IBM’s global financial services sector. That task includes overseeing the state of cybersecurity within banks, financial markets and insurance companies. His day-to-day role involves working with the C-suite of the global 2000 to enable their digital transformations through security programmes, enhancements, advancing their maturity, deployment of software technology and providing overall consulting services. Hamilton also has an internal role that sees him lead global practice within IBM.
How is the current political instability globally affecting cybersecurity and the rate of attacks in relation to FinTech?
You can't ignore the geopolitical climate of the Russian war in Ukraine. We've certainly seen various attacks within the financial space as well as within the government. Within Ukraine and Russia, banks have been impacted on both sides or within both countries. We've actually seen some of the largest distributed denial of service attacks ever reported due to this kind of political instability.
We have not observed widespread retaliatory attacks against the West or the Western financial banking system due to the wars. But we have certainly seen an uptick in general organised crime.
The onslaught of attacks is no longer immature people in basements. These are highly functional organisations that are focused on organised criminal activities within the cyber realm.
There is also the political climate of inflation as a result of the COVID-19 era. The political instability, as well as just the global economic landscape we're in, has certainly been a ripe environment for more impactful breaches, by an increase in the amount of breaches that we're seeing.
The fintech and banking industry has become far more interconnected over the past two years. What’s your take on open banking and embedded finance in terms of the levels of vulnerability to cyber attacks? Have these innovations made things easier for cyber criminals?
In terms of open banking and embedded finance, organisations are implementing these largely driven by customer demand. Increasing the availability and the ease of processing transactions is an opportunity for organisations to grow market share and to better serve their customer.
It has certainly been a challenge when it comes to securing that for a couple of reasons. One, through open banking, when you open up through the use of APIs, customer data and potential processing data, there is a risk that as it becomes more open, you are by nature giving others access that traditionally would not have it. The fintech space, through open banking, was pushed down through regulations. Many fintech providers are not regulated or certainly not regulated to the same level that traditional banking organisations are.
Essentially, you've got startup organisations that really grow from nothing within a matter of weeks. And they're successful because they've got a new tool, a new process, something that's very quick and easy - and can enable that customer journey. They're concentrating on speed to market and the ease of the solution.
Well, if you've got speed and you've got ease that doesn't necessarily make it the most secure thing. And typically, these organisations, fintech providers, are providing applications, are providing software, but they're not security companies.
You can either have it [success] very quickly, but ease of use and security might be lacking. It's a delicate balance that we're seeing where fintech, certainly due to the limited regulatory requirements for controls, may not have the same level of security or practise the same protocols and rehearse the same scenarios as a more traditional banking institution would.
IBM recently released the Cost of a Data Breach Report. It states that a year after the Biden administration issued a cybersecurity executive order that centres around the importance of zero trust to strengthen the nation's cybersecurity, only 21% of critical infrastructure organisations studied adopted a zero trust security model. 17% of those critical infrastructure breaches were due to a business partner being compromised, highlighting risks that over-trusting environments pose. What does this mean for businesses going forward, especially in light of the expansion of the IoT and digital ecosystems?
This year, the 2022 Cost of a Data Breach, is our 17th year of releasing this report. On that topic of the Biden administration cybersecurity executive order pushing for critical infrastructures and zero trust, I'll say that the critical infrastructure is a wide bucket.
It's not just financial services. It's also healthcare, manufacturing and energy. The financial services industry probably makes up a majority of that 21% that have adopted a zero trust model. Financial services has traditionally had the most to lose. Since the beginning of banking, they've always had a currency, they've had that money. Attackers go where the money is. It's only been within the past decade or so that the IoT devices have begun to create data.
But data is the wealth that everybody's after. That's the new currency of the 21st century. As far as the expansion of the IoT and the digital ecosystem goes, it is certainly a concern… This is an opportunity to get security right. Traditional organisations, via the buildup of the internet, made the connections, and then added security on after the fact.
Now, as organisations are joining the cloud through the use of regulated clouds or industry specific clouds, security is built in through design.
The challenge is that other critical infrastructures that are less mature (such as healthcare, manufacturing and energy) as those legacy IoT systems come online, we're going to see a significant jump in the overall security posture of those organisations because of the shift from legacy infrastructure, which was never meant to be connected online, is now moving to cloud. Therefore, having integrated security by design, along with regulated cloud structures.
So what type of breaches are most likely to occur specifically within fintech at this time and possibly going forward?
In terms of cybersecurity, fintech is one of the areas that's probably going to see the most success. But the most popular method of infiltration is phishing - and that is going to continue to occur. As people join some of the new fintech technologies, they may not be as familiar with how that organisation reaches out to them. A simple phishing email that reads: “Hey, this is such and such org. Just want to confirm that... Please respond back with your account number and passwords so we can ensure that this transaction goes through”, is very common.
Stolen and compromised credentials are absolutely a concern with organisations because they may not have a very robust security programme. The security personnel could be one or two personnel working within that fintech. Cloud misconfiguration is certainly a concern for fintech too.
In terms of ransomware and malware, that is a concern. We've seen instances where ransomware attacks have occurred, although I wouldn't say fintech is any more susceptible to a malware or ransomware attack than a traditional bank.
What percentage of US fintechs are doing enough to protect themselves? How are they doing it? And, what is the key thing that is going to fortify those companies, especially going forward?
So the US is probably a little bit unique in that 97% of the US population is serviced by community banks. These are the very small local credit unions, banks - not the big four, the Bank of Americas and so on. These are organisations that have smaller maturity programmes that are traditionally a little bit slower to integrate various technologies, whether that's online banking, mobile banking. Often, these organisations lack the staff and expertise to build their own offerings. So they rely on a fintech provider to deliver those services.
Because they rely on an external fintech provider, there are concerns that if there is a vulnerability or an issue with the software, they will certainly be more influent or more impacted than a more robust or larger banking organisation.
Are they doing enough? Fintechs don't have the scalability that a traditional bank may have. So in the event that there is a breach, there is a stronger likelihood that it'll take longer to identify, and longer to contain.
What, at this point, would make a serious difference to the financial industry, given the raised threat levels?
An iterative zero trust framework is particularly important in this space, given the hybrid cloud environment and distributed workforce. Assuming least privilege, implementing multi-factor authentication is absolutely critical.
I'll also call out the need for a defined, documented incident response plan and ensuring that incident response plan is rehearsed both through some sort of tabletop exercise or a more immersive cyber range experience.
Understanding third party risk specifically around software is absolutely critical. There is also the need to quantify cyber risk.
The report highlights the specificities of a cost of a data breach, and by implementing risk quantification, it really allows an organisation to put those limited resources to the projects, to the initiatives that are going to buy down or reduce that cost. Those are the recommendations or the takeaways that I strongly recommend to the fintech and to the banking industry.