Clearswift: From customer to competitor: Mitigating the financial sector’s chief threats
CTO at Clearswift, Dr. Guy Bunker, discusses his views on the top threats to finance and how to mitigate them.
Recent reports show that cyber-attacks on the financial services sector rose fivefold in 2018, and in April 2018 seven of the UK's biggest banks suffered major cyber-attacks that forced them to reduce operations or even shut down systems. The cyber threatscape is ever-evolving and financial institutions are being targeted by cyber-criminals in new ways due to the increasingly significant value of financial data. It is therefore vital that financial institutions are not only aware of the rising threats from malicious cyber-criminals but also go above and beyond to secure their critical data.
Today’s cyber-criminal is unlikely to be an individual, but is more likely to be part of a gang of highly trained people who will buy and sell the information they collect on the dark web, as well as information on vulnerabilities they find in the networks they are attacking. The software they use will typically be multi-purpose and ‘commercialised’ by other cyber-gangs. This is no longer the era of a ‘hacker’ in the back-bedroom trying to make a name for themselves; cyber-crime is big business and, unfortunately, growing.
Email is a gateway to data theft
One of the most significant risks to financial sector organisations is loss of customer data. Cyber-criminals target financial institutions in the hope of stealing customer data such as account details with credit / debit card details, including CVV numbers, social security numbers and other private financial details. While there are multiple ways in which this information can be maliciously obtained, the most prominent today are phishing emails or links in both corporate and personal email. Cyber-criminals use seemingly innocent emails and links to hide malicious code that, once activated, can compromise the individual and then use their credentials to gain access to entire databases of critical data. In-depth access to transactional financial information gives cyber-attackers a wealth of opportunities to make money, either by stealing from customers themselves (if they gain access to card details) or by holding the information to ransom. In the case of ransomware, whole systems and network drives can be held to ransom as the data is encrypted.
When it comes to data breaches, there is a multitude of financial legislation which can be used to impose fines, including the ever-present GDPR with its huge fines of up to €20 million, or 4% of global turnover, that can be levied against firms who breach the regulations. While the maximum fine has yet to be imposed, the values are rising, so it is only a matter of time.
New innovations bring new threats
New assets being introduced into the financial space – such as bonds, bitcoins and other forms of crypto-currency – are also targeted by cyber-criminals and, with less traceability in these new technologies, are becoming increasingly popular targets. Anonymity is one of the primary reasons bitcoin became so popular with users; however, that is also why it’s popular with cyber-criminals. It is the payment option of choice for ransomware but is also a target in and of itself. Bitcoin lets customers store their currencies remotely in offline wallets, which initially appear to be more secure because cyber-criminals can’t easily attack the decentralised network. However, they are finding new ways to get around this to attack the source, including installing keylogger malware on devices in order to find the access codes. There have been a number of instances where financial institutions using bitcoin have been attacked by cyber-criminals looking to gain access to codes to wallets – and succeeded, including Zaif, Mt. Gox and Coincheck. Needless to say, this doesn’t just put the customer and their funds at risk, it also jeopardizes the financial organisation's reputation and its whole asset base. The crossover and interorganizational complexity of transactions across new and old financial institutions in the future will continue to create opportunity for cyber-criminals if they are not addressed upfront and continuously monitored.
Cyber-criminals are going under the radar
However, it is not just ‘obvious’ account data which is of value; other information can also be sold to competitors or on the dark web for other cyber-gangs or hacktivists to use. Corporate espionage is nothing new, but the Internet has opened the door for attacks from anywhere. Spear-phishing, where cyber-criminals target individual employees through any and all the information they can find online to build trust, is commonplace. They will also target personal email, with a view that the individual will open it while on a corporate device on the corporate network. Imagine an innocuous-looking weaponised document entitled “Job offer”: wouldn’t you open it?
Business Email Compromise (BEC) is also growing, where cyber-criminals pose as the CEO of a company, spoofing their email address, and sending emails with criminal intent, for example asking for fake invoices to be paid, or requesting information on exchange rates from bank tellers in a certain region. In the case of the latter, the information can be sold on to competitors in order to gain commercial advantage. It’s not just the CEO; all the executive team can be targeted for impersonation. For example, the Head of HR could request information on employees. A list of all employees and their salaries puts the entire organization at risk, and not just of fines from a data breach. Staff poaching and reputational damage will also be a major issue.
Preparation is key
So how can financial institutions protect themselves against this plethora of threats? Firstly, education is vital. From the bank tellers to the security team, everyone needs to understand the current cyber security threats, what they look like and how to best protect against them. Data breaches can come from anywhere; even simple tasks such as opening emails, clicking a link or downloading a file can result in a breach, which can therefore be directly or indirectly caused by any member of staff, no matter what their role. Every employee in a financial organisation needs ongoing training and education to teach them about the latest threats and what to do should they think they have been targeted or fallen for one.
It has recently been reported that financial institutions are 300 times more likely to be subject to a cyber-attack than other industries. Detailed processes need to be in place for all employees to follow if there has been an incident, and the correct protocol followed. Don’t shoot the messenger. The organization needs to encourage employees to report incidents no matter how small they think they might be. We are all human and if a mistake has been made, it’s better to know about it sooner rather than later. If there has been a data breach, then timely communication, including to customers, is essential as part of the process to resolve the incident. Ignorance is not bliss.
With the average cyber-attack costing $1 million, it is vital to have cost-effective preventative measures in place. Financial organisations cannot stop working with data because of the cyber risk attached, so technology needs to be in place to underpin security. Today’s email and web solutions can provide extra layers of threat detection and prevention against the new generation of information-borne threats with functionality such as document sanitization. Automatic redaction based on both content and context will also help prevent exfiltration of data into unauthorised hands, whether it is sending the wrong information to the right person or sending any information to an unauthorised recipient. The latest security solutions create a seamless safety net to protect data and employees on a day-to-day basis.
Although cyber threats are undoubtedly growing, financial institutions need to be aware of the new threats and that there are solutions which can protect against them. Deploying the latest security technologies will mitigate the risks, keeping the organization, its information, staff and ultimately customers safe.
FIVE things fintechs must do to keep investors onboard
New investors flocked to the stock market during the COVID-19 pandemic. Thirty-eight percent of investors said they had never had a brokerage or similar account before opening one in 2020.
Low or no-fee trading options have helped accelerate the trend – nearly half of new investors said they accessed their account primarily through a mobile app. As FinTechs, how do we create the trust needed to keep new investors in the market and create a fruitful customer experience for them?
The financial industry does a disservice to individual investors if we merely offer tools that focus on making money quickly, an approach that usually backfires. Instead, the surge of interest presents an enormous opportunity for those who want to help more consumers use financial technology to educate them on responsible spending, saving, and investing in order to achieve financial wellness. Current fintech tools have welcomed individual investors in the door.
Now, it’s time to focus on education and improving their experience going forward. There are several ways those of us in fintech can step up to shape the future of retail investing so that it works better for everyone, starting with the following areas.
Equal access to financial wellness education
Financial health should be available to everyone — but today, not everyone has the educational resources to achieve it. One study shows that only 3.9% of students from low-income schools were required to take a personal finance class. What they aren’t learning in school or from family members, fintech companies can provide on their platforms.
The companies should move from solely offering financial services to a more responsible model of education, advice, and prescriptive choices to help consumers develop better habits and make wiser financial decisions. Not only can they empower consumers and bridge historical wealth divides, but they can also stimulate growth by opening up new consumer segments.
Just as we’ve come to expect that our fitness routines are tailored to our individual bodies, we’re also ready for finance tools that go beyond one-size-fits-all solutions. But only six percent of financial institutions say they’re using the kind of technology that allows them to deliver a deeply personalized experience. Fintech tools need to reflect that financial success looks different for each of us.
For one consumer, it may mean providing guidance on how to pay off student loans early; for another, it may mean prescriptive actions that enable them to stick to a budget for the first time; for a third, it could look like prioritizing environmental, social and governance (ESG) investments, so that her portfolio aligns with her political beliefs.
Now, we are seeing financial technology beginning to meet the demands of personalized finance in a substantial and meaningful way.
The rise of AI-Powered Advice
Big-picture advice and predictive guidance used to be a feature of high-end financial advisory firms — a perk only available to those who could afford it. But thanks to rapid advancements in data analytics and artificial intelligence (AI), that kind of holistic advice is now more accessible than ever. AI-driven robo-advisors can parse many different streams of financial information, delivering customized answers to key questions: Is it time to buy a home, or is it smarter to keep renting? Can I afford to take out another student loan?
Intelligent connectivity powered by AI can anticipate consumers’ needs and next steps, making proactive suggestions that guide them along the path to financial wellbeing. Fintech companies can also help consumers identify when their financial picture becomes too complex for a robo-advisor, and help them find a human financial advisor to meet their needs.
Focus on financial mental health
New investors are quickly finding that the market can be overwhelming. That’s not surprising: financial anxiety is common, and studies show that financial stress can have an impact on mental health for some.
It’s not enough for fintech companies to give retail investors access; they also must provide the guidance and support that help consumers manage their financial well-being. Educational tools can ensure that consumers are well informed about their options.
Predictive analytics can anticipate consumers’ questions, serving them key information and insights before they ask. Features that emphasize a comprehensive notion of financial well-being, rather than short-term wins and losses, can also help ensure that consumers are keeping their eyes on the bigger picture.
Gamification for good
The surge of gamification apps has done an impressive job making investing as engaging as playing a video game or joining a social media platform.
Much of the current use of gamification emphasizes short-term thinking, but there’s also an opportunity to help consumers think more broadly about their overall financial picture. One example is peer benchmarking, a feature that enables consumers to see how their financial habits compare to those of friends and fellow consumers.
Gamification can also be used to incentivize making smaller, smarter choices — for example, rewarding saving over making an impulse buy.
The future of fintech is about more than just broadening access to the markets. It’s about making sure more individuals have access to the tools that can help improve their financial well-being—in the ways that suit their own circumstances and needs. The potential to act within their own set of individual priorities, with their long-term financial wellness in mind, is much more empowering to a consumer than simply relying on short-term, high-risk investments.