By Alex Fagioli, CEO of Tectrade
So, the FCA has spoken and it’s now official: banks in the UK are under-equipped with the tools or knowledge to deal with the cyber risks they face. Of course this is nothing new to us, or to anyone who has been paying attention to the news over the past year. 2018 was a year dominated by stories of cyber security failings, whether it’s alleged Russian political hacking or a Facebook data leak that has left the photos of 6.8 million users exposed. The finance and banking sector was no different, with TSB’s cyber meltdown that saw users unable to access their accounts for up to a month and 1,300 accounts hit by fraud. To put a bow on the entire year, the FCA has plainly stated that it is “deeply concerned” with the under-preparedness of banks and that their board members “have limited familiarity with the specific cyber risks their organisations face”. But while it might be a cathartic exercise to point the finger at ignorant board members and bemoan the lack of IT infrastructural integrity at financial institutions, what we need to do now is come up with solutions.
For starters, banks need to invest more, not less, in cybersecurity and day-to-day IT operations. Cutbacks are understandable as organisations look to maximise profits, but the fact that Lloyds made nearly 100 CIOs redundant earlier in 2018, when it suffered 19 outages between May and June, shows that this is not an area that should be neglected. Before looking to do anything to infrastructure, banks should ensure that they have the personnel on board to maximise their cybersecurity efforts.
From that point banks can audit their infrastructure. How up to date are the systems? How are storage and data backups being handled? What is the disaster recovery strategy? That latter point is particularly important, as we are consistently surprised by just how few organisations actually stress test, in a controlled environment, how their systems handle outages. Administrators cannot have a full understanding of the systems they are responsible for without testing them in a controlled and simulated environment. In the same way that you don’t want to discover you have a faulty fire alarm when you most need it, banks can quite easily carry out a ‘cyber MOT’ in order to keep systems in check and give IT teams a full working knowledge of any potential issues.
From a board level, there is evidently a disparity between executives and those on the ‘front lines’ of dealing with cybersecurity. A senior regulator at the FCA has accused such firms of being ‘overly confident’ and, as the old saying goes, the fish rots from the head down. By contrast, the people who deal with cybersecurity on a daily basis are well aware of the issues facing the sector: rapidly advancing threats and infrastructure that is not equipped to keep up with that rate of development. Employing a greater number of board members with this level of expertise would not halt cyberattacks, but would help to put banks on the front foot.
But while it’s one thing to say that banks should hire such people, finding the right individual with enough business acumen to complement their technical knowledge is another. Rather than employing someone at board level, the FCA points out that many firms have brought in third-party advisors to educate the board and independently advise on how they can improve their systems and their mentality towards cybersecurity. This approach can make a lot of sense, particularly when hiring a board member in such a sector can take a couple of years – unfeasible when the issue is so pressing. However, the FCA also warns that retaining such services can result in an over-reliance on third parties and affect the development of in-house cyber capabilities. Teach a man to fish, as they say.
Things clearly aren’t working right now, whether it’s due to failings of internal procedure or an inability to deal with external threats. Look at, for example, the ‘routine upgrade’ at TSB that saw 1.9 million customers locked out of their accounts for up to a month, or Visa’s ‘blackout Friday’ where 5.2 million transactions failed across Europe because of a faulty switch.
On the other hand, it is estimated that cybercrime is costing banks in excess of $600 billion globally. Ransomware alone was responsible for $5 billion in losses in 2017, a figure we expect to see rise for the 2018 summaries (although it’s worth noting that the plunging price of cryptocurrencies across the board may mean a lower financial cost across an increased number of attacks).
Sadly, with any form of IT outage it is not a question of if, but when. As such, banks should adopt a zero day recovery architecture as the best means to mitigate risk and minimise downtime in the event of any outages, without having to worry about whether the workload is compromised. An evolution of the 3-2-1 backup rule (three copies of your data stored on two different media and one backup kept offsite), zero day recovery enables an IT department to partner with the cyber team and create a set of policies which define the architecture for what they want to do with data backups being stored offsite, normally in the cloud. This policy assigns an appropriate storage cost and therefore recovery time to each workload according to its strategic value to the business. It could, for example, mean that a particular workload needs to be brought back into the system within 20 minutes while another workload can wait a couple of days.
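The policy described above, in which each workload is given a recovery target according to its strategic value and its backups are held to the 3-2-1 rule, can be written down as something an IT team can actually check rather than just a statement of intent. The following is an added example, not Tectrade’s tooling or anything from the original article; the tier labels, the strategic-value scale of 1 to 5, the RTO thresholds and the sample estate are all assumptions chosen for illustration. It also goes one step beyond 3-2-1 by flagging whether any offsite copy is immutable, i.e. cannot be altered by the credentials of a workload that has itself been compromised.

```python
"""Constructed example: the 3-2-1 rule and per-workload recovery tiers
expressed as checkable policy. Not Tectrade's code; the names, tiers and
thresholds below are assumptions made for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Media(Enum):
    DISK = "disk"
    TAPE = "tape"
    OBJECT_STORE = "object store"  # e.g. a cloud bucket


@dataclass(frozen=True)
class BackupCopy:
    media: Media
    offsite: bool            # held away from the primary data centre
    immutable: bool = False  # write-once/locked: a compromised workload cannot alter it


@dataclass
class Workload:
    name: str
    strategic_value: int     # 1 (low) .. 5 (critical), assigned by the business
    copies: list = field(default_factory=list)


# Assumed tiering: strategic value -> (tier label, recovery-time objective in minutes)
TIERS = {
    5: ("tier-0", 20),     # e.g. core payments: back within 20 minutes
    4: ("tier-1", 240),
    3: ("tier-2", 1440),   # next business day
    2: ("tier-3", 2880),
    1: ("tier-3", 2880),   # a couple of days is acceptable
}


def recovery_target(workload: Workload) -> tuple:
    """Map the business's strategic value to a tier and an RTO in minutes."""
    return TIERS[max(1, min(5, workload.strategic_value))]


def check_321(workload: Workload) -> list:
    """Return the 3-2-1 violations for a workload (empty list = compliant).
    The production data counts as one of the three copies and is assumed to live on disk."""
    problems = []
    total_copies = 1 + len(workload.copies)
    if total_copies < 3:
        problems.append(f"only {total_copies} copies (need 3)")
    media = {c.media for c in workload.copies} | {Media.DISK}
    if len(media) < 2:
        problems.append("all copies on a single media type (need 2)")
    if not any(c.offsite for c in workload.copies):
        problems.append("no offsite copy")
    return problems


def check_isolated_copy(workload: Workload) -> bool:
    """Beyond 3-2-1: is there an offsite copy the workload itself cannot tamper with?"""
    return any(c.offsite and c.immutable for c in workload.copies)


def build_policy(workloads: list) -> list:
    """One policy row per workload, ordered by RTO so restores are sequenced by urgency."""
    rows = []
    for w in workloads:
        tier, rto = recovery_target(w)
        rows.append({
            "workload": w.name,
            "tier": tier,
            "rto_minutes": rto,
            "violations": check_321(w),
            "isolated_copy": check_isolated_copy(w),
        })
    return sorted(rows, key=lambda r: r["rto_minutes"])


# Constructed sample estate (not real systems)
SAMPLE = [
    Workload("payments-ledger", 5, [
        BackupCopy(Media.DISK, offsite=False),
        BackupCopy(Media.OBJECT_STORE, offsite=True, immutable=True),
    ]),
    Workload("marketing-analytics", 2, [
        BackupCopy(Media.DISK, offsite=False),  # a single on-site disk snapshot
    ]),
    Workload("hr-archive", 3, [
        BackupCopy(Media.TAPE, offsite=True),
    ]),
]

if __name__ == "__main__":
    for row in build_policy(SAMPLE):
        status = "OK" if not row["violations"] else "; ".join(row["violations"])
        print(f'{row["workload"]:22} {row["tier"]:7} RTO {row["rto_minutes"]:>5} min  '
              f'isolated={row["isolated_copy"]}  {status}')
```

Run as a script, the report lists the payments ledger first (20-minute RTO, compliant, with an isolated copy), then the HR archive (one copy short) and finally the analytics workload, which fails all three parts of the rule. The point of keeping the checks as plain functions is that the same policy can be re-run after every infrastructure change, which is the ‘cyber MOT’ the article argues for.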
Adopting this kind of approach is not, however, a silver bullet. It will not prevent you from getting hacked, or stop a faulty switch shutting down the entire operation. What it does do is make sure that any downtime – and lost revenue that comes as a result – can be minimised. It is only by identifying the problems that have caused the kind of outages that the sector has experienced, that anything can actually be achieved. Pinpoint the issues, invest properly in preventing them, and banks will go some way to restoring confidence from the public and saving millions of pounds.