By: William Haynes, Columnist
Increasingly sophisticated and rapidly evolving cyber attacks continue to threaten a global financial system that is slow to change, unwilling to invest properly in cyber security and employee education, and resistant to cooperation and information sharing. On October 11th, the Group of 7 (G7) released a non-binding set of guidelines for the global financial sector to assist in combating cyber threats. [i] The move was a response to growing concern over cyber attacks, particularly in the wake of the numerous Society for Worldwide Interbank Financial Telecommunication (SWIFT) attacks and data breaches of the last several years. However, the G7 guidelines fail to stress the importance of education and training, the need for capacity building, and how institutions will be held accountable for security failures.
While the G7 guidelines stress the need for companies to continuously review their cyber security frameworks and strategies, they fail to mention the importance of employees and basic training as the first line of defense in mitigating cyber theft. The recent cyber attacks on the global financial system should be viewed as an extension of theft, and employees must be adequately trained to respond to this type of threat. Card skimmers, phishing, ransomware, malware, and spam have all been used for years to steal and extort money. When companies invest in and implement cyber security education for employees, they can “reduce an organization’s risk by as much as 70%.” [ii] However, statistics show that businesses often fail to provide adequate training. According to the Verizon 2016 Data Breach Investigations Report, “30% of phishing messages were opened…[and] about 12% went on to click the malicious attachment or link.” [iii] This underscores that employees are not always empowered with the knowledge and skillset to avoid a basic system breach, much less a sophisticated attack. Financial institutions are responsible for properly training employees and implementing protocols to detect and prevent hacks and breaches.
The G7 guidelines ignore the risks that small and midsized businesses (SMBs) pose to the global financial system and how these risks can be mitigated through Public Private Partnerships (PPP). More than 44% of SMBs do not believe they are at risk of cyber attacks and invest little in cyber security. [iv] However, this could not be further from the truth, as SMBs are the “principal target” of cyber attacks. [v] Most SMBs have relationships with large financial institutions and other businesses. For this reason, cybercriminals are using SMBs’ lack of cyber security as a gateway into larger financial and business institutions. [vi] For example, in 2013, cybercriminals gained access to Target’s financial systems through an SMB that worked with the company, resulting in the theft of over 40 million credit and debit card numbers. [vii] While the G7 guidelines support cyber security norms in the financial sector, the G7 must also be willing to “engage in PPP and capacity-building effort” with the cyber security industry to provide SMBs with the tools and expertise needed to reinforce these norms. [viii]
The G7 guidelines do not hold the financial industry accountable for consumer losses from cyber attacks, which is key to incentivizing stronger cyber security in the industry. Many larger corporations are reluctant to invest in cyber security because there is little “financial incentive to do so.” [ix] In a globalized world, the cost of cyber crime is spread throughout society and does not fall solely on a financial institution or organization. A RAND study found that “the typical cost of a breach was about $200,000 and that most cyber events cost companies less than 0.4 percent of their annual revenues,” a cost that can be further reduced through insurance claims and tax deductions. [x] Moreover, banks often keep cyber attacks secret out of fear of damaging their reputation. [xi] The unintended effect of this secrecy is that other financial institutions cannot mitigate similar attacks if they are unaware of them. Since the consumer is most often the real victim of organizational hacks and breaches, a lack of financial pressure combined with the ability to hide breaches creates little incentive for businesses to change their behavior or invest in cyber security. This was demonstrated in the Bangladeshi bank SWIFT hack, which was partly caused by the bank not investing in basic cyber security measures and using cheap second-hand switches to connect to the SWIFT network. [xii] The G7 must be willing to hold companies and the global financial system accountable for their failure to protect both their systems and consumers.
While the G7 guidelines for the global financial system are a step in the right direction, the guidelines themselves are similar to what policy makers and the cyber security industry have stressed for years, and what has often been ignored. A more clearly delineated set of guidelines is needed to underscore and define the roles and responsibilities of SMBs, organizations, financial institutions, and governments in the global financial system with respect to proper training and protocols, PPP, and information sharing. Until these sectors can work together to mitigate financial crime in cyberspace, hacks and breaches will continue to occur at an alarming rate, threatening the security of the global financial sector.
[i] “G7 Fundamental Elements of Cybersecurity for the Financial Sector.” U.S. Department of the Treasury. https://www.treasury.gov/resource-center/international/g7-g20/Documents/G7%20Fundamental%20Elements%20Oct%202016.pdf
[ii] “Monte Carlo Analysis Reveals that Changing Employee Behavior Reduces the Risk of Security Breaches by 45% – 70%.” Wombat Security Technologies. Jan. 13, 2015. https://www.wombatsecurity.com/press-releases/research-confirms-security-awareness-and-training-reduces-cyber-security-risk
[iii] “2016 Data Breach Investigations Report.” Verizon. http://www.verizonenterprise.com/verizon-insights-lab/dbir/
[iv] Ben Lobel, “Businesses do not believe they are at risk for cyber attacks.” SmallBusiness.co.uk. Jan. 27, 2016. http://smallbusiness.co.uk/businesses-do-not-believe-they-are-at-risk-of-cybercrime-2503796/
[v] Luis A. Aguilar, “The Need for Greater Focus on Cyber Security Challenges Facing Small and Midsized Businesses.” U.S. Securities and Exchange Commission. Oct. 19, 2015. https://www.sec.gov/news/statement/cybersecurity-challenges-for-small-midsize-businesses.html
[vii] Natasha Bertrand, “Here’s What Happened to Your Target Data That Was Hacked.” Business Insider. Oct. 20, 2014. http://www.businessinsider.com/heres-what-happened-to-your-target-data-that-was-hacked-2014-10
[viii] Ilias Chantzos and Shireen Alam, “International Cyber Norms: Technological Integrity and the Role of Industry in Emerging Cyber Norms.” Tallinn, Estonia: NATO Cooperative Cyber Defence Centre of Excellence.
[ix] “Why some companies don’t invest in cybersecurity.” Columbia Magazine. Fall 2015. http://magazine.columbia.edu/explorations/fall-2015/why-some-companies-dont-invest-cybersecurity
[x] Sasha Romanosky, “Cost of Cyber Incidents Not Large Compared with Other Business Losses; May Influence Responses by Businesses.” RAND Corporation. Sept. 20, 2016. http://www.rand.org/news/press/2016/09/20/index1.html; “Why some companies don’t invest in cybersecurity.” Columbia Magazine.
[xi] Lawrence White, “British banks keep cyber attacks under wraps to protect image.” Reuters. Oct. 14, 2016. http://www.reuters.com/article/us-britain-banks-cyber-idUSKBN12E0NQ
[xii] Serajul Quadir, “Bangladeshi Bank exposed to hackers by cheap switches; no firewall: police.” Reuters. Apr. 22, 2016. http://www.reuters.com/article/us-usa-fed-bangladesh-idUSKCN0XI1UO