Unprecedented Opportunities and Vulnerabilities

Cyber threats pose a challenge to banks and firms operating in the financial sector, primarily due to the fact that “vulnerability really exists everywhere,” both on the technological side and the business side, says Michael Orozco, Managing Director in Accenture Strategy Security. To help improve security in the financial sector, “security really needs to be part of the product development as the application is going through its ideation phase,” explains Orozco in an interview with The Cipher Brief.

The Cipher Brief: Your recent report noted that banks are stuck in a pretty tough spot. Their users want things to be easy to access, but they also want them to be secure, and you can’t have both realistically. So how can banks better navigate between these two goals and find a middle ground that will help satisfy their customers without making their data vulnerable?

Michael Orozco: Banks race to try to keep pace with financial technology (Fintech) companies that very quickly allow people, small businesses, and large corporations to rapidly access financial services products and capabilities without having to go to the traditional fiduciary analysis firms. That creates an issue of understanding: Are the identities of the individuals applying for either credit, or loans, or banking, verifiable? Do these identities belong to the appropriate people representing themselves? The smartphone application makes it easy to consolidate your services, products, and all the various pieces that comprise your relationship with a bank or capital markets firm, but at the same time, it provides unprecedented opportunities and vulnerabilities for malicious intent.

As we discuss with capital market firms, security really needs to be part of the product development as the application is going through its ideation phase. This is to make sure it is user-friendly and consolidated to meet the needs of one point of access or many points of service for the financial institutions and their client, but it also means recognizing how to secure that, what systems feed into that, and where the vulnerabilities are. We work with financial institutions to help them identify a process, a methodology, and certainly an application standard that will help them stay secure while meeting the needs of their clients.

TCB: You also mention in the report shifting towards a more proactive defense, where companies can incorporate a high quality of intelligence in order to inform their strategic approach, and potentially even predict attacks. Can you describe how you would envision that working and what the primary benefits are?

MO: In the report that we published, “If You Think it’s an IT Problem, Think Again,” what we’re identifying is across-the-board recognition that it’s no longer just an IT weakness or a systems problem, it’s a business issue. Weaknesses and vulnerabilities can come from social engineering, in terms of individuals giving out their password, and folks who continue to work with trusted relationships within the organization or external partners and so will bypass, sometimes readily, basic security measures. What we try to bring out is that there are social engineering problems, there is nation-state sophistication, there are hacktivists who want to enter the system. The vulnerability really exists everywhere, from customer service to your document management, customer care, all the way through the individual at your local branch who may have a familiarity with you and may want to safeguard that relationship with you by bypassing some security measures. In the long term, that may create exposure and vulnerability to the financial services institution.

We recommend that there be a more comprehensive review, that there be continued due diligence in recognizing the way that all these particular pieces can create an exposure to the financial system.

TCB: What then would be the primary challenges for this kind of approach?

MO: The primary challenges really are helping to identify the key roles for all the various participants. It’s no longer just the chief information security officer. It really should involve corporate investment banking, retail banking, customer service, the various points of entry and touchpoints with customers, as well as the touchpoints that the bank has with the corresponding banks and other financial entities in their network, especially as we’re moving towards the ultra-rapid payment methods that are being requested. The challenges with that really come into play in helping everyone understand what their role is in terms of info security or cyber security. It’s typically very easy for members of the organization to say, well that’s being covered by the chief information security officer, and not recognizing that better practices, protocols, and standards within their own group can keep them from aggravating vulnerabilities, which can then be exploited.

TCB: The issue of geopolitical risk comes up several times in your report. To what extent does geopolitics influence the risk banks face in the cyber domain, and what factors have a driving influence on that?

MO: There are a couple of factors driving it. At the end of the day, it’s the old quote, “why do you rob banks? Well that’s where the money is.” That type of crime often pays very well, not only monetarily but also in terms of business intelligence, competitive intelligence, etc. If you look at nation states that have markets that are crumbling, limited opportunities for investment, that doesn’t mean that those markets or entities are cashless, it doesn’t mean that they’re strapped for an ability to raise investment capital. It just means that their particular markets have suffered significant degradation, either through embargoes, limitations, or economic policies, which were untimely for their benefit. However, being able to hack a corporate investment bank and recognize who they’re underwriting and the asset that is currently on the table for acquisition, merger, divestiture, etc., can create an unprecedented opportunity to enter into a competitive scenario or potentially provide a better bid. This could generate billions of dollars in an emerging market or in a market that’s highly sensitive to technological innovation or consolidation, whatever the case might be. The question of a nation state also comes into play in a situation where nation states have unprecedented interest in facilitating this type of activity for several reasons.

One, it’s disruptive to an aggressive nation state that they regard as a competitor. Two, it is lucrative, and it does pay. Three, they have skills and abilities that could be easily recognized and focused on a particular entity, and with a relentless effort, be able to bring about quite tremendous success and capabilities for themselves.

TCB: There is often a disconnect between the leadership of a firm and the people in charge of its cyber security posture, although this has changed a bit recently. What can banks and capital markets do better in order to integrate cybersecurity concerns into the C-Suite?

MO: One of the terms we’ve coined is called the “threat gap.” What we found in our research, as well as the experiential data that we’ve gathered from the many vulnerability assessments, cyber security readiness assessments, and resilience assessments that we’ve done for clients, is that a threat gap is the gap between your ability to make appropriate investment across various lines of your business to be able to maintain a certain tolerance between what you’re investing in, and the emerging threats.

If the emerging threats get ahead of your ability to clearly understand that it’s not just IT – that it really includes your business function, your financial organization, your customer care, etc. – then as that threat gap widens, your possibility or probability of a breach significantly increases. Areas where that threat gap is widening are most likely to be the areas in which that vulnerability will be exploited. To that end, what we try to recommend is areas where we can bring in clear-cut analysis and recommendations to a C-suite organization, as well as their board. We ask, what are your ready capabilities? Based upon what measurements do you feel that you have cyber security readiness to be able to identify, to respond, to mitigate, or to prevent?

We also go through and provide clear criteria, whereby we enact role-based decision-making in the event of any particular breaches or noted cyber security weaknesses and vulnerabilities. What do you do about it? How do you measure it? How should you measure the ROI? What are the channels for discussion and the appropriate questions to be asked? Our recommendation is to really engage in a continuous dialogue where we have the methodologies, we have the capabilities, and we leverage metrics and data collected to give us a holistic view of the organization, which allows that organization to recognize their vulnerabilities and how to address them.

TCB: Last thoughts?

MO: Just one quick thought. I think that there is a tremendous amount of investment that continues to occur within cyber security and the financial services industry, and some of the questions that are still very prevalent are the questions that should probably be at the top of mind for executives. These are: who is going to attack us? Why are they choosing us for an attack? And what is it that they’re after?

For those three questions, the answers will differ depending on geopolitical events. If there is a geopolitical event stemming from an embargo, the attacks may manifest themselves as attempts to understand what financial positions other competitors are taking in reaction to that embargo. In the areas of competitive intelligence, as I spoke earlier about wanting to find other areas to invest, well gee, if I can’t find a suitable asset to invest in, let me see what someone else has and what they’re willing to buy, to find out if it’s an undervalued asset that I want to put a competitive bid in. Or, is it an asset that would give us some level of leverage, whether in communications, healthcare, oil and gas exploration, or utilities, that fits into our overall strategy of how we want to play into that geography. Having those questions top of mind and recognizing that executives would benefit from a structured discussion around how we can arrive at that answer in a consistent and continuous manner throughout the year, will help them to better identify if they’re best protected.

Source: The Cipher Brief