Wannacry fallout: UK regulator and experts urge financials to up their cybersecurity game
23 May 2017
Wannacry’s impact on financials may have been limited but it’s still a big wake-up call for institutions, with experts warning of the likelihood of a sting in the tail from the attack further down the line and, moreover, a future in which quantum computers will render today’s encryption useless.
The ability of financials to withstand cyberattacks is a perennial concern and in the wake of Wannacry those worries have only intensified. Certainly if a recent ear-bashing dished out by the UK regulator to City firms about their cybersecurity credentials is anything to go by, that heightened anxiety is entirely justified.
In a hard-hitting wake-up call just a few weeks before the Wannacry attack the Financial Conduct Authority’s acting chief operating officer, Nausicaa Delfas, said London firms are struggling to master even the basics of cybersecurity and lack skilled professionals to help them fix the problem. She warned: “We have witnessed some interesting changes over the last 12 months, with the re-emergence of some old foes (such as ransomware) and the development of some innovative and dangerous criminal networks.”
Delfas, who previously led the FCA’s approach to IT and cyber resilience, says financial services firms need to have “good detective capabilities” and the ability to recover and respond to attacks. Yet the regulator’s work “has shown firms continue to struggle to get the basics right”. Tools to enable effective management of vulnerabilities are well established, and yet organisations either don’t use them, or don’t use them effectively, she added.
The FCA is by no means alone in urging institutions to up their cybersecurity game – there have been many excellent reports highlighting the problem over the last few years. A particularly revealing one recently by Accenture surveyed 275 security executives from the banking sector globally and found clear evidence that many financials are less secure than they think. The research uncovered a “dangerous disconnect” between institutions’ perception of the efficacy of their cybersecurity and the reality.
Nearly 80% of large enterprise security executives surveyed by Accenture reported confidence in their cybersecurity strategies and 76% said cybersecurity is embedded in the culture. Yet Accenture found these same banks fending off an “astounding” 85 targeted breach attempts per year, on average. One third of these are successful, equating to 2 to 3 breaches each month.
Where prevention fails, breaches are a problem if they are not detected, and the length of time institutions take to spot them in the first place is a major concern. Attackers spend an awfully long time inside organisations: nearly 60% of banking respondents surveyed admit it takes “months” to detect successful breaches, while another 14% identify them “within a year” or longer.
A high-profile case in point here is the incredible $80m cyber heist of Bangladesh Central Bank in early 2016. The heist resulted in funds being siphoned off in the blink of an eye via wire transfer but experts have pointed out that the hackers spent six months roaming around the bank’s network, learning about all the objects, privileges and domains they needed in order to actually launch their attack. Only when they had all the information in hand did they create the malware armed with everything that was needed to carry out the attack - even the means with which to hide the wire transfers that had been actioned.
Amateurs hack systems, professionals hack people
Discovery of breaches as quickly as possible is a critical task for internal bank security teams yet the Accenture study says these in-house cyber detectives discover only 64% of them, with employees, law enforcement or “white hat” players such as “ethical” hackers responsible for alerting institutions to the rest of them. Fully 99% of surveyed bank respondents say that they most frequently learned about breaches not detected by the security team from employees.
A company’s people represent its best form of defence, say the report’s authors, but they add: “In our view, many attacks are successful because they exploit employees’ login credentials. That points to the importance of security training at every level of a firm and of continuously refreshing cyber talent across the business.”
Another big challenge for in-house security teams is prioritising where to focus resources to adequately protect their organisations from cyberattacks. Accenture says most firms continue to focus a majority of their resources on external security issues – 62% of financials surveyed prioritise heightened capabilities in perimeter-based controls against outsiders, the aim being to control access to all entry and exit points of the network.
Accenture, however, warns this heavy focus on network boundaries can potentially compromise the ability to address high-impact internal threats. Nearly 50% of banking respondents cited internal breaches as having the greatest cybersecurity impact but 52% also say they lack confidence in their organisations’ abilities to monitor internally for breach activities—whether those are careless mistakes, failure to follow proper procedures or the result of malicious intent.
“The widespread belief that you can ‘trust’ your employees is a curious position for financial services companies to assume,” says Accenture. “After all, firms have not traditionally taken that passive sort of view when it comes to customers’ financial assets. Strong controls have always been in place. Creating a strong culture of cybersecurity is critical—a culture extending from the newest hires all the way up to the C-suite. Training and communications have an important role to play, but culture change is really about changing behaviours… security is not just an IT problem. It’s a company problem, and even a people problem.”
No quantum of solace in sight
But if today’s classical computing technology is so prone to attack via the web then imagine, as cybersecurity entrepreneur Andersen Cheng does, the damage quantum computers, with their potential to obliterate today’s encryption with ease, could wreak. Quantum computing used to be in the realms of science fiction – some argue it remains so – but with national governments (good and bad) as well as tech giants like Google, Microsoft and IBM all busy trying to build the technology, the race to build these monsters is well and truly on.
Cheng, co-founder of Post-Quantum, a firm focused on developing cybersecurity for the quantum computing world he believes will arrive in the near future, echoes Accenture’s concerns over the banking sector’s lack of confidence and ability in addressing insider attacks. He says: “When dealing with sensitive data, we [at Post-Quantum] find that too often businesses rely on broad role-based permission systems to regulate access. This needs to change to an authorisation-based approach, in which auditable access is granted to sensitive data only when needed and justified. This is the surest way for businesses to maintain control over their high-value data and protect it from internal and external threats.”
He adds: “When it comes to cyber security, preparation is key. Accenture’s report highlights the risk of leaving machines unpatched, and the damage that can result from this was demonstrated by the recent WannaCry incident. Organisations increase their risk significantly if they do not address known incoming issues before they arrive.”
Since graduating from the Barclays accelerator in 2015 Post-Quantum’s commercially-ready cybersecurity solutions have attracted much attention from corporates, government agencies and defence bodies. It has been approached by many leading institutions in sectors including banking, legal and insurance.
“We focus on incident prevention not detection: if you can only detect when something has happened it’s already too late. It’s something we address on a daily basis regarding the emergence of quantum computers. The risk quantum poses - that it will break the encryption widely in use today - is well known. While the timing is less precise, with estimates ranging from 5 to 7 to 15 years, we can be certain that the capability will arrive in the near future. This is particularly relevant to certain sensitive government data which needs to be kept secret for at least 25 years or chips for driverless cars when such cars will most likely be still on the road in 15 years’ time.”
Rather chillingly, Cheng raises the problem presented by data already stolen by hackers but not yet accessed because its encryption has yet to be broken. “In a quantum computing world the machines can be used to break into data stolen in the past if the encryption used to protect it up to that point was weak. For organisations in the financial sector - indeed any sector, public or private - with sensitive data that will still be of value to a competitor or aggressor in, say, seven years’ time, starting to migrate now is essential. The lesson businesses must take from this [Wannacry] incident is that advance preparation is required to counter known emerging threats.”
Wannacry some more?
Cheng’s call on financials to always expect the unexpected is echoed by Ofer Israeli, founder and CEO of Illusive Networks, another cybersecurity fintech making waves. The firm is at the cutting edge in applying deception-based technology, the new kid on the block in cybersecurity. Financials may not have been hurt much by Wannacry but Israeli is clear about its implications and its potential to wreak yet more damage.
Israeli says: “The Wannacry attack demonstrates that cyber-criminal organisations are now equipped with the best nation-state tools and capabilities to create crises at organisations worldwide. I believe this is just the tip of the iceberg.
“In the case of Wannacry, we are seeing an opportunistic ransomware operation. But we can expect the exploit is already being used for more surgical targeted attacks, the outcome of which will only be revealed in a few months due to the amount of time required to execute those of such complex nature. Financial institutions always draw the most sophisticated of attackers as the prize is so big. Their in-house security teams should be continually assessing and strengthening their cybersecurity strategies to maximise protection.”
He adds: “These days, breaching enterprise networks isn’t a matter of if but when, so the prime focus is now how fast an attack can be detected prior to any real damage being caused. It has been documented that financial organisations invest heavily in perimeter defences but have only recently started to detect threats that are already present in their network. The trust model of 'whatever is in the network is OK' no longer holds.
“Attackers are innovating and evolving at a very high pace. Financial organisations must therefore go beyond traditional security measures and embrace cutting-edge solutions if they want to be effective against the sophisticated adversaries of today.”