Cybercrime-in-a-box: ‘Wannabe’ criminals are the new threat to financial institutions



Phil Rodrigues, Vice President, BT Security, Asia-Pacific, Middle East and Africa, BT, shares why amateur criminals will be the bane of banks and how to ward them off

The financial services industry is wising up to the threat of cybercrime. Security has shot up the board room agenda of many large financial institutions in recent months, and banks have boosted their defences to ward off attacks, and are better prepared than before. However, as banks and other financial institutions get smarter, criminals outsmart them by changing tactics.

Rising threat of crime-in-a-box
An example of this is the creation of malicious and harmful services by hackers, or crime-in-a-box, sold to the highest bidder. Any individual with malicious intent but without the intellectual capital or technology experience to do it themselves, can easily purchase ready-made cyberattack packages, deploying them where they please. Often referred to as crime-as-a-service (CaaS), it lowers the barriers of entry into cybercrime, opening the door to those who were previously incapable of launching these types of attacks. It is flat-packed cybercrime with a price tag, and puts financial organisations at a greater risk.

BT LogoA typical crime-in-a-box toolkit includes malicious software, supporting infrastructure, stolen personal and financial data and the means to monetise criminal gains. With every aspect of this toolkit available to purchase or hire as a service, it is relatively easy for cybercrime amateurs to launch cyberattacks not only of a scale highly disproportionate to their ability but for a price similarly disproportionate to the potential damage. They can gather resources quickly and easily – as soon as authorities discover and take down cybercrime services available online, they pop up elsewhere.

Bogged down by legacy systems and regulations
As attackers are armed with a more sophisticated arsenal of tools and techniques including crime-in-a-box, the traditional approach to security is outdated. Traditional compliance processes are out of step with the new digital age – adding more and more controls at the cost of flexibility and agility only increases risk, not reduce it.

Furthermore, many financial institutions are facing budgets constraints and trying to keep legacy systems running as long as possible to avoid capital spend. But these legacy systems are often more vulnerable to cyberattacks and are less reliable.

To top it off, regulators are toughening their stance on companies suffering breaches in their cyber defences and imposing greater fines for their shortcomings. Taking all these factors into account, it is understandable why some organisations are choosing to buy rather than build their own defences. Superficially, it seems easier but it is often more expensive and can open up a whole new can of security worms.

Security never sleeps
While financial services firms have taken significant strides in the right direction, they now need to go further to protect the security of their networks from this growing threat. A joint study by BT and KPMG found that only half of the CEOs surveyed felt their companies were prepared for a cyberattack.

The financial stakes are high. Digital crime currently costs the world $400 billion every year (Centre for Strategic and International Studies and Intel Security, 2016). No one doubts that an attack by digital criminals is a real and present danger, but the scale, rapid growth and ever-changing nature of the threat are often not fully comprehended. The recent $81 million attack on the Bangladesh central bank, which but for the vigilance of other central banks might have been $951 million, is a clear example of the scale of damage.

Financial institutions can no longer afford to sleep walk into a disaster. The industry needs to take action, and quickly before risks become a drag on the digital economy. There are a number of steps that financial services firms should take to combat the rising security threat:

  1. Think like a criminal: Financial institutions need to treat cyber criminals the way they treat challenger brands – by understanding and disrupting their business model. One way to do this is via ethical hacking. Real life hackers are unpredictable and driven by impulses, such as trying to make a name for themselves. Ethical hackers counter this by imitating them, and in doing so test systems, report and fix possible vulnerabilities, helping organisations to stay ahead of the threat curve.
  2. Set the culture: Forward-thinking CEOs should approach the role with the mind-set of the potential hackers, whereby cyber security is a customer experience and revenue opportunity, not just a risk that needs managing. This approach turns cyber preparedness into a competitive advantage for organisations rather than a cost.
  3. Train employees: Raising awareness within an organisation and encouraging best practices amongst employees is an effective first step towards shoring up lines of defence. With newer technology comes more complex systems, creating new avenues for cyber criminals to exploit. Regular training for employees will help plug these gaps.
  4. Ask the experts: Working with specialist solution providers who have a deep knowledge of securing the entirety of an organisation’s IT infrastructure, can help firms remain prepared in an ever-changing threat landscape.
  5. Choosing the right cloud: To minimise risk, organisations should move towards a cloud environment that allows easy and secure consumption of internal services and external solutions. Wrapping multiple cloud environments (private, public and hybrid) into one single secure cloud helps firms take control of applications performance, manage multiple cloud systems and most importantly, reduces the number points of vulnerabilities that cyber criminals seek to expose.

Reining in the many-headed monster
CaaS is going to spread because it is easy to take up and commercially lucrative for the criminal involved. At a time when the financial industry is becoming far more complex, security solutions have to be updated at the same pace. The financial industry as a whole must also play a part in ensuring that it continues to enjoy the trust of its customers. Institutions must work together by sharing information and intelligence on new threats to make everyone better at defending against attacks, and in doing so, limit the pernicious effects of cyber-crime.