Given the massive shift to the digital world, cyber-security is something which should be front of the minds of financial institutions. But awareness needs to penetrate throughout these institutions, as well as on to their customers, and up to the executive suite. This is not just something for the IT security “experts”. It is about awareness and cultural change.
As the recent Government Cyber Strategy highlighted Australians have quickly embraced economic opportunities in cyberspace.
In 2014 alone, the Internet based economy contributed $79 billion to the Australian economy (or 5.1 per cent of GDP). This amount could grow to $139 billion annually (7.3 per cent of GDP) by 2020 as more devices, services and people are connected online.
Figures vary, but cybercrime is estimated to cost Australians over $1 billion each year. Worldwide, losses from cyber security attacks are estimated to cost economies around one per cent of GDP per year. On this basis, the real impact of cybercrime to Australia could be around $17 billion annually. These costs are expected to rise. Government, telecommunications, resources, energy, defence, banking and finance sectors are likely to remain key targets for cyber criminals and malicious state actors alike.
It is estimated that by 2020 there will be at least 50 billion devices connected to the Internet globally. This explosion of connectivity will accelerate innovation in products and services, providing new business opportunities and new jobs.
However, the more connected ‘things’ are, the more targets there are for malicious actors. Part of the problem is that online security has not been considered in the design of many of the devices connected to the Internet. This has made it easier for malicious actors to disrupt and damage networks.
As an example of how vulnerable Internet connected devices can be, in 2015 the popular technology website Wired.com reported that security researchers had hacked into the electronics of a US car through its online entertainment system, changing its speed and braking capability before shutting the car engine down remotely. This demonstration led to the manufacturer having to provide software updates for 1.4 million US cars and trucks fitted with the same entertainment system.
Increased connectivity is also changing the relationship between consumers and businesses; it is fragmenting supply chains and business models. In turn, this will affect how people live and work, and how industries and economies perform.
Australia is the third most targeted country for banking botnets.
The need to get serious was reinforced when recently The New York State Department of Financial Services announced that a new first-in-the-nation regulation has been proposed to protect New York State from the ever-growing threat of cyber-attacks. This could become a template for other jurisdictions. It imposes significant mandatory obligations on financial sector firms.
The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services to establish and maintain a cyber-security program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.
The proposed regulation is subject to a 45-day notice and public comment period following the September 28, 2016 publication in the New York State register before its final issuance. It requires regulated financial institutions to establish a cyber-security program; adopt a written cyber-security policy; designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing its new program and policy; and have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, along with a variety of other requirements to protect the confidentiality, integrity and availability of information systems.
The proposed regulation by the Department of Financial Services includes certain regulatory minimum standards while maintaining flexibility so that the final rule does not limit industry innovation and instead encourages firms to keep pace with technological advances.
New York State Department of Financial Services Superintendent Maria T. Vullo said, “Consumers must be confident that their sensitive nonpublic information is being protected and handled appropriately by the financial institutions that they are doing business with. DFS designed this groundbreaking proposed regulation on current principles and has built in the flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs. Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.”
The recent Security Innovation Network’s SINET 61 conference in Sydney highlighted the risks to banks and underscored that this was more a cultural issue, not a technical one. Banking staff need to be sensitised to potential risks around “phishing” emails. Some are being tested with cyber security “cyber security fire drills”. Many speakers suggested that the issue was just not being taken seriously enough.
This despite the 2015 CYBER SECURITY SURVEY:MAJOR AUSTRALIAN BUSINESSES” published by Australian Cyber Security Centre (CSC) with CERT (one of their partner agencies). Industry data was collected from major Australian businesses that partner with CERT Australia, and that underpin the social and economic welfare of Australia and deliver essential services including banking and finance, defence industry providers, communications, energy, resources,transport and water. This component of the survey was hosted online through an online survey platform. Most of the respondents (67%) were from large organisations (200+ employees), 23% were from medium size organisations (21-199 employees) and 10% were from small organisations (less than 20 employees).
The results highlight that cyber security incidents are still common and recurrent for Australian businesses. Half of the respondents reported experiencing at least one cyber incident that compromised the confidentiality, integrity or availability of a network’s data or systems in the last year.
They say that IT security awareness and practices of general staff appear to have improved since 2013. However, many cyber threats now feature well-crafted socially-engineered emails that make it difficult for the user to determine legitimacy, regardless of training. The rise of these threats could be behind the shift in investment moving away from awareness training toward more technical controls in an effort to prevent the user from having to make a judgement call.
The findings also demonstrate that industry organisations are yet to be convinced of the benefits of reporting incidents. Many industry organisations chose not to report incidents as there was no perceived benefit to them.
77% of respondents have cyber security incident response plans in place with 37% of these regularly reviewing it. Industry organisations were asked what other types of IT security policies, plans or procedures they were using.Basic security policies, plans and procedures are being applied by the majority of organisations. For example, 93% have an information security policy, 89% have business continuity/disaster recovery plans, 87% undertake network monitoring and 78% have a backup or archiving policy. While the majority of organisations are using some security policies there are areas for improvement. For example, less than half of respondents have a system security plan in place (44%), and only 51% of organisations have a removable media policy.
Ransonware and malware were the most frequent incidents, but more than 15% were from external unauthorised access, and 10% banking malware.
Australia’s AU$240 million cybersecurity strategy, will focus on closer collaboration with business.
The Australian government will spend hundreds of millions of dollars defending Australia from foreign cyber attacks, and has stated it employs offensive cyber capabilities to deter possible attacks — which could mean employing hackers to disrupt activities overseas.
Technical solutions are important but cultural change will be most effective in mitigating this form of cyber attack.
As businesses and governments we must better educate and empower our employees to use sound practices online. This Strategy seeks to promote an improved institutional cyber culture and raise awareness of cyber practice across government and business to enable all Australians to be secure online.
One thought on “Time To Turn Up The Cyber-security Wick”