Cybercrime has soared during the pandemic – not least because, with many employees working from home, banks and their customers have become more vulnerable to attacks. Yuval Illuz, group CISO of Standard Chartered Bank, tells Abi Millar how banks can defend themselves against the new and rapidly evolving risks.
Over the course of the past year, we have seen an unprecedented shift in working practices. Remote working, previously a minority pursuit, became the norm almost overnight, with the majority of white-collar workers now working from home.
Much ink has been spilled over the benefits and drawbacks of this shift – and whether you’re loving your home office set-up or itching to get back to physical meetings really comes down to personal preference. However, remote working comes with one inarguable disadvantage for organisations, namely the increased risk of cyberattacks.
“In June last year, about 70% of our 85,000 staff across the world were working from home,” says Yuval Illuz, group CISO of Standard Chartered Bank. “This means we are more digitally connected than before. As a result, we now have a much larger and complex attack surface – where employees operate in different locations, from different networks or outside of the organisation’s perimeter and on both corporate and personal devices.”
Simply put, remote working creates all kinds of security weaknesses that opportunists can exploit. Home devices may be more vulnerable to malware, secure file sharing isn’t always secure enough, and home users may engage in riskier behaviour (including sharing devices with family members) than they would in the office.
On top of that, individuals are spending longer on their devices than they did pre-pandemic, and more customers have migrated to online banking, which poses new risks for the unwary. The pandemic itself, as an emotive subject, has also created opportunities for malicious actors.
“Cyber threat actors are capitalising on the sentiments arising from the pandemic by disguising as legitimate Covid-19 related emails or applications,” says Illuz. “They are tricking individuals into disclosing their personal information and credentials, which allows them to gain unauthorised access to networks, or to make financial gains.”
A key example is vaccine-related phishing campaigns, in which scammers send a text or email inviting the recipient to get their vaccine. One such message, purporting to be from the NHS, asks the recipient to click on a link, before asking them for their bank card details.
It’s a perfect storm of factors that has led to a drastic rise in cybercrime. According to research by McAfee, cybercrime costs are expected to top $1tn for the first time in 2020, a 50% rise on 2018 and more than 1% of global GDP. Other research, from VMware Carbon Black, found a 238% increase in cyberattacks between February and April 2020, along with a ninefold increase in ransomware attacks. What’s more, the sophistication of these attacks has increased since the start of the pandemic.
“Cyber threat actors are increasingly opportunistic in leveraging emails, instant messaging platforms, short message services and websites to support their malicious activities and reach end-users and businesses,” says Illuz. “Some cyber-criminal groups have also moved their infrastructure to the cloud to hide among legitimate services. They are taking advantage of organisations’ and people’s propensity to do good during times of crisis to encourage them to make mistakes.”
We might think of coronavirus charity scams, in which bad actors pose as a charity or person in need, in order to solicit donations.
He adds that organisations have become more susceptible to polymorphic phishing attacks, in which the bad actor modifies the phishing email slightly to evade detection by automated network security measures. These phishing emails sometimes slip through to end-users and the likelihood of compromise is higher.
During the first wave of the pandemic, Google said its systems detected 18 million malware and phishing Gmail messages a day, plus 240 million spam messages, directly relating to the pandemic. It also flagged up ‘more than a dozen’ attacker groups backed by governments, which were using Covid-related themes as bait.
“From January to April 2020, our Cyber Defence Centre noted a significant increase in cyber security incident reports – the lion’s share of those were suspected phishing incidents, of which some were confirmed Covid-19 themed phishing emails,” says Illuz.
So what can financial institutions do to defend themselves and their customers against these new cybersecurity risks? It is clear they are taking the threat seriously, with many ramping up investment in this field. According to a study by Deloitte, financial institutions spent an average of $2,700 per employee on cybersecurity in 2020, up from $2,300 in 2019.
In November, Lloyds Banking Group announced it had introduced a £500m technology project to enhance protection against hackers. Through improving its two-step verification process and providing branch staff with the latest technologies, the British lender hopes to make it harder for malicious actors to hack customers’ bank accounts.
NatWest has partnered with two companies, Featurespace and Malwarebytes, to protect its customers against fraud. Featurespace is a provider of enterprise financial crime prevention software, while Malwarebytes’s offers advanced cybersecurity solutions for online banking.
Standard Chartered has invested in a startup called Secret Double Octopus, which provides multifactor authentication without passwords. It has been using tools like machine learning to enable better screening of suspicious activity, and has increased its virtual private network (VPN) capacity by 600%.
“The Bank aims to look at the business from a ‘threat-led’ lens to reduce the impact of new and increasing cyber threats,” says Illuz. “We do this by identifying critical assets and sensitive data; determining the value cyber-criminals could gain; exploring how these assets and data are currently stored and accessed; and pinpointing potential weaknesses and implementing resolution plans.”
This said, he thinks technology and processes are just one piece of the puzzle – while a predictable world can be effectively mastered with algorithms, a messy world requires human input.
“Even the most stringent of plans are only as effective as the resilience of our first line of defence – our employees,” he says. “We continuously strengthen our ‘human firewall’ through training and awareness. We have also steadily increased our communications with our clients to keep them abreast and allow them to stay vigilant against the fast-evolving cyber threat landscape.”
The so-called ‘human firewall’ – a group of employees coming together to follow best practices – has been a point of weakness for many organisations during Covid. To fix this problem, many banks are training a broader base of employees than they did pre-pandemic, with a greater emphasis on the cyber threats associated with working remotely.
“With a significant number of our people working from home, we now communicate and collaborate online more than ever,” says Illuz. “Therefore, we need to work harder to ensure the tools used meet the stringent security standards. Continuous upskilling and reskilling of our talent to bridge the cyber security talent gap will continue to be a priority as we focus on enhancing our human wall against cyber threats.”
Aside from these very practical, day-to-day concerns, he thinks Covid-19 has occasioned a larger shift in the way we look at cybersecurity. The emphasis is moving away from preventative ways of managing risk (i.e., preparing for an incident before it occurs) and towards reactive ways of managing risk (i.e. adapting very quickly to what has happened).
“2020 has taught us that the path to an overall stronger cybersecurity is agility,” he says. “This means having a more flexible cybersecurity architecture, helping our technology teams easily deploy the appropriate network controls. It also means investing in operational resilience as we grow trust and loyalty with our clients. And it means implementing a multi-cloud strategy, which enables us to better withstand the next threat to business continuity and prepare for the multiplicity of unknowns we faced all of last year.”
He thinks we are moving towards a zero-trust model, in which organisations are viewed less as a single entity and more as a whole ecosystem of different parties (including partners, cloud service providers etc). Zero trust is how it sounds – a security concept predicated on the belief that you should not trust anything inside or outside your organisation. All users must be verified before access is granted.
“The same applies for solutions we implement, or apps we write – the zero-trust model will need to be embedded from the start,” says Illuz. “The challenge in doing this is how we keep our clients at the heart of it all – balancing a user-friendly experience with the complex requirements of enhanced security practices.”
While we have no way of anticipating what lies beyond the pandemic, it would be safe to assume today’s cybersecurity risks aren’t going to fade away in line with the virus. Threats will continue to evolve to evade detection, and the overall cyberrisk landscape will remain dynamic and dazzlingly complex.
Banks, then, will need to be vigilant if they want to quash tomorrow’s threats. They will also need to embrace this new reality as it is, rather than harking back to outmoded models of defence.
“A survival mindset views disruptions as point-in-time crises to be addressed with the expectation that the organization will revert to business as usual once the crises are over,” says Illuz. “To be future fit, we need to adopt a thrive mindset that recognises that disruption is continuous rather than episodic, and embraces disruption as a catalyst to drive the organisation forward.”
This article appears in the Summer 2021 edition of Future Banking
Journalist portfolio 