Banks are increasingly falling victim to bank robbery 4.0
Omni-channel banking, cashless payments, and robo-advisors – more and more data is flowing through a growing number of computer-operated conduits and interfaces. At the same time, “virtual bank robberies” and associated attacks on IT systems are becoming more and more professional – some even enjoy the support of actors close to governments. The threat of cyber attacks is growing rapidly. As a repository of confidential customer data, payment instructions and financial-market transactions, banks are the focus for raiders from across the Internet.
While attacks were once carried out opportunistically and at short notice by amateurish hackers, they are today planned by professional organizations, often months in advance. Banks’ weak points are not exclusively IT systems, but also a combination of organizational and technical facets. Because the haul of a virtual bank robbery can be very high, raids do at times rely on inside information and the participation of a bank’s employees. Given this, it is no longer sufficient only to protect the bank from outside attacks by building a protective wall.
Virtual bank robbers can cause enormous damage
Virtual bank robbers can overcome firewalls and cause enormous damage in just minutes or seconds. In addition to ensuring external protection, banks have to shore up internal structures, processes and systems by combining them. Usually only a few processes are potential targets.
But if these processes are successfully hacked, big losses can quickly occur. Cyber attacks can pose an existential threat to institutions, for example, if transactions are manipulated or customer data made freely available. Yet banks too often still fail to take this danger seriously. They spend more on IT maintenance, adaptation and compliance than on information security.
Too many banking executives place too much trust in their experts and systems. They think their experts have security management under control and that the bank has little chance of falling victim to an attack. But security still often only covers areas like personal safety, business continuity and physical security. The issue of information security still receives comparatively little attention.
Financial service providers often concentrate on eliminating known weak spots. Other known risks are often treated only cursorily – and unknown risks tested for even less. But this attitude is under enormous pressure: supervisory authorities are increasingly raising the issue of information security, and EU regulations are reinforcing this message and threatening sanctions for non-compliance. Concerns about crime are increasing the pressure from banking customers.
Simulating attacks with and learning from Red Teaming
Since the introduction of the TIBER-EU framework in 2018, financial service companies have been able to test their cyber security using so-called "Red Teaming" penetration tests. Instead of conventional theoretical security analyses, external "attackers" carry out the tests. Under real-world conditions and using professional methods, they penetrate bank infrastructure and show to what extent they could damage it. The institution can then draw its own conclusions.
The European Central Bank (ECB) published the Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU) in May 2018. The controlled and tailor-made test procedure is meant to raise the resilience of digital networks in banks and across the entire EU financial sector. Each bank, its supervisory authority and stakeholders decide if and when a TIBER-EU test should take place.
The focus is on gaining knowledge
The Red Team test penetrates critical production systems using real-world tactics, techniques and procedures. It simulates the full force of an attack on critical functions and the underlying systems. When it is over, a Red Team test report gives an overview of the individual attacks and their consequences. For the bank involved, the test is not a question of pass or fail. The point of the exercise is to gain knowledge about strengths and weaknesses. Bank executives and their employees can learn from it and use it to further develop the bank’s cyber-security measures.
Despite obvious challenges and potential investments, the TIBER-EU Framework is recommended for financial service providers. It is a basis for making national and EU-wide cyber security requirements comprehensively transparent. In the era of the “virtual bank robbery”, a bank can use it to examine weak points and the threats of possible attack scenarios, to strengthen its defenses against cyber attacks, and to align strategy, organization, processes and IT more effectively. A bank can also better assess possible damage – and contain it more quickly.