What’s the biggest risk to the security of the financial services sector? Is it the threat of cyber-attack by unscrupulous hackers? Well – yes and no. Obviously financial institutions are at risk from hackers and are therefore taking the necessary steps to minimise the risks they are exposed to, but according to Brian Lord, a former deputy director for intelligence and cyber operations at GCHQ, the biggest threat actually comes from the nature and scale of the information which is being stored. How can that be the case? Well, according to Mr Lord, the accumulated global database of bank customer information, which was meant to protect banks from risk and insulate financial institutions from cyber-threat, has actually only made the financial services sector a much more tempting target for cyber criminals, as all the information they could ever wish to gather is stored conveniently under just one roof.
So what exactly is this global database Mr Lord is referring to? Well, some time back the world’s biggest banks started to collaborate on a massive repository of customer information, known as Clarient Global. The database, which is majority-owned by the New York-based Depository and Clearing Trust Corporation, and supported by shareholders from Barclays, JP Morgan and Goldman Sachs amongst others, was created primarily in response to a series of fines that were levied on big banks for failing to spot transactions with suspicious entities. The idea behind the database was that if data could be shared between financial institutions then banks were more likely to avoid doing business with sanctioned companies and organisations.
The problem, unfortunately, according to Brian Lord, is that by storing all this information in just the one place, the banks have created a huge security risk. Mr Lord, now managing director at cyber-warfare experts PGI, believes that the sheer volume and quality of information concentrated in just one place make it the most attractive target for nation states and hackers seeking to disrupt the financial system. He told the Telegraph newspaper:
“What this proposal appears to be doing is putting all that data in one repository, and this makes the value to a hostile actor significantly more than the sum of its parts,” he said.
“Because the accumulative value of this data is so large it would attack state interest, it is going to be valuable to the highest possible level of sophisticated actor.”
Financial institutions have been increasingly targeted by cyber-criminals and have therefore spent considerable sums of money beefing up their security systems. However, Mr Lord believes that regardless of how effective these security systems may be, the number of banks involved in Clarient Global would make it vulnerable:
“Regardless of how good your technology is, one of the greatest vulnerabilities is the human being and the user, and what you’re doing here is creating a number of users, each of which has their own culture and modus operandi,” he said. “You’re putting them on to the same system and expecting them to use it the same way.”
He also believes that because of the number of bank systems in place, security upgrades will be complex and slow to implement, and that means they will be vulnerable to new forms of attack:
“The number of times you can do security upgrades is limited because there’s such a level of complexity,” Mr Lord said. “[The speed at which hackers find new ways to attack] will invariably exceed the ability to upgrade the security and the abilities of humans.”
Cyber security is an issue that affects all businesses, not just large financial institutions. If you are concerned about the escalating security challenges and risk management issues facing your business today and would like to take precautions, then why not speak to Krypsys? Krypsys’ services are focused on helping your business assess its security posture against current and evolving security threats and educating you on the risks to which you are exposed. We have a wealth of experience in security projects in both the public and private sectors and have worked with organisations to protect high value information assets such as trading platforms, e-commerce systems, data-centres and cloud services. We also work with leading IT security vendors and specialist consultancies to close the gaps in your own IT security strategy and to assist in streamlining and prioritising your risk management spending.
Whether you’re looking for help with penetration testing and security reviews, or are looking for advice on security compliance and web security solutions, Krypsys can help you. For more information on web security solutions from Barracuda Networks, Check Point, AlienVault and Netwrix, please contact Krypsys on 0845 474 3031.