Ageing or poorly designed IT infrastructure and lack of effective cyber-security solutions are leaving banks and corporates exposed to systems failures and hackers.
Consumers and businesses globally have had to contend with many instances of their banks suffering IT failures in recent years. Indeed, according to a recent study by Which? Money, UK banks alone are hit daily by IT failures halting payments.
The Which? study is the most comprehensive probe into IT failures across UK banks since the FCA last April ruled banks must report any major operational or security incident that prevented their customers using payment services.
Which? Money, owned by the largest independent consumer organisation in the UK, found that there were 302 incidents that prevented customers from making payments in the last nine months of 2018. Its study also notes that six of the UK’s biggest banks had at least one failure every two weeks.
Andy Barratt, UK Managing Director at international cyber-security specialist Coalfire, believes over-reliance on legacy infrastructure and outsourcing IT has played a major role in weakening banks’ defences against both internal operational failures and cyberattacks. And contrary to received wisdom, despite the resources they can call on, it is the very size of the major banks, with overly complex IT infrastructures and legacy equipment, that can often make them less secure, he says.
Indeed, a “penetration study” by Coalfire last year involving the use of real-world hacking techniques to test the defences of hundreds of businesses found that large corporates like banks, despite their much bigger budgets, are actually more susceptible to cyber threats than their SME peers.
“The cracks uncovered by that research and other studies are now starting to show very publicly,” says Barratt. He points to the IT meltdown at TSB last year during its attempt to migrate vast amounts of data from its existing IT infrastructure to its new owner, Sabadell, as a case in point. The event resulted in TSB customers being given access to and information about other customers’ accounts. The issue led to over 200,000 complaints and the resignation of TSB’s CEO, and has cost the bank £330m.
Barratt says: “It subsequently became clear that the TSB crisis was caused by insufficient testing in advance of the Sabadell migration to ensure the process would run smoothly. There was also major criticism of the company’s glacial response to the problem – taking too long to inform affected customers and months to fix residual issues.”
While the TSB episode wasn’t caused by malicious intent or outside interference, it exemplifies the challenges a large entity, like a bank, has in managing a huge IT infrastructure: “Whether it’s guarding against external threats or simply ensuring systems are running smoothly, in-house IT teams in these organisations have an awful lot of ground to cover.”
Barratt believes pressure on banks is intensifying as agile fintechs increasingly become the technological benchmark, in terms of both the consumer experience and security. Then there is the added pressure on banks’ IT expertise and infrastructure from initiatives like Open Banking, GDPR and the growing impact of APIs.
“There is the obvious financial and operational damage for banks, indeed any company, that results from an IT failure. But there is the reputational damage as well to consider – customers are becoming more and more sensitive about how their information is handled by businesses as well. Any business will tell you, once a customer loses trust in you, it’s very difficult to get it back.
“GDPR coupled with major incidents like the TSB saga have heightened general awareness of data security issues so consumers are more likely to have them front of mind when deciding who to trust with their money. Considering all of this, the case for putting the management of cyber risk firmly on the bank boardroom agenda has never been stronger.”
Understanding the threat
Barratt says that the size and complexity of banks’ IT infrastructure make it “nigh-on impossible” to cover all the bases in terms of security. That makes it vital for them to fully understand the nature of the threats – internal and external – so that resource can be put to the best possible use.
He explains that from an external perspective there are three main ways cybercrooks look to target banks. The first will typically see a hacker infiltrate an institution, freeze accounts and demand a ransom to unlock them.
Secondly, they could grab large amounts of customer data that they can then either sell on the dark web or use to facilitate further criminal activity.
A smarter, perhaps more sophisticated cybercriminal might take a more surreptitious route, slowly and steadily making off with smaller payments so they are less likely to attract attention. In the case of a large financial institution, this approach could net millions of pounds before it is exposed.
But internal vulnerabilities are just as much of a threat as external actors. “As in all industries, people are one of a bank’s biggest security weaknesses – and this risk is amplified as the size of the workforce increases.
“It’s essential to train staff on the vital importance of using strong passwords and knowing how to spot common phishing attacks – where hackers pose as a trusted contact to dishonestly obtain sensitive information like usernames and passwords.”
Barratt warns cyber risk is most likely to rear its head during a significant transition or major project – as was the case with TSB – and the threats listed above all need to be factored into planning a large-scale operation. But doing that effectively is often hampered by a deeper issue found in some large corporates: culture.
He explains: “It’s important to foster a positive, open culture where staff feel comfortable that they can raise issues with the board without attracting blame. Environments where flagging an issue is viewed negatively lead to potential problems being swept under the rug. This means leadership teams are often making decisions and green-lighting projects without being aware of potential risks that have been hidden from them by desperate-to-impress employees.
“Creating an environment where colleagues are confident in elevating issues to management means they can be tackled at the root – before they manifest as an often very public crisis.”
“Ultimately, banks must incorporate a suite of strategies that include more progressive ways of thinking alongside operational and technological solutions in order to reduce their exposure to IT threats. It’s only by applying this kind of joined-up approach that they can respond to the rapidly evolving threat to their operations and future-proof their brands against disruptive new competitors.”
Hackers eye corporate treasurers
Corporates, too, are increasingly being targeted by hackers, especially their treasurers, due to their access to sensitive data including cash flow forecasts, borrowing figures and business liquidity information. They may also be in charge of financial risk management via hedging and maintaining bank accounts and debt positions.
Barratt says another key reason hackers are targeting corporate treasurers is that they are tasked with making 24/7 investment decisions and as such often don’t face the same restrictions that are imposed on other areas of the business: “They may have license to move substantial financial sums around – at any time of the day or night – in order to manage interests in foreign markets. It’s this operational freedom that makes corporate treasurers particularly attractive to cybercriminals.
“One way hackers might seek to gain access to a business’s accounts is through phishing exercises, posing as a trustworthy entity – usually via email – to obtain sensitive information such as usernames and passwords. If a corporate treasurer fell into such a trap, the cybercriminal would be able to operate with a worrying amount of freedom without raising the alarm. The financial rewards of this kind of heist could be particularly lucrative.”
However, says Barratt, it’s not just malicious interference that presents a problem for corporate treasurers, as failures in IT infrastructure can also prevent them from being able to effectively do their job. “A technical issue will be no excuse for missing an interest payment, and not being able to react to currency exposures could have a significant impact on a business.”