The Security Holes Investment Firms Are Ignoring

When we look back at 2013, we may call it The Year of the Hack Attack. The numbers are staggering. According to Keynote Systems, a firm that measures websites’ response times, the websites of U.S. banks were down a record 249 hours in six weeks in February and March. And with faster networks, cloud computing and Big Data breaches, no financial services firm is safe from these online predators.

We spoke with Nik Whitfield of Detica CyberReveal, BAE Systems Detica, to find out what CIOs and their IT staffers need to do to stop these online attacks.

What new types of security threats are banks / investment firms unaware of or are ignoring?

Nik Whitfield: A financial firm in the 21st century faces a myriad of threats, and is more exposed than ever to would-be assailants. These can come from the outside - including nation states trying to get a view on M&A activity, OCGs seeking to directly defraud the bank, hacktivists seeking to disrupt operations - or from in the inside - like employees or contractors seeking to illegally take the firm's proprietary information.

What can they do to shore up their systems? Routine tests? Hire a hacker who knows where to break in? Run hack drills?

Whitfield: Cyber security is a multi-faceted discipline which, when done well, incorporates a variety of complementary techniques. A modern security operation in a major financial institution should include threat intelligence to identify new attackers and their modus operandi, an advanced analytics function to look for the telltale signs of these new m.o.s. hitting the bank, a strong set of policies and controls to lock down the IT estate and a 24/7 investigation and response group to quickly identify and counter threats.

More than ever we recommend putting in place a comprehensive monitoring operation. This allows a security leader to generate the evidence needed to persuade the firm to adopt the controls and policies which will better protect them from cyber-related risks.

Where are these threats coming from - inside the firm from a disgruntled employee? Phishers? Rogue nations? Which one of these is the biggest threat?

Whitfield: We mustn't confuse attackers and their motivations with attack techniques. A whole variety of threat actors might use phishing techniques to achieve their aim, but this is a tool, not a motivation. If an attacker can use commercially available malware to achieve their end game, then why spend time and effort creating something bespoke? We see this confusion regularly, even in relatively mature security operation. A business risk is related to the business case or objective of the attacker, not the technique they employ to achieve it. The key to disrupting the attacker is the disruption of their business case.

What's the biggest vulnerability in the firm? The BYOD tablets that might get stolen? Networks and dark pools? Offsite or third-party network connectivity providers? Outsourcing firms?

Whitfield: As with physical security, your biggest vulnerability can be your biggest asset - people. A motivated, observant and knowledgeable workforce will use corporate information judiciously, detect and report unusual activity and protect the interests of the firm. In the case of a poorly educated and security myopic workforce, well, you're going to have more problems.

Regarding technology, the attack surface is growing and the variety of threats are increasing. Security operations have been scrambling to keep up with attackers, but a step change in philosophy is required if firms are to protect their assets and operations in the future. Firms must stop benchmarking their security posture to their peers, and start doing so to their attackers.

Phil Albinus is the former editor-in-chief of Advanced Trading. He has nearly two decades of journalism experience and has been covering financial technology and regulation for nine years. Before joining Advanced Trading, he served as editor of Waters, a monthly trade journal ... View Full Bio