If a bunch of crooks in masks were picking their way into your bank vault most days, would you wait another couple of years before considering a new kind of lock?
The threat to our banks from cyber crime intensifies every month. Yet the UK banking sector continues as if firewalls, email scanning and web controls are all that is required.
While the Bank of England (BoE) appeared to have woken up to this menace, with deputy governor John Cunliffe saying future stress tests would include cyber attack scenarios, the problem is that these are only scheduled to take place every other year.
That seems woefully inadequate when cyber criminals, whether state-sponsored or motivated by greed, grudges or ideology, are devising new ways of penetrating bank security every day.
Aside from direct criminal threats, the banks also seem strangely unaware of the juggernaut approaching in the form of the European General Data Protection Regulation, set for enforcement in 2017.
The fact that disclosure of breaches will be mandatory should be worrying bank executives who are only just recovering from the mis-selling and market rigging scandals. Having to announce to the world that a bank’s system has been breached and that customer data, money or corporate information has been stolen will surely incinerate what little trust consumers have in the banking sector.
Besides being publicly trashed, breached banks also face heavy fines of up to two per cent of global turnover, rising to five per cent for particularly shocking examples. And as part of the new regime, banks will have to demonstrate compliance.
Yet how can any bank shut out the hackers when its IT team is only ever searching for ‘known threats’, incapable of spotting the new style of sophisticated and targeted attack just over the horizon?
The vast majority of successful cyber assaults now use email attachments as their vectors, hiding malicious agents inside a small set of common file types such as PDFs, Word, Excel or PowerPoint.
A criminal will use data from publicly accessible documents to ‘case’ a bank before selecting the entry point for their adapted file. Last year these cyber assaults cost UK businesses £36bn, but most still rely on old perimeter technology for security, backed up by signature-based endpoint AV, which is wholly ineffective.
The BoE needs to take as firm a stance here as it has on misbehaviour in the markets, setting a standard for banking communications.
It needs to ensure banks take back control of the cyber crime threats they face, creating a transparent view of the vulnerabilities generated by the free flow of documents which is the lifeblood of business.
As large, cumbersome organisations, banks will never keep up with the cyber criminals. However, if the BoE pushes them into a new way of evaluating where the real security black holes lie – outside the known threats – banks will not only tick the compliance box, but sleep tight at night knowing their reputations and revenues are intact.