Bankers in North America and the UK are more concerned about cybercrime than the economy, according to new research from PricewaterhouseCoopers.
The consultancy interviewed over 670 bankers, regulators and observers in more than 50 countries to understand the risk outlook for the industry in the last quarter of 2015.
The resulting Banking Banana Skins 2015 report showed that although fear of economic failure was the top concern globally, criminality—driven by cybercrime—came in second. What’s more, the latter was the top concern of bankers in America and the UK.
The report stated:
“Many respondents worried that banks have little power to prevent attacks because cybercrime comes in many different guises, from opportunistic hackers holding private data hostage, to organised criminals pilfering funds through digital channels, to states using espionage to steal banks’ intellectual property.
Banks’ under-investment in their ‘creaking technology systems’ means they are on the back foot while criminals become more numerous, sophisticated and audacious.”
Several experts quoted in the report expressed fears that a well-targeted attack could paralyze key activities like inter-bank transfers, or even bring down a financial institution altogether.
Even as banks improve their cyber defenses, clued-up cybercriminals will be able to go after the weakest links—a strategy made easier because so many new players are joining the system every year, the report claimed.
According to Verizon’s Data Breach Investigations Report, over 60% of attacks against financial institutions last year followed three patterns: disruptive DDoS; malware and phishing designed to steal data and passwords en route to monetary theft; and web app attacks exploiting vulnerabilities or using stolen credentials to steal data.
David Flower, European managing director of security firm Bit9 + Carbon Black, argued that if a bank has been targeted, a determined hacker will always get in eventually.
“One of the problems banks face is that they are very network focused, when endpoints are increasingly the target,” he added.
“Take JPMorgan Stanley, for example. In that breach, it was an employee device that was attacked, which was then used as a jumping off point to infect the rest of the network and exfiltrate data.”
The vast majority of incidents currently go unreported, although that will change when the NIS Directive mandates breach notifications in Europe, Flower said.