Fighting Cybercrime: A United Crusade

The benefits of moving from manual to digital operations are so manifest that such a migration is all but inevitable. Digital processes allow greater efficiency, faster transactions and increased control. Companies adopting digital processes have raced ahead of their less-advanced competitors, forcing laggards to accelerate their implementation of automated processes simply to remain relevant.

Furthermore, digitisation requires security changes: enhanced authentication can ensure that money or data is securely and rapidly delivered to the right person, on time. Yet while it protects banks and corporates from the thieves and attackers they have faced for centuries, digitisation exposes a new threat: cybercrime.

A study published last June by the Washington, DC-based Center for Strategic and International Studies (CSIS) and sponsored by security software group McAfee found that cyber-crime costs the global economy around US$445bn per year. The weakest link in a company’s operation can bring down the entire corporation, and impact its supply chain and bank accounts. An unprotected company is exposed to cyber-threats, which have quickly become the world’s most prevalent crime.

Know your Enemy

Banks and corporates are, of course, accustomed to the threat of fraud and theft – having always been prime targets. So, while this is a new type of threat, banks are well aware of the risks and are as determined as ever to remain secure. The trick to strong security is to know your enemy.

Most threats are intrusion activity and attackers can be both outsiders and insiders. That said, the hardest form of attack to detect – although thankfully the rarest – is from an insider. The ‘insider threat’ generally comes from an individual with access to security or transaction systems – perhaps redirecting funds or sharing confidential data. He/she could be a trusted, valued – and therefore undetected – part of a company or bank. However, banks are implementing behaviour analysis tools to flag anomalies in the network activity of an employee, when it falls outside the scope of their entitlements or access rights. This enables institutions to stop employees from stealing intellectual property or destroying data, since the alerts happen in real time as the employee is engaging in unauthorised activity on the network.

Outside Attacks

Attacking from outside the company, but no less threatening, are attackers such as ‘hacktivists’, who are primarily motivated by a political agenda rather than monetary gain. Hacktivists rally support via social media platforms and provide their supporters with online tools to attack a particular target, such as banking websites. Some aim to gain press attention – meaning that a targeted company or bank is not only vulnerable to monetary loss, but also perhaps to a public relations embarrassment as well as a loss of confidence from their clients.

Then there are cyber terrorists – some of whom compromise systems specifically to launder money. That said, perhaps the most sinister threat of all is the ‘state affiliated threat’ – usually (but not always) from a hostile nation seeking to potentially undermine a rival country’s digital integrity. Having gained entry into a system, these attackers can lie dormant and invisible for many years, perhaps tracking information before disabling systems seemingly out of the blue.

In addition to targeting technology systems directly, outside threats such as ‘hacktivists’ and traditional ‘cyber criminals’ employ security-related social engineering to target victims. This means using techniques such as ‘phishing’ emails to manipulate a victim into downloading malware that can capture sensitive information.

A Cyber-security Fort

Understanding the threat is the first step to neutralising it. So how should corporates protect themselves? By developing a robust cyber-security system and set of processes, corporations can spot and counter the ever-changing threats to their online integrity.

While some technology aspects can be complex, much of the system involves common sense. For instance, perhaps the most critical need is to protect the company from the ‘insider threat’. Yet this is also one of the most logical to deal with. Both companies and banks must be aware of everyone with access to a banking system and other monetary transactions. Personnel changes must immediately trigger corresponding changes in access. Additionally, insisting on multiple levels of approval (with multiple parties) for every transaction can reduce the threat of a rogue employee corrupting systems. For instance, Citi’s web-based banking platform, CitiDirect BE, supports up to nine approval levels before releasing any payment. Having a diverse set of people and systems involved in a high value transaction increases control and reduces the likelihood of fraud.

Transactions themselves also need to be watched. Creating and analysing full reports on all transactions is a must, and the ability to spot anomalies and suspicious activity is invaluable.

Common sense can also be a powerful tool against security-related social engineering. Anyone contacting you claiming to be from a bank and asking for passwords and private information is a potential fraudster. Accepting email invitations and clicking on shortened URLs is unwise, while giving out sensitive information to anyone unknown – and sometimes even those who are known – can be dangerous.

Certainly, companies must train employees on what to do when called by someone claiming to be a bank representative requesting sensitive information. As the threats develop, it is important to provide annual training to refresh everyone’s knowledge on the top trends.

IT Discipline

While cyber threats are indeed intimidating, in reality most cyber security comes down to discipline and vigilance by IT and end-users – the neglect of which is, frankly, reckless.

Using anti-virus software and regularly updating browsers and systems are simple, preventative measures. This extends to any personal devices that employees could use to access company platforms or execute transactions. Using an unprotected device to access business platforms, even just once, essentially invites a cyber-criminal through an open door. So discipline, in this sense, means taking an extended interest in the gadgets that log in to your network, ensuring they are as up to date with the latest virus/malware protection as any office PC or laptop.

Pillars of Defence

In addition to being proactive in dealing with cyber-crime threats, there is also a need to be reactive. Acting quickly against cyber-crime is essential. Citi’s strategy includes the use of the ‘cyber kill chain’ methodology, enabling the bank to tag information that it collects so it can identify an attack in the earliest stages – when an attacker is trying to discover a vulnerable spot in a particular system. By identifying and countering an attack early, it is possible not only to identify the threat before it fully develops, but also to use the information gained to spot future threats.

With threats coming from so many angles, a security system requires a multi-layered response to counter both the internal and external threats simultaneously. As such, and over many years, the bank has developed a three-pillared approach to digital security. This is a holistic solution that focuses on what the attacker is targeting and also details what processes and technology shields can be adopted.

Channel protection, the first of the three pillars, blocks an attacker’s entry to a platform such as Citi’s CitiDirect BE or CitiConnect channels. Partly, this can be controlled through insisting on strong log-in credentials for authentication. The bank often uses ‘challenge’ and/or ‘response’ tokens, as well as digital certificates. Secondly, all data exchanged with clients must also be protected with robust encryption tools in case attackers try to read information while it is being transferred from their system to the bank. Finally, and perhaps most importantly, any abnormal log-in behaviour or activity must be detected, investigated immediately and minimised.

Many attackers are more focused on the transactions themselves, of course. As such, the second pillar encourages both companies and banks to be vigilant about payment outliers. Any outliers, often detected through behaviour-based blocking capabilities, must require a diligent review of communication and transaction data. Citi’s Payment Risk Manager helps identify outliers, for instance, while CitiDirect BE reports can be reviewed for alerts for certain events.

Thirdly, attackers often focus on higher value, and usually confidential, data. Data privacy is therefore the final pillar – utilising the bank’s data privacy policy and data governance function. A strong focus on entitlements ensures that only the correct person is allowed to view information, which is periodically reviewed and updated. Maintaining multiple layers for security is key – backing up all data at different sites, while using a variety of systems in order to protect data and ensure its accuracy and reliability.

Figure 1: Digital Channels Have Brought Better Control. Source: Citi

Innovation Spotlight

While Citi has a robust response when attacked, cyber-crime is constantly evolving as current attacks become known and dealt with. As such, the bank works proactively with industry leaders on innovative approaches to reduce the threat of cyber-attacks, which focus on improving both security and the client experience.

One example illustrates the point. The explosion of single-purpose credentials per application, such as security tokens, has benefits and risks. These single-purpose credentials require end-user vigilance to protect against loss and may create user frustration when interacting with multiple banks.

Citi pioneered a proof of concept with Microsoft Treasury utilising Microsoft’s Azure-based next generation identity technology. Microsoft already issues very secure identities to its employees with digital certificates. Leveraging those smart IDs, the bank and Microsoft tested access to Microsoft’s bank accounts via CitiDirect BE as a way to enhance both security and the user experience.

A spokesperson at Microsoft describes how the treasury team was often either worried about the threat of cyber-attack, or inconvenienced by the need to carry around bags of security tokens for every bank – both distractions from core operations. The need to conduct business easily without concerns about work being stolen is an imperative. This partnership of joint research and development activity shows promise for a future system that increases security and usability.

Strength in Numbers

So security is about more than simply protection; it allows companies the freedom to operate without fear. While sophisticated security systems and due diligence will help protect against cybercrime, the one key weapon that will keep defences at maximum strength is collaboration.

As the Microsoft-Citi partnership illustrates, cyber security is easier when banks and corporates work together to protect the end-to-end security of bank-corporate interactions. Sharing knowledge of anomalies or updates, or even of attackers’ activities, makes every party stronger. What’s more, conversations between parties enable a bank to ensure that solutions created for a particular corporate can be adapted to the specific threats faced. It enables solutions to be produced more quickly and with fewer flaws.

Collaboration is a trend very much underway. In fact, information sharing is probably more advanced in the digital security space than any other sector. Real-time, highly detailed analysis enables banks and companies to detect patterns and stay at least one step ahead of attackers.

What’s more, this collaboration is taking place on an international level – attacking a global threat through combining the capabilities of companies and banks across the world. The Information Sharing and Analysis Centres (ISACs), for instance, share information not only internationally, but also across sectors. They understand that attackers are not necessarily that picky, so an attacker targeting one company in a certain sector can easily pivot to focus on another company or sector entirely.

Cybercrime is a very real – and a potentially very debilitating – threat. Alone, companies are vulnerable. Yet by working together, both banks and companies can help defeat today’s cybercrime – and be ready and able to defeat criminals again tomorrow.

Figure 2: The Power of the Network. Source: Citi
