Naked Security

Banks confident of their approach to security – but still get hit by hackers

How well does your bank look after your details? The financial institutions are pretty confident they're doing a good job

Banks around the world are pretty confident about their security, it seems – but what is that confidence built on?

According to a report from Accenture outlining the banks’ attitude to their security, 73% of respondents considered that security was embedded in their culture – but on average they had 85 targeted breaches per year, one third of which were successful.

The banks’ confidence is laid bare in some of the statistics. Managers believed that security was achieving genuine business results: 93% said it was protecting customer details, 89% said it protected company information, 78% felt it prevented service disruption and 76% believed it protected the bank’s reputation. And yet the statistic on targeted breaches boils down to at least one successful attack per month.

Also striking is how long it can take to detect a breach. “The length of time taken to detect these security breaches demonstrates that the attackers are spending considerable time inside the organizations,” says the report. “59% of banking respondents admit it takes ‘months’ to detect successful breaches, while another 14% identify them ‘within a year’ or longer.”

Add to that the fact that 48% believed the worst threats come from malicious insiders, and it becomes surprising that managers seem to be so sanguine. Accenture’s answer is for the institutions to assess their security more thoroughly and then go through some simulation exercises – tough internal questioning and a holistic approach.

Banks do fall foul of hackers, as Tesco Bank did in the UK last year. That said, they are not the most vulnerable; the UK government’s Cyber Security Survey 2017 identifies other sectors in the top three: information, communications or utilities (62%), administration or real estate (62%) and professional, scientific or technical services (60%). The difference is that bank data will by definition concern other people’s money the whole time.

Javvad Malik, security advocate at AlienVault, believes it’s to do with banking culture. Banks have had to put many changes in due to security and they’ve had to do it very quickly, he points out:

In doing so though, many legacy processes and disciplines have simply been lifted and shifted into the digital era. While this may work well for some aspects, such as the convenience of online banking – security hasn’t always been modernised accordingly.

This combines with the view of Alex Mathews at Positive Technologies, who fears attacks will increase. He says:

Banks use old reactive information security approaches and out-of-the-box protection that doesn’t work. At the same time, hackers, drawn to easy money, start replicating successful attacks.

It’s perhaps unsurprising that financial institutions, or any repository of money, are going to be a target for hackers at some point. Nor does it come as any surprise that the banks are investing in security. However, that they’re apparently confident of their security might be more of a surprise given what’s revealed in this survey.