Cybercriminals are the bank robbers of the digital age
By Wim Mijs, Chief Executive Officer of the European Banking Federation
When you are in banking you know that dealing with criminals is part of the job. Because banks have always been a popular target and we all know why: because this is where the money is. However, most of our money is not any longer behind thick walls or vaults. As money is becoming virtual, it sits behind a button, moves around through fibre cables and is stored in data centres. Accordingly, the modern bank robber no longer needs a mask or weapon. He now hides behind a computer screen and his bullets have become evil bytes. When it comes to banks, cybercriminals are the bank robbers of the digital age. It is clear that the need for cybersecurity cannot be ignored.
The digital revolution has brought many opportunities for the banking sector and its customers but also new risks to consider. From the onset of the first online banking services, banks have been at the forefront in the fight against cybercrime. Fortunately, banks are not alone in this fight; cybersecurity now has become a pressing issue on the political agenda in Europe, but also in the rest of the world. Mid-September the European Commission published its Cybersecurity Package outlining important proposals to build a more cyber resilient EU.
October is also the European Cybersecurity Month, a month full of projects and events initiated by Europe’s Agency for Network and Information Security (ENISA). As a close partner of ENISA, the European Banking Federation organised, on 10 October, the second annual Cybersecurity Conference “Managing Risk. Deploying Awareness”, which turned out a great success with many attendees. One of the main goals of the conference was to show the state of play of cybersecurity in the financial industry and to discuss how banks, central banks and different authorities (government, regulators, law enforcement) are working together on different dimensions. The success of this event confirmed the fact that cybersecurity in banking has become an extremely relevant topic for all.
Challenges for banks
Traditional crime is not new for the banking sector. Cybercrime, however, is more complex. Attacks take place on all fronts, often in an incredibly well-organised way. Cybercriminals are extremely smart and creative people and have a wide arsenal to attack: malware, ransomware, DDoS attacks, phishing, social engineering, trojan viruses and can even make ATMs generate money at will. This is all real and it is becoming more sophisticated every day. But more importantly, let’s be aware that cybercrime has no borders and this makes it an issue of global relevance. The recent WannaCry attack affected thousands of computers in more than 150 countries.
We see that throughout Europe many banks have their own cybersecurity practices. Some countries, such as the Netherlands and the United Kingdom have disaster exercises in place or national cybersecurity agencies to turn to. Partnerships between law enforcement and the financial sector have led to several operational successes in many countries in terms of prevention, intervention and prosecution of cybercriminals. But this is not the case in all countries.
“Coordinated action starts with
sharing information, getting
everyone informed at the same
time with expertise, statistical
data or even specific details on
attack methods. ”
Sharing the knowledge industry-wide
Coordinated action starts with sharing information, getting everyone informed at the same time with expertise, statistical data or even specific details on attack methods. You can learn from each other’s experiences and make faster decisions. We promote industry initiatives to create cyber intelligence sharing platforms, while working closely with Europol’s cybercrime centre (EC3) to facilitate communication with the sector. Evidently, the quicker an organization can share information on a cyber threat, the more other organisations can protect their systems better and quicker. However, sharing of cyber threat intelligence between the industry, law enforcement agencies and other stakeholders often comes across legislative obstacles mainly related to the kind of data that may or may not be shared. Trust is an important component that needs to be created. We cannot legislate trust, only build it, and we must do that together.
Report those incidents!
We believe there is a need for a common reporting taxonomy and to this end the EBF facilitates the exchange of information and practices between its members and maintains a dialogue with supervisory and regulatory bodies in the EU. The European regulatory frameworks and various national legislations have introduced reporting requirements of cyber incidents by banks. At first sight, this is a positive development but it also has created a complex reporting grid where a bank must report an incident to national and European authorities, in different timeframes and with heterogeneous data. That is why we need a consistent and harmonised legal framework across all jurisdictions and different regulating entities in Europe.
“Almost half of the European
population lacks basic digital
skills, which are necessary to
protect ourselves once we go
Humans are the weakest link
In most cases, the weak link in the prevention of a cyberattack are humans. Almost half of the European population lacks basic digital skills, which are necessary to protect ourselves once we go online. Small mistakes can have consequences; not using the same password for multiple accounts and downloading software updates are only two very common examples of simple safeguards that we ignore and thus make us all vulnerable. Creating awareness is the answer to tackle this problem. We want to enhance digital skills of existing and future customers and employees; hence we promote and create awareness-raising campaigns, notably with the EC3 and its campaigns on money muling, ransomware and malware. Also, we have become a member of the Digital Skills & Jobs Coalition of the European Commission and we are already working to add digital literacy to our financial education initiatives, during the European Money Week.
What is next for banks?
Three years ago, we saw the need to join forces on a European level and believed it was time for organisations and countries to work more closely together. In all our work at the European Banking Federation, we stress out the need for cross-border collaboration. That is why we signed an MoU with European law enforcement agency Europol and work closely with its cybercrime unit EC3 but also with ENISA, FS ISAC and other actors in the cybersecurity field. And we see the positive results of these kind of partnerships. Therefore, we must aim for more Private-Public Partnerships (PPPs) in all countries. The insights from the private sector can benefit other industries and governments. Best practices in banking can be used for all the stages of creation, implementation, evaluation and review of cybersecurity frameworks.
The next cyberattack is probably already on its way. But if we keep raising awareness and involve all stakeholders, with the right security tools, rules and governance in place, the industry can be prepared.
This article was originally published in the InforBanca Magazine.
You can find the full document below: