Developments in cybercrime and cybersecurity

Transcription

1 Developments in cybercrime and cybersecurity

2 Developments in cybercrime and cybersecurity As customers and clients increasingly go online to do their banking with convenience, privacy and security their main demands banks and other financial institutions are simultaneously facing an inexorable rise in cyberattacks. To respond to the growing threat to client, customer and employee information and to stay one step ahead of cybercriminals we at Barclays are investing in, and implementing, a raft of innovative measures, led by Troels Oerting, our Group Chief Information Security Officer. Most importantly, we are taking an inclusive approach that fosters cooperation with other financial institutions, as well as law enforcement agencies. Clients and customers shape the future of banking The figures are telling: with 3.17 billion active internet users out of a global population of 7.35 billion, 1 the world is moving online. It is a trend that is also being reflected in the way that banks and other financial institutions offer their services and we are no exception. 48 million The number of customers and clients we have worldwide. Operating in over 50 countries, we have 132,000 employees moving, lending, protecting and investing money for 48 million customers and clients worldwide. An increasing number of these are demanding an online service that offers privacy, security and convenience. Mobile banking in particular is a rapidly accelerating trend, not only here at Barclays, but right across financial services. There are currently 3.7 billion unique mobile users worldwide, and this figure is set to grow to 4.5 billion in the next few years. 2 And while all of this means new markets and opportunities for banks and other financial institutions, it also means greater scope for cybercrime. Cybercrime: a new game with different rules Cybercrime differs from traditional crime in several key respects. One of these is sheer scale: in the online world, crime is offered much like any other service the opportunity is there for anyone to engage in criminal activity on the web. 227,520 The number of cyberattacks per day. Similarly, the volume of cyberattacks is staggering: malware is proliferating at a rate of 158 new instances per minute 3 that s 227,520 every day so just keeping up is a full-time job. Meanwhile, unlike in the physical world, there is no geographical proximity between crime and perpetrator in the cyberworld. National borders and measures are no longer relevant, and cybercriminals leave little trace behind them. 2 of 5

3 Our response: protect, enable and innovate At Barclays, we are responding to the threat in three ways: protecting information wherever it is stored; enabling the development of the best possible products for the privacy, security and convenience of our customers and clients; and innovating to take security to the next level, rather than just providing more of the same. Innovation is, in turn, based on dialogue: listening to industry participants to understand their business models and their future requirements. We also set priorities according to the different types of threat and their potential impact. These range from mainstream attacks, such as Trojans, vishing and invoice fraud, to advanced persistent threats (APTs) and attacks by insiders. Different types of threat and their potential impact Trojans are viruses that enter a computer with other software. They can capture keystrokes and take screenshots, posing a threat to the customers who are logging into a financial institution s website or mobile app. Vishing takes the form of a phone call from a fraudster who claims to be a representative of a particular bank with the aim of obtaining information from customer or client. Threat, priority, impact With invoice fraud, a company receives a fake bill for goods and services that haven t been ordered or received. APTs, meanwhile, include the identity theft of LinkedIn users by criminals masquerading as headhunters. A cyberattack by an insider an employee of an organisation who has a grievance, or is being blackmailed, for instance poses possibly the greatest threat of all in terms of impact and opportunity. Severity of the impact Low High Impact Probability Insider Data breaches, APTs, wipes (big financial losses) Reputation Damage Sophistication Mainstream attacks High Trojans, bots etc. Low Number of attacks 3 of 5

4 Law enforcement: a whole new game Troels Oerting is Group Chief Information Security Officer at Barclays. He has 35 years previous experience in law enforcement, with positions in Danish and international police organisations focusing on ICT, including heading up Europol s Counter Terrorism and Financial Intelligence Centre. According to Oerting, law enforcement is now a whole new game, with different rules. The traditional role of the state in crime prevention and reduction is based on the three Ps : protect, prevent and prosecute. But with organised crime moving from the physical world to the deep web the 96% of the internet not visible or publicly accessible via search engines prosecution is almost out of the question. We have a responsibility to protect the privacy of our customers, clients and employees. At Barclays, we work closely with law enforcement agencies. But we also recognise like other financial institutions that we cannot rely on the authorities alone to combat cybercrime. As the owner of huge data libraries, we have a responsibility to protect the privacy of our customers, clients and employees a responsibility we take very seriously. We therefore implement targeted measures to identify adversaries, find out what their intentions are, and establish which tools they use to achieve their aims. We also examine and remedy our own vulnerabilities. To this end, we group assets into different categories, such as corporate data, employee HR files and personal financial information a process known as asset mapping. And, finally, we constantly review the controls we have in place. These include maintaining up-to-date antivirus software, proxies, boundary defence and attack monitoring. Keeping one step ahead of cybercrime For financial institutions, cybersecurity is not only about responding to current threats. It is also about staying one step ahead of cybercriminals. We at Barclays are therefore investing in the future of cybersecurity in a number of ways. For instance, we are running Cyber Academies, offering specialist qualifications for the next generation of cybersecurity experts. Additionally, under the FinTechfocused Accelerator programme, we mentor the founders of security companies in their start-up phase. We want to spearhead innovation, says Oerting. For instance, we think that blockchain can do a lot for the safety of our information. We just need to find a way to use it. What is blockchain? Blockchain is the technology underlying the bitcoin cryptocurrency. It is now being used to build better cryptocurrencies, taking bitcoin s initial concept and adding key features such as KYC, reversibility/refunds, real-time transfers and, crucially, improved security. Most important of all, however, is the need for cooperation among industry participants. This is happening to some extent, but still not enough, according to Troels Oerting: Cooperation is based on trust and we are trying to build this trust through coalitions and alliances. Not just with financial institutions but with police authorities worldwide. We are a very inclusive bank, and more than happy to help when it comes to safety and security. 4 of 5

5 Key takeaways The future of banking is online, with financial institutions customers and clients demanding convenience, privacy and security The impact and scale of cybercrime means that it cannot be tackled solely through traditional law enforcement methods At Barclays, our response is based on measures to protect our employees, customers and clients, and to enable the development of cutting-edge cybersecurity products Our investments in future cybersecurity developments include the Barclays Accelerator programme and Barclays Cyber Academies. barclays.com/corporatebanking Every attempt has been made to ensure that the information provided is accurate. However, neither Barclays Bank PLC ( Barclays ) nor any of its employees makes any representation or warranty (express or implied) in relation to the accuracy, reliability or completeness of any information or assumptions on which this document may be based and cannot be held responsible for any errors. No liability is accepted by Barclays (or any of its affiliates) for any loss (whether direct or indirect) arising from the use of the information provided. Barclays is a trading name of Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No ). Registered in England. Registered number is with registered office at 1 Churchill Place, London E14 5HP. November of 5