We recently invited five panelists to join our Executive Roundtable Series event on cybersecurity and fraud. The discussion topics ranged from what motivates today’s hackers to biometrics and how COVID-19 has made digital security even more difficult. The panelists were Tommy Nicholas, CEO and co-founder of Alloy; Chris McCurdy, worldwide vice president and general manager at IBM Security; Cathy Ross, president and co-founder of Fraud.net; and Kevin Gosschalk, CEO and founder of Arkose Labs.
Cybersecurity and cyberfraud are a huge and growing source of risk. And while every industry is vulnerable, banks and other financial institutions are uniquely attractive targets. When the famous bank robber Willie Sutton was asked why he robbed banks, he said, “Because that’s where the money is.” If Sutton were alive today, he’d surely be a cybercriminal.
Cathy Ross, president and co-founder of Fraud.net, said that financial institutions face unique challenges. In addition to the higher financial stakes, financial institutions also have complex infrastructures—and operate in a business environment that’s multi-faceted and tightly regulated—making them more difficult to secure.
Reported cyberattacks on U.S. companies rose about 70% from 2019 to 2020, producing roughly $8 trillion in losses. And the actual magnitude and scope of the problem are surely much worse than reported, since the public generally only hears about attacks when something goes terribly wrong. It’s critical for financial institutions to fortify their defenses—and technology is one of the strongest weapons for preventing and mitigating attacks.
Steps banks can take to continue being leaders in cybersecurity
Tommy Nicholas, CEO and co-founder of Alloy, said there seems to be a common misperception that banks and financial institutions aren’t doing cybersecurity as well as other types of businesses. But in his experience, that isn’t true. In fact, in many cases financial institutions are actually driving the state of the art forward.
In his view, it’s also not true that the public only thinks about cybersecurity when things go wrong. Today, people are almost constantly aware of the enhanced security measures that businesses are taking, whether it’s complex password requirements, fingerprint and face recognition on our phones, or selecting a text link to confirm an action on a website. Financial institutions are leading the way in those areas.
So what additional steps can we take to enhance our security?
Ensure you’re prepared for the digital transformation caused by the coronavirus.
The next level of security beyond passwords is using additional data points (such as physical location, IP address, and time of day) to verify that a transaction is being attempted from a valid location and valid machine at a time that makes sense. But with so many people now accessing systems from remote and varied locations—at all hours of the day and night—those secondary checks are much less usable and useful. And remote work environments are much harder to physically secure than an office.
According to Chris McCurdy, worldwide vice president and general manager at IBM Security, COVID has been a catalyst for digital transformation and cloud migration. But many executives mistakenly believe that cloud is inherently secure and that cloud providers are responsible for ensuring security. Ultimately, the organization itself remains responsible for the security of its own systems and data.
Consider third-party risk.
Ransomware is running rampant, and combating it is everyone’s responsibility—from the CEO down to the front lines. But, according to McCurdy, the top-of-mind issue for financial institutions is actually downstream risk, which extends to the entire ecosystem—not just third parties but fourth and fifth parties, too.
How do you ensure the security of your vendors and business partners—and their vendors and business partners? A chain is only as strong as its weakest link, and a vulnerability deep in your ecosystem can have a major impact on your ability to do business.
Use artificial intelligence to gain security.
Many of today’s cybercriminals use pre-existing password tools and train themselves on YouTube. According to Gosschalk, many others are Ph.D.-level experts who develop their own advanced attack methods using the latest AI technologies. But two can play that game.
By capitalizing on the latest advances in AI and machine learning, financial institutions can implement more intelligent and robust security checks without creating an onerous burden for their customers and other users. They can also more quickly detect hidden threats and anomalous patterns of behavior.
Applying AI in these ways improves security by forcing attackers to work harder on the front end to breach security and giving them less time on the back end to exploit and monetize successful attacks—reducing their profit margin and giving them less economic incentive to launch an attack in the first place.
Implement multi-factor authentication, biometrics, and collective intelligence.
If you’re not already doing multi-factor, you should consider yourself compromised, said McCurdy.
Biometrics like fingerprint and facial recognition are quickly gaining popularity, particularly for mobile applications on phones and tablets. But, according to Ross, the next big thing could be “collective intelligence”—compiling and cross-checking information about a user from many different sources, including biometrics, sign-in credentials, keystrokes, behavior patterns, purchasing velocity, social media, and even the dark web.
Strike the right balance between security and convenience.
It’s tempting to think that if you can just get the right security signals and model them perfectly, you can stop all fraud, said Nicholas. But the big question you always have to ask when you encounter suspicious activity is what you’re going to do about it. Are you just going to throw it out?
The easiest way to eliminate fraud is to have zero customers. Of course, that’s no way to run a business. You’re always looking to strike a balance between robust security and practical convenience. The right answer depends on the context.
According to Gosschalk, a comprehensive know-your-customer verification process might make sense for a bank, but it doesn’t make sense for a gaming platform because the barrier to onboarding new users would be much too high—and the risks don’t warrant it.
Nicholas said typology modeling is the key, enabling financial institutions to take different levels of action depending on the nature of the fraud signals. For example, if signals indicate that someone is a money mule, you might deal with that typology by running an automated procedure that throws them into multi-factor authentication, double checks that all their communications are coming from them, and shuts down their funding capabilities. But for a different typology involving spoofed credentials and phishing, you might flag their transactions for monitoring and lower their ACH limits.
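The typology-driven response Nicholas describes, as an added example that is not the panel's or Alloy's code: a bundle of fraud signals (including the location and time-of-day context checks mentioned earlier) is mapped to a typology, and each typology carries its own playbook rather than a single blanket block. The signal names, the classification rules, and the action names are assumptions chosen to illustrate the idea.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed signal vocabulary: names and meanings are assumptions for this
# illustration, not any real fraud platform's schema.
@dataclass(frozen=True)
class Signals:
    rapid_in_out: bool = False            # funds arrive and leave within hours
    many_unrelated_senders: bool = False  # deposits from many unconnected parties
    breached_password: bool = False       # credential seen in a known breach corpus
    phishing_link_click: bool = False     # user followed a link from a flagged email
    new_device: bool = False              # device fingerprint never seen before
    ip_geo_mismatch: bool = False         # login IP far from the account's home region
    unusual_hour: bool = False            # login well outside the customer's usual hours

@dataclass
class Decision:
    typology: str
    actions: List[str] = field(default_factory=list)
    ach_limit_factor: float = 1.0         # multiplier on the customer's normal ACH limit

def classify(s: Signals) -> str:
    """Map a bundle of signals to a fraud typology; rules are ordered most severe first."""
    if s.rapid_in_out and s.many_unrelated_senders:
        return "money_mule"
    if s.breached_password or s.phishing_link_click:
        return "credential_compromise"
    if s.new_device and (s.ip_geo_mismatch or s.unusual_hour):
        return "context_anomaly"
    return "benign"

# Playbook per typology (assumed action names). Mule: step-up auth, verify the
# contact channels, freeze outbound funding. Compromised credentials: monitor and
# halve the ACH limit. Bare context anomaly: step-up auth only, limits untouched.
PLAYBOOK = {
    "money_mule": (["require_mfa", "verify_contact_channels", "freeze_outbound_funding"], 0.0),
    "credential_compromise": (["flag_for_monitoring", "lower_ach_limit"], 0.5),
    "context_anomaly": (["require_mfa"], 1.0),
    "benign": ([], 1.0),
}

def decide(s: Signals) -> Decision:
    """Return the response for a signal bundle instead of a blanket allow/deny."""
    typology = classify(s)
    actions, factor = PLAYBOOK[typology]
    return Decision(typology, list(actions), factor)

if __name__ == "__main__":
    print(decide(Signals(rapid_in_out=True, many_unrelated_senders=True)))
```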
Stay a step ahead of the threats.
Nicholas said he has never seen fraud vectors change as quickly as they have in the past year. So financial institutions have to be nimble and jump from tactic to tactic. Modeling can help companies understand what’s happening and develop elegant solutions instead of just pushing the burden onto users by adding more layers of checks and verifications, which can become onerous.
At the end of the day, financial institutions have to become quicker to respond and much more fluid in their approach to cybersecurity, said Ross. Standard approaches to solution development and deployment typically require 12 to 18 months, which makes it hard to stay in front of the bad guys. Vendor aggregation can help companies adopt new solutions and technologies more quickly by creating a single plug-in for cybersecurity infrastructure—requiring much less time and investment for development and implementation.
Don’t just be aware—take action to establish effective security.
Making people aware of security problems and best practices is an important first step, but it’s not enough. To establish effective security, people in an organization need to change their behavior—and that message needs to come from the top, said McCurdy. When security messaging comes from the CEO, it’s a mandate. C-suite bonuses should be tied to security, creating a shared fate—not just placing responsibility on the CIO or whichever executive has formal ownership for the security function.
Communication and collaboration are key.
Today, the bad guys are much better than the good guys at communicating and collaborating with each other. Working together and sharing information is a key part of their attack strategy. To tackle the challenge, institutions like ours need to encourage information sharing and communication about cybersecurity and fraud across the enterprise and throughout the financial services industry.