Banking on trust – addressing the triple threat of ransomware, regulatory compliance, and consumer confidence
By Andy Ng - Veritas Technologies
The recent ransomware attack on an insurance company in Singapore has underscored the cyber threats confronting financial institutions.
This threat, which looms ever larger with increasingly sophisticated and emboldened ransomware attacks, comes at a time when financial institutions are also facing greater regulatory scrutiny.
For example, the Monetary Authority of Singapore (MAS) meted out SGD 11.7 million in civil penalties and imposed another SGD 3.3 million in composition penalties for money-laundering-related breaches between January 2019 and June 2020. In January 2021, the MAS issued a set of revised guidelines to combat the heightened cyber risks, in an environment where financial institutions are adopting new technologies and are also increasingly reliant on third-party service providers.
With the rise of online and mobile banking services and the accelerated shift to remote working driven by the current pandemic, banks are being entrusted with an increasing amount of highly sensitive personal customer data that has become more dispersed than ever before. As a result, banks have had to rapidly extend their IT infrastructures with complex combinations of cloud, virtual and on-premises infrastructures – which are often increasingly fragmented and harder to manage. According to Veritas research, most banks are struggling with this issue, with 63% indicating that their security measures lag behind their complex IT infrastructures, meaning they have less visibility and control of their data than ever before.
If banks continue on this trajectory, they run the risk of being exposed to a triple threat: becoming victims of cybercrime, facing hefty fines for regulatory non-compliance, and eroding consumer trust. The truth is, cybercriminals have already been capitalising on this security lag. According to the Cyber Security Agency of Singapore, ransomware cases saw a sharp rise of 154% in 2020.
A matter of trust
When customers choose a bank to do business with, they do so with the expectation that the vast amounts of highly sensitive personal information that they share will be treated with the utmost care and protection. If this data falls into the wrong hands, the repercussions could be beyond repair. Ultimately, it all boils down to one word: trust. It is the principle that the industry relies upon to attract and retain customers.
However, building an industry on collecting and using highly sensitive customer data is a double-edged sword. While banks can take advantage of a vast pool of valuable customer data to offer personalised services, offer greater convenience, and explore new revenue streams, it also makes them a very attractive target for cybercriminals. In fact, research revealed that at the beginning of the pandemic, cyber-attacks against the financial sector rose by over 200% globally.
Clearly, with a recent history plagued by cyber threats and outages, trust between customers and banks is fragile at the best of times. It could merely take one more data breach or outage to damage the trust and reputation that have been built over the years.
Confronting harsh truths
The honest truth is that many banks could be managing their data better to avoid the huge risk of failing compliance checks.
Given the sharp rise in ransomware attacks, this is the most crucial time for financial institutions to be testing and perfecting recovery plans. However, Veritas research found that almost half (46%) of banks surveyed have either never tested their disaster recovery plans in the event of a ransomware attack or have not tested them in over 90 days. Furthermore, despite nearly two-thirds (63%) of banks admitting to falling victim to a ransomware attack at some point in their history, more than one in 10 (14%) banks believe it would take them over a month to recover from a breach – if they are able to recover at all.
These figures illustrate that it is imperative for banks to do more to prepare for when the inevitable ransomware attack strikes, in order to better protect their most valuable digital assets. In fact, half (50%) of the banks surveyed have admitted to paying a ransom to recover customer data.
Eliminating the risk factor
In a world where banks have had to accelerate digital transformation plans and introduce new ways to operate amid the global pandemic, how can they ensure their data protection strategies measure up?
At first glance, it seems that banks can just simplify their IT infrastructure to manage data risks. In reality, the volume of data stored by banks will only continue to rise, and banks have to accept that there is always going to be complexity in their IT environment.
To abstract complexity, banks can look at standardising the systems that manage data across their enterprise and start to extract value from their data. As a first step, it is essential to understand what data they have, its value, where the data needs to be hosted, who should access it and how long it needs to be held for. Beyond being a defence measure, this data visibility would help banks to gain a better understanding of their data and in turn, identify trends and insights that can be utilised to offer better customer experiences, or open doors to new revenue streams.
Once organisations have visibility into their business-critical data, they need to ensure that business continuity and disaster recovery processes are optimised to protect it. In the event of a ransomware attack, an encrypted backup is the only line of defence. It is important to remember that there is no backup plan in place until it has been tried and tested.
Testing disaster recovery plans helps reveal cracks and vulnerabilities that otherwise would never have been discovered. Are backups sufficiently isolated to avoid infection from spreading, are there enough copies of valuable data and are those copies being retained according to regulatory requirements? Only regular fire drills and tests can answer these questions beyond doubt. Testing could be something as simple as checking whether a backup site will go live should the main application fail, or performing a single file recovery and checking that the recovered copy matches the original. It is important that these tests are regular, repeatable, and a crucial part of a bank’s backup strategy.
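As an added illustration of the fire drill described above (this is example code written for this page, not code from the article or from any Veritas product), the following Python script turns the three drill questions (isolation, copy count, retention) and the single-file recovery check into repeatable, scriptable assertions. The backup catalogue, the customer record and the policy thresholds are constructed sample values, and `BackupCopy`, `audit_copies`, `verify_restore` and `run_drill` are names invented for the illustration. Note that the restored file is compared against the digest recorded when the backup was taken rather than against the production original, because after a ransomware incident the production copy is exactly what can no longer be trusted.

```python
"""Backup restore drill: the checks the paragraph above asks for.

Added example, not code from the article or from Veritas. The catalogue,
the customer record and the policy thresholds are constructed sample
values; the class and function names are invented for this illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    location: str
    isolated: bool          # offline, immutable or otherwise unreachable from production
    created: datetime
    retain_until: datetime
    sha256: str             # digest recorded when the backup was taken


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_restore(copy: BackupCopy, restored: bytes) -> bool:
    """Single-file recovery check: the restored bytes must match the digest
    recorded at backup time (the production original may be untrustworthy)."""
    return digest(restored) == copy.sha256


def audit_copies(copies, min_copies: int, min_retention: timedelta) -> dict:
    """Answer the three drill questions: isolation, copy count, retention.
    At least one copy must be kept for the regulatory minimum period."""
    longest = max((c.retain_until - c.created for c in copies), default=timedelta(0))
    findings = {
        "enough_copies": len(copies) >= min_copies,
        "has_isolated_copy": any(c.isolated for c in copies),
        "retention_met": longest >= min_retention,
    }
    findings["pass"] = all(findings.values())
    return findings


# --- constructed sample data (placeholder values, not real policy) ---------
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)
CUSTOMER_RECORD = b"account=0001;name=Example Customer;balance=100.00\n"
POLICY_MIN_COPIES = 2                             # placeholder policy value
POLICY_MIN_RETENTION = timedelta(days=7 * 365)    # placeholder regulatory minimum

CATALOG = [
    BackupCopy("nas01:/backups/daily", False,
               NOW - timedelta(days=1), NOW + timedelta(days=30),
               digest(CUSTOMER_RECORD)),
    BackupCopy("vault:/weekly-immutable", True,
               NOW - timedelta(days=7), NOW + timedelta(days=7 * 365),
               digest(CUSTOMER_RECORD)),
]


def run_drill(catalog, restored_by_location: dict) -> dict:
    """One fire drill: audit the catalogue, then verify each restored file.
    `restored_by_location` maps a copy's location to the bytes recovered from it."""
    report = audit_copies(catalog, POLICY_MIN_COPIES, POLICY_MIN_RETENTION)
    report["restores"] = {
        c.location: verify_restore(c, restored_by_location[c.location])
        for c in catalog if c.location in restored_by_location
    }
    report["pass"] = report["pass"] and all(report["restores"].values())
    return report


if __name__ == "__main__":
    # Simulate a corrupted restore from the daily copy and a good one from the vault.
    restored = {
        "nas01:/backups/daily": CUSTOMER_RECORD.replace(b"100.00", b"999.00"),
        "vault:/weekly-immutable": CUSTOMER_RECORD,
    }
    for key, value in run_drill(CATALOG, restored).items():
        print(f"{key}: {value}")
```

Running the script shows the catalogue passing the isolation, count and retention checks while the drill as a whole fails, because the file restored from the daily copy does not match its recorded digest. That is the point of a drill: a single silently corrupted restore is found on a scheduled test rather than during an incident.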
Whatever the post-pandemic future holds, banks must be ready to adapt again and again to keep pace. This includes having the tools in place to abstract complexity from their IT environments and having robust disaster recovery plans to protect their most valuable digital assets. Notwithstanding their best efforts, most organisations will succumb to at least one cyber-attack at some point in time. What distinguishes one victim from another is their ability to ensure data resiliency and bounce back. Data responsibility is the foundation of any organisation’s ransomware defence while backups are its secret weapon.