Chris Wallis, CEO of Intruder, spoke to Payment Expert about the growing threat of cyber attacks and what financial services can do to mitigate them in a challenging economic climate.
Payment Expert: Firstly, are you able to tell us more about how cyber attacks have evolved in recent years?
Chris Wallis: Cyber attacks haven’t evolved massively in nature over the last few years besides the fact there are far more of them. Two key factors have contributed to this: firstly, with the amount of money being made by ransomware gangs, cyber-crime has become industrialised into something that in some cases resembles legitimate business, with support hotlines and instruction manuals for how to extract the most money from victims.
This automation in turn has lowered the bar to attack, meaning it has become cost-effective to target and extort even smaller businesses. That’s on top of the fact that even if you are not targeted, you could get caught up in a spray-and-pray type of indiscriminate attack, in the same way scam callers operate.
It was previously the case that if you were a relatively unknown company you could probably fly under the radar a bit. However, this industrialisation and automation means that no company can safely ignore cyber threats anymore. The only good news is that the threats themselves have remained largely the same, meaning there are well established playbooks businesses can follow to avoid becoming victims.
PE: How significant is the threat for financial services when it comes to ransomware attacks?
CW: The threat level for financial services is understandably huge, and for good reason. Not only is the information held by these firms often sensitive in nature, but the attractiveness of moving or storing money to a hacker goes without saying.
Sprinkle on top the fact that the burgeoning fintech industry combines this juicy target with an ever-increasing surface area of technology for hackers to penetrate, and you almost have a perfect storm.
Regulators are understandably hot on this in that they mandate sufficient cyber security controls – but as guidance from the regulator has to be vague so it works for every type of organisation, financial services companies, particularly those without extensive cyber teams, can often struggle to know what is appropriate.
PE: What steps do you believe FS services can take in terms of safeguarding against these attacks?
CW: Cyber security is a very wide field ranging from technical compromise to human deception, and is overall an unsolvable problem. However, there are basics to reduce the risk that every company must follow from employee training to endpoint protection and vulnerability management.
This should all start with a team member solely responsible for cyber security, whether that’s a CISO or in an earlier stage fintech simply the CTO. Defining those responsible, then setting a strategy that is appropriate for the stage of the company and level of risk, is the starting point on the journey every company must take.
PE: Is the threat of these types of attacks elevated as the economic strain intensifies?
CW: Potentially, although not necessarily. As times get difficult all companies must look at costs to identify savings.
Awareness of the threat of cyber attacks is so high, though, that many businesses are fully cognisant that the risks of cutting costs could lead to greater damages in the long run. So while some may need to trim down, they must also remember to keep a level of security commensurate with their own risk appetite.
PE: How challenging is it for financial firms to keep up with the evolving efforts of cyber attackers?
CW: As a cat-and-mouse game, there will always be an element of being one step behind the attackers’ latest ruse. However, over the last ten years, the amount of information sharing for defenders has increased to the point that there is little excuse to be left in the dark; examples such as the FS-ISAC (founded in 1999) and the UK’s CiSP (launched in 2013) can provide huge benefits for those with the time to stay up to date. The hardest job will always be for the smaller firms, who need to avoid being the low-hanging fruit.