The arms race between cybercriminals and financial institutions


Melissa Teo, DigitalCFO Asia | 28 February 2022

Raj Viswanathan

Chief Information Security Officer, NIUM

The digital transformation of business services and products has made cybercrime a more lucrative trade than traditional forms of criminal activity. With the digitalisation of banking services, consumers have become used to receiving updates on banking transactions and activity through phone notifications. Because information routinely arrives this way, consumers treat notification content delivered through official channels such as applications and email as legitimate. Yet cybercriminals have become skilled at impersonating legitimate companies through those same channels and attacking consumers. The recent high-profile OCBC phishing scam and the Crypto.com hack are prime examples. With the significant revenue potential involved, more lucrative attacks carried out by organised threat actors are plausible in the not so distant future. Besides raising consumers' awareness of the tactics of cybercriminals, what can businesses do on their end to protect consumers from being compromised?

DigitalCFO Asia spoke with Raj Viswanathan, Chief Information Security Officer at NIUM, on the arms race between cybercriminals and financial institutions (FIs). NIUM is a Singapore-based, B2B global payments service provider. The company was recently valued at $1 billion and attracted over $200m in funding in 2021, with investors including Visa, GIC and Riverwood Capital.

Many clients depend on companies such as NIUM to connect them to the global payments system seamlessly, 24/7. With the potential of cyberattacks causing massive disruption and revenue losses, as seen with numerous unsuspecting victims to date, NIUM takes a strong stance on their cyber defence capabilities, ensuring that they prevent or circumvent any potential cyber threats that might cause disruptions to their services. 

The number of cyberattacks on financial institutions (FIs) continues to increase. With greater adoption of digital banking in emerging markets, these trends are likely to continue.

Ransomware has been one of the fastest growing forms of cyberattack. Its significant revenue potential makes this form of cyberattack lucrative for more organised threat actors. The attacks themselves are not something new – Business Email Compromise (BEC), phishing, malicious insiders, social engineering and compromised credentials continue to be the common attack vectors.

However, these old techniques are gaining more finesse with the use of emerging technologies – like Artificial Intelligence/Machine Learning (AI/ML) being leveraged to craft authentic looking emails/SMS mimicking user styles.

Raj Viswanathan, Chief Information Security Officer at NIUM

Remaining One Step Ahead Of Constantly Evolving Cybercrimes

FIs are always fighting an uphill battle. Even putting the right security controls within the company is not sufficient in most cases – they must continuously look for ways to protect their end consumers from being compromised. Given that such attacks can’t always be prevented, leveraging the right technologies can improve early detection and timely response capabilities.

Just as threat actors are making old techniques more effective with technology, FIs similarly need to continue their focus on foundational controls but with advanced tech. For example, safeguarding against advanced phishing/whaling attacks with AI/ML-based email security and external intelligence monitoring.

Lastly, the most basic foundational controls can always use some additional focus – such as through effective consumer awareness programs.

Mitigating And Preventing Cybercrimes With Cyber Security

Technologies and controls can span across functions – so it is important for different teams (like cyber, fraud, compliance) within an institution to take a converged view on risk and controls. For example, fraud and cyber controls can be enhanced with AI/ML based account takeover and transaction protection rules.

Fraud detection rules need to be continuously strengthened with user behaviour and demographic analytics. There have also been instances of the proliferation of highly sophisticated supply chain attacks, where malicious code can make its way into a company's systems via third-party products.

This makes managed service providers high-value targets and requires institutions to re-evaluate their third-party controls to ensure vendors implement and demonstrate adequate controls.
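The account-takeover and transaction-protection rules mentioned above can be illustrated with a small rule engine that scores login and transfer events against a customer's known behaviour. The Python below is an added example written for this article, not NIUM's code: the user profile, the events, the rule weights, the time windows and the decision thresholds are all constructed here, and in practice they would be derived from the user-behaviour analytics the interview refers to.

```python
"""Rule-based account-takeover (ATO) and transaction-protection scoring.

Added illustration for this article, not a production system. Every value
below (profile, events, weights, windows, thresholds) is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set, Tuple

# Assumed tuning: two countries within this window counts as impossible travel,
# and a second transfer within this window counts as rapid transfers.
TRAVEL_WINDOW = timedelta(minutes=60)
VELOCITY_WINDOW = timedelta(minutes=10)


@dataclass
class Profile:
    user: str
    known_devices: Set[str]
    known_countries: Set[str]
    typical_max_transfer: float  # e.g. the user's historical 95th-percentile amount (assumed)


@dataclass
class Event:
    user: str
    kind: str            # "login" or "transfer"
    ts: datetime
    device: str
    country: str
    amount: float = 0.0
    new_payee: bool = False


def score_event(profile: Profile, event: Event, history: List[Event]) -> Tuple[int, List[str]]:
    """Return (risk score, triggered rule names) for one event, given the user's prior events."""
    score, reasons = 0, []
    if event.device not in profile.known_devices:
        score += 2
        reasons.append("new_device")
    if event.country not in profile.known_countries:
        score += 2
        reasons.append("new_country")
    if event.kind == "login":
        # Impossible travel: previous login from a different country too recently.
        last_login = next((e for e in reversed(history) if e.kind == "login"), None)
        if last_login and last_login.country != event.country \
                and event.ts - last_login.ts <= TRAVEL_WINDOW:
            score += 3
            reasons.append("impossible_travel")
    elif event.kind == "transfer":
        if event.amount > profile.typical_max_transfer:
            score += 3
            reasons.append("amount_above_typical")
        if event.new_payee:
            score += 1
            reasons.append("new_payee")
        if any(e.kind == "transfer" and event.ts - e.ts <= VELOCITY_WINDOW for e in history):
            score += 2
            reasons.append("rapid_transfers")
    return score, reasons


def decide(kind: str, score: int) -> str:
    """Map a score to an action: step-up auth for risky logins, a hold for risky transfers."""
    if score >= 5:
        return "hold_and_verify" if kind == "transfer" else "step_up_auth"
    if score >= 2:
        return "notify_customer"
    return "allow"


def evaluate(profile: Profile, events: List[Event]) -> List[Tuple[str, int, List[str]]]:
    """Score events in time order; each decision is (action, score, reasons)."""
    history: List[Event] = []
    results = []
    for ev in sorted(events, key=lambda e: e.ts):
        score, reasons = score_event(profile, ev, history)
        results.append((decide(ev.kind, score), score, reasons))
        history.append(ev)
    return results


# Constructed sample: a known device in SG, then a new device in an unknown
# country (fictional code "ZZ") that immediately moves money to a new payee.
PROFILE = Profile("u123", {"dev-A"}, {"SG"}, typical_max_transfer=2000.0)
T0 = datetime(2022, 2, 28, 9, 0)
SAMPLE_EVENTS = [
    Event("u123", "login", T0, "dev-A", "SG"),
    Event("u123", "login", T0 + timedelta(minutes=20), "dev-B", "ZZ"),
    Event("u123", "transfer", T0 + timedelta(minutes=25), "dev-B", "ZZ", amount=4500.0, new_payee=True),
    Event("u123", "transfer", T0 + timedelta(minutes=27), "dev-B", "ZZ", amount=900.0),
    Event("u123", "transfer", T0 + timedelta(hours=5), "dev-A", "SG", amount=150.0),
]

if __name__ == "__main__":
    for ev, (action, score, reasons) in zip(sorted(SAMPLE_EVENTS, key=lambda e: e.ts),
                                            evaluate(PROFILE, SAMPLE_EVENTS)):
        print(f"{ev.ts:%H:%M} {ev.kind:8} {action:16} score={score} {reasons}")
```

The point of combining the rules is that no single signal is decisive: a new device alone only triggers a customer notification, while a new device, an unknown country and a login that could not follow the previous one geographically add up to a step-up challenge, and the subsequent out-of-pattern transfer is held for verification. The low-value transfer from the known device later that day passes untouched, which is what keeps such rules usable for the fraud, cyber and compliance teams that have to live with their false positives.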

Top FIs’ Actions In Ensuring Security of Their Data

The adoption of emerging technologies is a key focus amongst top FIs, as they have now become a necessity to protect against advanced threat actors. A recent IBM security study found that the adoption of AI, security analytics, and encryption were the top three mitigating factors shown to reduce the cost of a breach, saving companies between $1.25 million and $1.49 million compared to those who did not have significant usage of these tools.

FIs are also implementing a more robust Security-By-Design program to ensure security controls are considered and implemented much earlier in the system development process. This ‘shift-left’ approach reduces the cost of security controls and helps faster go-to-market deployments, as it is much easier to fix issues during the early stages of system development.

Automation (like compliance as code and automated security patterns that define easily consumable security requirements) can further streamline this approach and reduce friction.

Things Companies Can Do To Increase Their Cyber Security Resilience Levels

The convergence of business continuity and security is another area of significance. Technology used to be an enabler but has now become the business itself. Every aspect of business is now tightly integrated with technology or even replaced by technology. Hence, business continuity programs need to consider security risks to develop appropriate response and continuity procedures.

There is a lot of focus on preventing cyberattacks (rightly so), but another important question is when (not if) an attack happens, how can they be mitigated with minimal impact and with customer communications managed effectively?

Resilience measures will have to be embedded in design and operations of processes and systems. As companies look towards the next level of maturity, FIs are looking to create unified Security, Privacy, and Resilience by design programs, which is a more efficient way to embed the relevant controls. 

Content distribution is diversifying through new platforms and modes of access such as links and QR codes. Each new platform is another chance for businesses to sell and inform clients of their services. Yet it is also another possible means for cybercriminals to attack businesses. Businesses thus need to defend themselves on all fronts, with equal attention to each, not losing sight of any. Paying too much attention to one mode of cybercrime, for example the phishing links in the OCBC scam, while forgoing attention on other modes is an unwise move. That a cybercrime tactic has not yet been used does not make it a less plausible attack channel in the future. Such is the way to stay ahead of cybercriminals in the arms race.