CSConnect UK 2019: Round-up of key cybersecurity trends
This week FinTech Futures attended Cybersecurity Connect UK 2019, a conference bringing together chief information security officers (CISOs) from the financial services, aviation, energy, charity, government and security intelligence service sectors.
The consensus was one of excitement, as like minds came together and realised that cybersecurity is well on its way to becoming part of day-to-day business for companies increasingly handling billions of people’s data.
If you missed the event, if you attended but want a wrap, or if you’re just interested in what these experts have to say on developments in cybersecurity, here’s a wrap-up of key talking points during the week.
Email phishing is still the top cause for cybersecurity risk in FIs according to the chief security officer of Vocalink – a Mastercard company – Andrew Rose, who notes “Office 365 attacks are ramping up” and they are “quite alarming”.
“Executives work from iPads and iPhones these days, they just do emails as they go to meetings,” says Rose, “so the mobile platform is the one that’s really being focused on and it’s interesting to see that changing in attack”.
A phishing email can render very differently on a mobile device, where it looks far more compelling, than on a desktop, where it can look ridiculous and unbelievable.
Fraudsters are now targeting individuals, building up profiles from social media to craft convincing attacks which are more disguised than ever before.
Mastercard’s Rose feels customer service teams are facing a tricky dilemma, being told to always do as the customer asks, even if that means clicking on a phishing link.
“We talk about customer-centric approaches but these people [customer service teams] have really been set up to fail,” says Rose, who thinks these teams need to be re-trained.
Fintechs a potential route to attack big banks
When different experts were asked for their opinions on the cybersecurity trends going into 2020, HSBC’s head of technology and cyber risk Rory Alsop says “fintechs might become a route of attack because of their route to big banks”.
This is just one of several rough predictions for what the year ahead holds, but the spotlight on how banks work with third parties, and on how fraudsters view this partnership, could certainly inform future cyber attack trends.
“Technology firms are not getting the same level of scrutiny and heat” when it comes to banking app downtime as financial services organisations do, says Lloyd’s head of IT risk & governance Ameet Jugnauth.
When asked about the UK Treasury’s call for regulators to hold banks to account for “unacceptable” amounts of IT failures, the Lloyds head has no doubt that “to have that [government] attention on it is the right thing”, but feels there is definitely a “quirk” in the way culpability is currently distributed.
HSBC’s Alsop is a speaker for technology career outreach in schools and universities, tackling the gender imbalance in financial services. “What puts girls off is firstly boys trying to make it a boys club which means visibility is all middle-aged white males and secondly, we’re still way off parity with the numbers [of men to women on boards],” says Alsop.
The percentage of women in leadership positions on the UK’s FTSE 100 boards is just 9.7% according to Cranfield University research. Edinburgh-based Alsop, along with the rest of the financial industry in Scotland, wants to double diversity in the country’s financial services.
CISO for Micro Focus Michele Hanson also mentions how the physically handicapped bracket of society often gets ignored. “With diversity of spirit comes diversity of thought, which will enlighten the way we look at cybersecurity,” she says.
Emerging “common language” of risk
Lloyd’s Jugnauth says there has long been this inconsistent expectancy that all IT system employees can speak the business language, but that’s simply not the case.
Where business and technical conversations can align is on risk. For Jugnauth, risk can be the bridge between these teams and act as a “common language”. HSBC’s Alsop agrees, saying that when you quantify risk, the board can suddenly understand its technical teams a lot better.
Traditionally this isn’t what the risk community has done, having taken more of a compliance approach as opposed to pulling together subject matter experts (SMEs) like it does now.