Solving the cybersecurity puzzle
Cybersecurity is an issue facing firms across all sectors, and with large amounts of money at stake, fintech and financial services are huge targets.
But many firms have yet to fully grasp the nettle and concentrate funds and resources towards tackling the issue, whether that’s due to the sheer scale of the problem or naivety.
FinTech Futures recently spoke with two individuals who are on the frontlines in the cybersecurity battle: Professor Raj Muttukrishnan, a director at the Institute for Cybersecurity at City University of London, and Stuart Jubb, group managing director at cybersecurity firm Crossword.
Muttukrishnan’s interdisciplinary approach to cybersecurity “cuts across psychology, social sciences, including law to computer science, engineering, and business”. He also does a lot of external work with various companies and the government and is a non-executive director for London’s Cyber Resilience Centre.
“I work with technologies that are near market-ready, bringing scientific innovation into start-ups so that they can scale up with innovative new products in the cybersecurity space,” Muttukrishnan says.
On Crossword’s relationship with Muttukrishnan, Jubb says: “We were initially set up to commercialise IP from university research, which is how we know Raj.
“Obviously, we can’t solve the whole cybersecurity problem, but we aim to try and solve certain segments of it.”
Cyberattacks cost a lot to combat but can cost far more to ignore, and many firms seem to have not fully grasped the size of the problem.
Jubb cites research from McKinsey that shows the overall damage from cyberattacks across the globe has cost firms $2.6 trillion, but currently only $150 billion is being spent to tackle the issue. “So, there’s a clear gap there,” Jubb says.
Jubb relates how a large FTSE 100 British bank, which spends about a billion a year “just keeping the lights on”, is spending around 5-10% of that on cybersecurity. “They’ve got a lot of legacy IT and systems that has all been merged – it’s a complete mess.”
And because of regulatory concerns, they’re loathe to ditch their legacy systems because they’re worried about what information they will need access to in the future.
“The further you go down, companies are spending less, but we’re finding with the fintech companies, they’re taking cybersecurity seriously from the get-go,” Jubb says. And as a result, “they’re a lot more efficient in their spending”.
Muttukrishnan works with a number of FTSE 100 companies, and for these firms, he says “the biggest threat they see is from the smaller players, because they don’t have the budget to have anything in terms of cybersecurity”.
It’s because of this imbalance that Muttukrishnan took up the voluntary role of non-executive director for the London Cyber Resilience Centre in order to help small and medium-sized enterprises (SMEs) in London.
The major banks will have enough cash to budget for cybersecurity, but smaller outfits will not, “because they have to grow and scale, and their focus is more on business than cyber”.
There is also a raft of new compliance and regulatory challenges that smaller firms such as fintechs must meet, Muttukrishnan adds. He thinks many of the big players have “very good infrastructure” in place in terms of cyber, conducting a lot of simulation attacks. But SMEs, for example, don’t do phishing simulations on a regular basis.
“It’s going to be interesting for fintech,” Muttukrishnan says, especially as investment has dried up over the last six months. “Many of the companies I work with, they’re just running to raise money.”
Muttukrishnan’s “biggest worry” is fintechs are now diverting cash towards keeping normal business operations running. “When are they going to find the money to look into the new regulatory challenges that are coming along?”
Once cybercriminals breach the smaller fintech players, then you can easily navigate into the larger players, Muttukrishnan explains. “The big banks that I’ve talked to, because they have been pushed to open up their datasets to APIs, their concern is they don’t have the capability and software to scan through all these APIs that they are going to be connecting to. And that’s the challenge.”
We live in a connected world. Complex chains serve to provide financial services for customers and therefore, it’s important to ensure that all parties in those chains are protected to prevent a domino effect that could lead to a breach.
Jubb explains that CISOs try to triage who the high-risk suppliers are “in terms of who have access to the crown jewels” and how secure their suppliers are, and then conduct due diligence audits. “But that just isn’t working particularly well,” he says.
Muttukrishnan explains that until we get to a space where the banks are collaborating, “and they’ve tried to do it a number of times”, problems will continue to crop up. “I think they need to relook at how they manage the supply chain to move towards that more collaborative model,” Muttukrishnan says.
Another household banking name, Muttukrishnan says, has tried to develop a collaborative supply chain model in which suppliers have a credit score, with all information shared among the parties, “but they just haven’t managed to get it to work”.
Jubb adds many financial services firms are trying to patch up and manage a “smorgasbord of technologies”.
Combine this lack of preparedness and unwillingness or inability to upgrade legacy infrastructure with increasingly sophisticated cybercriminals, and you begin to understand the scale of the problem.
“It’s pretty industrialised now,” Jubb says. “Some of these hacking groups even have spokespeople who will make statements.”
Many will be trying to get into a nation’s financial services and critical national infrastructure. “We know that they’ve influenced elections,” Jubb says. And it’s often these same regimes that are responsible for cyberattacks against financial services.
While lone wolves in basements are sometimes responsible, this tends to be less of a systemic problem and more about trophy hunting. “I’d say the majority of the economic crime is coming from criminal groups and a lot are in former Soviet countries,” Jubb says.
Muttukrishnan agrees: “I think now they’re all state sponsored. It is more large scale and it’s very sophisticated.”
People are the weakest link in the cybersecurity chain, so how do we make humans more resilient to being targeted? “That’s the million-dollar question. And I don’t know if anyone has an answer,” Jubb says.
“I think the main thing is having constant awareness across multiple mediums,” he adds. While companies will do mandatory training every six months, for example, or simulated phishing attacks, it’s fairly weak sauce given the threat.
Some banks may include in individuals’ contracts a stipulation that if they fall victim to a simulated phishing attack, or even a real phishing attack, their bonus can be withheld. But, Jubb says, “the reality is if you’re a bit of a rainmaker at a bank, you’re not going to get fired for having poor cybersecurity hygiene”.
Interestingly, Muttukrishnan is about to begin working with psychologists on a project that is looking to effect employee behaviour change within organisations. It’s those on the lower rungs of the ladder that represent an organisation’s vulnerabilities.
Despite all the training employees must endure around cybersecurity, “80% of employees don’t do these exercises”, Muttukrishnan believes.
Muttukrishnan has been conducting phishing training for CEOs and CTOs over the last six years but one of their biggest problems remains; their employees, especially contractors. “In terms of phishing, the only thing that will make an impact is behaviour change and the use of automation.”
However, on a macro level, there is a lot more that could be done to shore up cybersecurity, not least sharing information and best practices.
“Given the hackers all speak to each other, I think there’s a lot of ground to cover in terms of how companies collaborate, and I think cross-sector collaboration could definitely improve,” Jubb says.
Also, companies aren’t very strategic when it comes to cybercrime. “They’re so focused on doing the basics, so focused on the day-to-day battle, they’re not thinking about three to five years ahead.”
Jubb says firms should be asking themselves what technology they can start investing in now and how they can begin collaborating with universities and start-ups.
Even if financial services firms and fintechs are not necessarily looking ahead, hackers are, and an arms race is unfolding.
“There’s a real gap at the moment, in our opinion, and if we don’t be more strategic, we’ll just continue to focus on the next six to twelve months, which isn’t really good enough,” Jubb concludes.