Over the past decade, there have been several cyber attacks in Qatar, most notably the ‘Desert Falcons’ and ‘MiniFlame’ instances, all discovered by the Kaspersky Lab. During the summer of 2016, there were unconfirmed reports of Qatar National Bank (QNB) being subject to such attacks.
This has been highly worrying as QNB is the single largest lender in Qatar, and especially because the breach of security protocols by hackers had reportedly exposed the personal details of many of the banks clients. These personal details were consequently divulged on social media, including Facebook and Twitter, and focused upon such divergent targets as media staff and security officials. Of late, the most famous cyber breaches have reportedly involved energy companies such as RasGas and Saudi Aramco.
These incidents demonstrate how companies and institutions in the GCC have become prime targets for hackers. As Mike Weston, Vice-President of Cisco Middle East, states: “Despite efforts such as policies, training and education, cyber risk management and audits, incident monitoring and reporting, and a combination of security tools, cyber attacks on financial institutions are growing every day in strength and velocity across the globe, and the ramifications are costly.”
Crimes against financial institutions manifest themselves in two areas – via physical attacks on users of the bank at ATM machines or in a branch, or through the targeting of mobile banking and online banking
Businesses that operate in the realm of financial services face, by the very nature of their reliance on technology, significant security challenges. There are a number of different ways that criminals target financial institutions – as Yury Namestnikov, Senior Security Researcher at Kaspersky Lab, says: “These crimes manifest themselves in two areas – via physical attacks on users of the bank at ATM machines or in a branch, or through the targeting of mobile banking and online banking.”
He goes on to add: “Bank attacks also occur via the financial system itself, especially through the monetary processing system. This gives hackers more leverage over financial institutions. Although such institutions invest a great deal of money to ensure security, they still face cyber threats due to lack of knowledge and/or effective vigilance.”
The threat landscape
Although the threat landscape is more dynamic and advanced than ever before, Namestnikov believes that attacks on the individual citizen at the global level are actually falling. As he states: “Attackers thought that if they spread more malware, they would get more attention, but such attention actually ensures that the lifespan of viruses decreases as anti-viral software learns to recognize the threat and fight back. So hackers are making their attacks more targeted. They have realized that they no longer need to infect a thousand computers – just one huge success is their goal.”
According to the Cisco 2016 Annual Security Report, malware is becoming increasingly sophisticated and elusive, and cyber criminals are launching attacks through a variety of vectors, including tools that users trust, or view as benign. Targeted attacks are on the rise, creating a persistent, hidden presence within an organization from which to execute their mission.
The recent cyber attack on Bangladesh’s central bank, that allowed hackers to steal over $80 million from the federal reserve bank account, was reportedly caused due to a malware already installed in the bank’s computer system.
Weston reveals that cyber hackers have identified the human as the weakest element in all technological systems, and will continue to target them
Discussing the reasons for the attacks, Weston reveals that cyber hackers have identified the human as the weakest element in all technological systems, and will continue to target them. As he says: “Security assessments identify that the root cause of many security problems is an operational challenge and not just a technical one.”
According to the Cisco EMEAR Security Insights Report, employee behavior (52 percent) was second only to cybercrime (60 percent) when employees were asked to identify the top two greatest sources of risk to data security. It is a genuine weak link in cyber-security – more through complacency and ignorance than malice – and is becoming an increasing source of risk. Consequently, full visibility of the network needs to be people centric i.e. include who is connecting to it and what they should be allowed to do and access.
Weston suggests that setting up clear identity and access rules for this human activity can significantly reduce the available threat vectors and enable people to be champions for good cyber-security behavior. He further adds that, “Training employees should be a key part of organization’s security strategy, policies and procedures. This highlights why organizations’ need to operationalize security, as effective defense will require the involvement of senior managers across a range of business functions including HR and training and development.”
How do cyber hackers attack financial institutions directly?
Network-based security threats have led to widespread identity theft and financial fraud. Spam, viruses, and spyware cause significant problems for consumers and businesses. Today’s information attacks are a profitable business enterprise and are often controlled by organized crime syndicates.
Weston states that a growing number of sophisticated cyber crime business models, including the emergence of criminal enterprises, are built around selling tools and services for launching network attacks, rather than simply selling information gained from attacks. Financial services companies are being disrupted by agile, online-only challengers that offer convenient, efficient services.
A common way of targeting banks is the use of malware to circumvent local security systems, gaining access to the SWIFT messaging network, and forwarding fraudulent messages via SWIFT to initiate cash transfers from accounts at larger banks.
Security and cyber-crime experts note that hackers break into the computer systems of financial institutions and make, or incite others to make, fraudulent transactions within compliant accounts.
Organized crime then uses techniques developed over decades to launder the money, giving the criminals much higher rewards than a hold-up or bank vault robbery – and with much less risk. The Internet has also made it easier for criminals to get inside banks, so that they are now shifting away from physical attacks to cyber hacks, because such cyber attacks take less effort and yield more money.
An industry-wide talent shortage also compounds the challenge of maintaining a strong security posture. On the global front, according to the Cisco Annual Security Report 2016, there is currently a deficit of 1 million security practitioners, which is projected to increase to 1.5 million by 2019
Global talent shortage
An industry-wide talent shortage also compounds the challenge of maintaining a strong security posture. On the global front, according to the Cisco Annual Security Report 2016, there is currently a deficit of 1 million security practitioners, which is projected to increase to 1.5 million by 2019.
Commenting on this global talent shortage, Weston says that: “Organizations are facing critical staffing and expertise shortages. Security jobs are growing at 12 times the rate of the overall job market, and three times the rate of general IT, yet Cisco struggles to attract and retain talent, as the competition for coveted security skill sets increases.”
Combating cyber security challenges
As stated, the increased exposure of businesses to the Internet provides the advantage of publicizing business offerings and promoting interaction between its stakeholders. However, it also requires adequate security measures to be deployed in a timely manner to counter possible and reported risks to IT infrastructure across organizations. As Namestnikov comments: “The first thing you need is an effective and thorough assessment of your security system. You need to understand where you currently are, to realize what you have to do in the future. You also need to understand what assets are in the network, as many business owners are unaware of the actual state of their network.”
He goes on to add that secured mobile banking customers have to be particularly careful. As he says: “Mobile phones can easily be hijacked, so those customers who use mobile banking, are especially at risk. Banks usually provide some sort of protection for their mobile users itself, but I would say that it is obligatory for the user to have a device that is harder to steal from. Also, for office networks, different layers of security can be applied. For example, your network should not allow any unknown application top download, open or operate. Your networks should be configured to allow known applications only.”
In conclusion, Weston notes that: “Firms must be able to prevent security breaches — and detect and remedy them quickly if they occur. Mobile payment security breaches can result in downtime, lost revenue, retribution costs to remedy the damage, and loss of financial data. The intangible effects can be even more harmful, eroding brand equity and hindering bold innovation.”
The central key to preventing cyber crime is that Internet users need to constantly update their operating systems. Ensuring that security software is up-to-date is vital, as is caution when clicking on links or attachments in unsolicited emails
Hackers who commit cyber crime operate from different countries and even continents. They constantly invent new malware, so banks and financial institutions need to be constantly vigilant, devising new approaches to tackle cyber crime. The central key to preventing such crime is that Internet users need to constantly update their operating systems.
Ensuring that security software is up-to-date is vital, as is caution when clicking on links or attachments in unsolicited emails. Indeed, the key to turning cyber security into a growth advantage for the bank is by building holistic and all pervasive security throughout the network, along with a change in individual attitudes, especially on the side of caution.
Cyber security should become the primary concern in the development of any Internet-based financial offering, but the same rules apply to the banking sector as to any other. That which is built upon firm foundations is very difficult to topple.
This article is from BQ magazine’s September-October 2016 issue – Volume 3: Issue 37.
Get the latest copy of BQ magazine from the nearest store to you for the latest news in ‘Business in Qatar and Beyond’.
© 2016 BQ Magazine ALL RIGHTS RESERVED