Are we prepared for a cyberpandemic?

Cyber-attacks: the financial service sector fights back

Sophy Caulier, Independent journalist
On March 3rd, 2021
Amanda Creak
Head of EMEA technology risk at Goldman Sachs
Key takeaways
  • Some figures show that up to 90% of cyber-attacks are motivated by financial gain: banks must therefore be particularly attentive to “technological risk”.
  • Attackers are interested in all the sensitive information they can find, from simple logins or passwords to patents.
  • As an investment bank, Goldman Sachs holds a lot of confidential, and therefore sensitive, information, which it seeks to protect by correcting areas of vulnerability such as the use of USB keys by employees.
  • According to the firm Wavestone, ransom attacks can be expected to yield 746% profitability. Reducing the profitability of cyberattacks is therefore one of the priorities of cybersecurity companies.

Historically highly targeted by cybercriminals, financial services are among the most advanced in terms of protection. While they are alert to risks and equipped to anticipate and avoid them, companies must ensure that their supply chain is as resilient as their attackers.

Amanda Creak is responsible for technology risk in Europe, Middle East, Africa (EMEA) for Goldman Sachs. This “technology risk” refers to all threats incurred by the investment bank in relation to digital technologies, of which there are many, especially for financial institutions. Nearly 90% of cyberattacks worldwide are motivated by financial gain. This involves either simply stealing money, holding individuals and companies to ransom or stealing information from systems that can then be resold – data, patents, contact details, IDs and passwords, and so on.

For a financial institution like Goldman Sachs, cyber-risk is one of the main areas of focus. “Not only are all our processes digitised, but all of our equipment is connected, from desktop computers to printers to air conditioning! Many of the large financial institutions like ours attract cybercriminals,” explains Amanda Creak. She has been passionate about cybersecurity since the beginning of her career and enjoys the challenge of managing a significant security program in a large bank. “As an investment bank, we have a lot of confidential and therefore sensitive information; what we call Material Non-Public Information (MNPI). This is information relating to mergers, acquisitions, IPOs, investments, etc. But we are also an online retail bank, so we have to protect our customers from all money-related crimes.” Moreover, risks are evolving rapidly, and attacks are constantly renewed.

However, the security of a financial institution would be useless if the supply chain was not also highly secure. “We are in a regulated sector and cybersecurity is taken into account in regulations, stress tests, etc. But we need to make sure that our service providers and partners, who are not necessarily subject to the same regulations as we are, have the same level of security as we do,” explains Amanda Creak. It isn’t always easy to ask a supplier to respect very restrictive rules when they are just restocking the company with office supplies or coffee… Similarly, with the majority of staff working from home at the height of the Covid-19 pandemic, solutions had to be found to maintain the same high level of security at home as in the office.

For Goldman Sachs, security is achieved through defence in depth, layers of controls and a focus on good cyber hygiene. “We pay attention to fixing security vulnerabilities and we strictly control the use of USB sticks, which only a few dozen people can use,” says Amanda Creak. Attack attempts, intrusion attempts, ransom attacks, check-ups and patches are regularly carried out to assess the consequences and test the resilience of the system. The goal: that this institution, founded in 1869, will remain a major player in world finance for a long time to come.

Ransoms are highly profitable attacks!

Wavestone’s CERT (Computer Emergency Response Team) has analysed the profitability of two ransom attack scenarios. They consolidated data from CERT-managed attacks and analyses of cyber-crime groups from different companies and organisations. These analyses take into account the costs of setting up and managing the attack, as well as money laundering and human resources, to calculate the net gain after laundering. The first, a non-targeted attack on the general public, shows a return on investment (ROI) of 746%. The ROI of the second, an attack targeted at businesses, is 525%. Wavestone, associated with the Montaigne Institute, is now studying ways to reduce this ROI and make ransom money less profitable.