Security has traditionally been sold on a powerful combination of fear, uncertainty and doubt. With cyber security that is no longer the case. With cyber security the simple truth is so scary that there is no need to go over the top to induce a state of panic in a potential client. The emphasis today is on education rather than exaggeration. Once clients, whether personal or institutional, absorb the reality of the day-to-day danger they face, they will want appropriate protection.
This is in a nutshell the world of cyber security today, as perceived by Alastair Paterson, CEO of specialist monitoring and consultancy services provider Digital Shadows, which has developed monitoring systems covering 80 million sources on social media in 26 languages. An extended conversation with him on the subject generates enough fear, uncertainty and doubt to leave one pining for the relative safety of the Middle Ages, when the only personal information in the public domain was that displayed on gonfanons and other flags, jousting shields and coats of arms.
The traditional approach to security in cyber space has been to build the equivalent of a medieval keep to house data, complete with protection round it in the form of digital walls and moats, the walls built ever higher and the moats cut ever deeper and wider.
The arrival of social media, the so-called Cloud and associated services, mobile workforces and ‘bring your own device’ culture, and the lengthening of supply chains, make the traditional approach to security look as medieval as it sounds. While much of the leakage from companies into the free internet is of little consequence, confidential data and documents such as building blueprints, details of a bank’s ATM network installation and unpublished board minutes have been known to break free from what were thought to be secure surroundings and make it into the digital wild.
Much of this is happening not because of hackers or mischief makers, but because of a combination of negligence on the part of hard drive manufacturers and their willingness to make their products as easy to use as possible, thoughtlessness and simple old-fashioned user error. “We are seeing new types of devices leaking data, and what we are seeing is slightly scary,” says Alastair Paterson.
“We have been seeing real growth in this area over the past three to four years and that growth will continue,” says Matthew Martindale, director, cyber security, at KPMG. The 270-strong team of consultants at KPMG that advises clients including asset managers, wealth managers, hedge funds, private clients and family offices is projected to hit the 500 mark in two years or so as clients embrace new technologies to achieve greater speed and efficiencies across their static and mobile devices.
Matt White, senior manager in KPMG’s Cyber Security practice, has his own views on suggestions that hedge funds could be particularly susceptible to cyber-attacks from. “Compared to the forced regulatory requirements of the larger players in the Financial Services sector, Investment Management (IM) is still a relatively immature market in terms of cyber security capabilities,” he says. “Despite potentially high value assets and information, the staff count is frequently low, especially in the Information Security space and this leads to potential ‘gaps’ in an organisation’s cyber security capability.
“Whilst many of the potential breaches are probably not being reported, it is likely they are common (or unrealised), making the IM sector similar to many others, but this is improving. More and more frequently we are being approached by IM companies asking if there is any advantage that can be gleaned from the sector’s ‘older siblings’ in financial services, such as the higher tiered banks. By taking their ‘lessons learnt’ and applying them we can more quickly help shore up their defences, with companies not realising that potentially small changes can help them get the basics right, reducing their potential exposure to risk of a breach.”
Organisations can today offer a range of new channels to access products and services and as digital footprints grow they have simultaneously become easier for hackers – including criminals going where the money is, so-called hacktivists seeking to make political points, and even nation state entities – to access private databases searching for names, passwords and intellectual property.
“Banks have been favourite targets in the past but asset managers are now taking the threat of major attacks more seriously,” says Matthew Martindale. One threat in particular that he identifies is the possibility that criminals might be able to gain access to inside information and front-run legitimate trades being initiated by an asset manager.
There is no room for complacency and the process of keeping up with wrongdoers is increasingly difficult, never ending and expensive. As Tim Thornton, Chief Data Officer at fund administrator Mitsubishi UFJ Fund Services puts it, the IT refresh cycle in his industry has shrunk to barely 18 months from around three years, meaning organisations need to run ever faster if they are to keep up with those who would do them harm.
“Client RFPs contain a growing number of questions related to cyber security, asking what procedures are in place and whether they are regularly audited,” he says. “We make the same demands of our external third-party service partners who handle client data. We need to know that their environment is as secure as ours. In turn, they want to know about our own security procedures. We’d rather spend money on adding value and functionality but security systems and processes need to be in place and constantly enhanced.”
The refresh cycle is not only shortening but is often missing certain points, according to Professor Julian Williams, chair in accounting and finance at Durham Business School. “It tends to keep the corporate front end state of the art, while leaving the background infrastructure untouched,” he notes.
Increasing security is not just about spending money, says Matthew Martindale. “Yes, you have to buy the right technology, but you also need to hire the right people with the right skills and ensure they are following the right processes,” he says. Companies also need individual employees to act as their own first line of defence. “The bad guys have a significant advantage, in that they need to find only one way in, and companies need to work on the assumption that they will get in,” he continues. Staff working together to common standards and within common frameworks might at the very least persuade opportunistic wrongdoers to go elsewhere.
Wilbert Hofstede, head of cyber security at Euroclear, the Brussels-based international central securities depository, picks up on this theme. “Where there is money to be made, whether directly by diverting it from the rightful account or indirectly by tapping into information or goods that can have a financial value, there will be criminals trying to make it happen,” he says. “Criminals only need to succeed one time in a hundred. In such a dynamic cyber environment, we need to be secure one hundred times out of a hundred. That means we need to do more than just focus on prevention to do our job properly; we need to be extremely vigilant for all signs that might indicate potential concerns.”
The issue of fraud is not of course a new one, observes Joe Norburn, managing director at Coutts responsible for digital and front office solutions. He recalls (almost wistfully, it seems) the days when the preferred modus operandi of criminals intent on enriching themselves financially involved men wearing tights on their heads and carrying a shotgun in hand.
Protecting against the scaled-up modern equivalent is the cornerstone of day-to-day priorities, he says. “It is important for all organisations to protect clients to the best of their ability; a key element in that is knowing customers so well that we can anticipate their needs and authenticate that they are who they say they are when connecting remotely as quickly and as certainly as we can do face to face.”
Professor Williams cautions against overhyping the subject as it relates to asset management. “To the best of my knowledge, only one case has been prosecuted in the US for the theft of code and that failed. Many algorithms are, after all, open source code.”
When all is said and done, there is no single silver bullet solution, warns Joe Norburn. Rather, a layered approach to security coupled with an ongoing customer education programme is necessary. Identify, protect and respond is the mantra here. In the first instance, two-factor identification is the equivalent of locking the front door. “Then you must make sure you have good controls in place that will enable you to detect potential mischief makers or wrongdoers and react accordingly to prevent it or minimise the impact.”
All this must be achieved, moreover, without rendering the customer experience unpleasant to the point of repelling them. “We want security and trust and convenience,” concludes Joe Norburn.