By Chris Underhill, Chief Technical Officer at Cyber Security Partners
Consumers are increasingly likely to check their bank balance online rather than visit a bricks and mortar branch on the high street. In fact, figures show that we log in to our online banking around 9.6 million times per day, indicating the mass popularity of this medium in keeping tabs on our finances. Online banking is also good news for the environment, and paves the way for a paperless society, whereby bank statements are provided electronically rather than printed and posted. Unfortunately, environmental issues are not the only consideration for banks and their customers, with cyber crime representing an ongoing threat. Banks have successfully implemented layers of security for logging into online banking; however, the most commonly used channel of communication between banks and their customers is arguably the least protected.
Cyber threats, such as email phishing, pose an increasing threat to banks and customers as more consumers migrate to online banking. Despite this fact, new research by Cyber Security Partners (CSP) reveals that a massive 97 percent of FTSE 250 companies, including three of the four banks in the list, are inadequately protecting themselves and customers from the threats of email phishing and malware. The research could suggest that many banks leave it up to customers to report instances of email phishing, rather than taking a more assertive and proactive approach.
How can banks do more?
Commonly, banks assume customers will have an awareness of what cyber threats could affect them and how to protect themselves, but this is where things need to change. The responsibility should not fall solely with the consumer to flag threats and issues to their bank, nor is it an effective method of prevention. With consumers now exposed to an increasing number of threats online, now is the time for financial services companies to take greater responsibility and place more emphasis on the importance of cyber security.
Recently, Mustafa Al-Bassam, a computer hacker who has previously targeted huge companies such as Sony and Fox, stated, “The majority of UK banks don’t even implement HTTPS encryption properly on their website, and show a poor understanding of how it is implemented in practice when I have tried to probe them about it. They certainly seem to be lagging behind in terms of modern standard security practices.” Mr Al-Bassam was just 16 years old when he was arrested for his online crimes. This damning insight from an established hacker really indicates that banks are falling short, and need to do more to protect consumers online.
Action needs to be taken
It is estimated that some 200 million phishing emails are distributed every day, highlighting the breadth of the issue and indicating that advice alone will not prevent it: solid action needs to be taken. Security breaches not only threaten customer confidentiality, they also have a hugely negative impact on a company’s credibility and reputation. A recent security breach at HSBC may have allowed the bank to emerge from the attack with client information safely intact, but it did little to instil consumer trust in the company. In a similar situation, in October 2015 TalkTalk lost more than 100,000 customers following a severe cyber attack, which equated to around a £15m loss in revenue.
The number of email phishing attacks continues to increase, so business leaders need to take the appropriate action to lead from the front and protect their companies, and customers, from cyber criminals. In response to the TalkTalk attacks, Andrew Tyrie, MP and Chairman of the Treasury Committee, expressed his concerns regarding cyber security: “Bank IT systems just don’t seem to be up to the job… Incidents like these are unacceptably frequent, and sometimes serious. Until this is sorted out, the public will remain more exposed than necessary to the risks of IT banking failures.”
Companies have a huge spectrum of tools and solutions available to help them prevent the damaging impact of cyber attacks, so there is no excuse for consumers to be negatively impacted by online crime. DMARC, which stands for ‘Domain-based Message Authentication, Reporting & Conformance’, is an email authentication protocol that enables senders to monitor and protect a domain from fraudulent email. Amazingly, CSP research reveals that a meagre 17 companies in the FTSE 250 are using the DMARC standard to prevent email scams, which enable the theft of customer passwords, banking details, debit or credit card numbers and other confidential information. Preventative measures such as this are easy for large corporations to implement; however, many are still falling short in terms of their defences against cyber attacks. Clearly, this needs to change.
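What “using DMARC” means in practice depends on the policy a domain publishes in its `_dmarc.<domain>` TXT record: `p=none` only collects reports, while `p=quarantine` or `p=reject` tells receivers to act on mail that fails authentication. The following is an added example, not code from this article or from CSP's research; the domains and records are constructed and the status labels are this example's own.

```python
# Added example: classify DMARC TXT records by how much protection they give.
# Domains and records are constructed; no DNS lookups are made.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; return None if malformed."""
    pairs = [part.strip() for part in txt.split(";") if part.strip()]
    tags = {}
    for i, pair in enumerate(pairs):
        name, sep, value = pair.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or (i == 0 and (name, value) != ("v", "DMARC1")):
            return None                  # v=DMARC1 must be the first tag
        tags.setdefault(name, value)
    return tags or None

def classify(txt_records):
    """Return missing, invalid, monitoring, partial or enforcing for one domain."""
    dmarc = [r for r in txt_records
             if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing"
    if len(dmarc) > 1:
        return "invalid"                 # several records: DMARC is not applied
    tags = parse_dmarc(dmarc[0])
    policy = (tags or {}).get("p", "").lower()
    pct = (tags or {}).get("pct", "100")
    if policy not in VALID_POLICIES or not pct.isdigit():
        return "invalid"                 # simplification: a missing p tag counts as invalid
    if policy == "none":
        return "monitoring"              # reports only; failing mail is still delivered
    return "enforcing" if int(pct) == 100 else "partial"

SAMPLE = {  # constructed _dmarc TXT answers for hypothetical domains
    "bank-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example"],
    "bank-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@bank-b.example"],
    "bank-c.example": [],
    "bank-d.example": ["v=DMARC1; p=quarantine; pct=25"],
    "bank-e.example": ["v=DMARC1; rua=mailto:dmarc@bank-e.example"],
}

def survey(records_by_domain):
    return {domain: classify(recs) for domain, recs in records_by_domain.items()}

if __name__ == "__main__":
    for domain, status in survey(SAMPLE).items():
        print(f"{domain:16} {status}")
```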
Now is the time for companies to understand and accept their collective responsibility to deter cyber crimes, and maximise protection for consumers in any way they can. When giant global companies such as HSBC and TalkTalk are infiltrated by a hacker in their bedroom, it really spells out that any organisation in the world can be affected by the wrath of cyber crime. As technology and innovation in Britain continue to thrive, isn’t it time that prevention of cyber crime kept pace?