Antiquated stress testing methods could pose a threat to European banks

Concern over the effectiveness of current cyber security measures in European banks has overtaken concern over the resilience of the banking system itself, with pressure mounting on the European banking system following the election of Trump, Britain’s EU referendum and the aftermath of the credit crunch.

Discussion is increasing over the requirement for stress tests on cyber security to prevent any impending disasters within the banking sector.

Not only is the EU considering these tests, the European Banking Authority (EBA) is demonstrating its awareness of the potential cyber risks, positioning itself to emphasise the urgency of member states taking measures to ensure their own banks are sufficiently protected, while also implying that the current digital infrastructure is archaic and obsolete.

Following last year’s cyber attack on the central bank of Bangladesh which netted hackers $81 million, the concern across Europe feels undeniably appropriate.

Unfortunately, the problem is that the tests, if ever undertaken, will likely stick with assessments of the very same security techniques that currently make banks vulnerable.


This is not a desirable state of affairs when banks, just like every other organisation handling data, will face the full severity of the law after the European General Data Protection Regulation (GDPR) comes into force in 2018.

Under the terms of the GDPR, data breaches will be legally notifiable and costly, both in financial and reputational terms.

Yet European regulators are misguided if they imagine that concentrating on conventional passive anti-viral border security will provide banks with sufficient defence.

Testing has to move beyond security architecture to encompass business processes and the establishment of best-practice approaches. The latter is difficult when information-sharing between national authorities is currently so poor.

What needs to happen is that banks completely reappraise their border security. Great claims are made about the effectiveness of conventional anti-virus and malware security, even though it is known to be ineffective against new methods such as zero-day attacks.

These are attacks that the anti-virus industry has not yet identified or categorised and does not have the technology to combat until it is too late. One of the leading cyber-security vendors this year claimed to have discovered “29 of the last 53 zero-day attacks”. If it only takes one bullet to kill you, the fact that 24 can get through to you is not much in the way of protection.


There is growing evidence that conventional anti-virus defences are no longer effective, as hackers and cyber-criminals simply bypass them. These standard approaches fail to address how the cyber-security world has changed.

The great majority of malware attacks now start with an email to an employee. This will probably have been dressed up to look like it is from someone familiar to its recipient and contain a file attachment.

Criminals will hide their malicious code inside a common file-type, increasingly using the actual structure of the file itself as a hiding-place. Conventional anti-virus solutions don’t pick up these threats, but file-regeneration technology will.

The point about using file-regeneration is that it puts the power back in the hands of the organisation – in this case, the bank. Files are almost-instantly regenerated after being minutely inspected down to byte-level, validated against the manufacturer’s design specification and then rebuilt as clean, completely malware-free versions that are identical to the originals.

Banks can then determine the levels of risk they want their various departments to be exposed to. Some pieces of code in documents which don’t conform to the manufacturer’s standard may be legitimate tools required for a particular task. The bank can decide what it wants to admit and who gets to use it.
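The inspect, validate and rebuild cycle with a per-department policy can be sketched as follows. This is an added illustration, not Glasswall's code or any vendor's product: it uses PNG as the file type, the department names and `POLICY` table are hypothetical, and it checks chunk structure only, not the compressed pixel data.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}   # chunks the PNG spec requires decoders to know
# Hypothetical policy: optional (ancillary) chunks each department chooses to admit.
POLICY = {"trading": set(), "marketing": {b"tEXt", b"pHYs"}}

def chunk(ctype, data):
    """Serialise one chunk: length, type, data, CRC-32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def regenerate(raw, department):
    """Rebuild a PNG from validated chunks. Returns (clean_bytes, findings)."""
    if not raw.startswith(PNG_SIG):
        raise ValueError("not a PNG signature")
    allowed = CRITICAL | POLICY[department]
    out, findings, pos, last = [PNG_SIG], [], len(PNG_SIG), None
    while last != b"IEND":
        if pos + 12 > len(raw):
            raise ValueError("truncated chunk or missing IEND")
        length, ctype = struct.unpack(">I4s", raw[pos:pos + 8])
        end = pos + 12 + length
        data = raw[pos + 8:end - 4]
        if end > len(raw) or raw[end - 4:end] != struct.pack(">I", zlib.crc32(ctype + data)):
            raise ValueError(f"bad length or CRC in {ctype!r}")
        if last is None and (ctype != b"IHDR" or length != 13):
            raise ValueError("first chunk must be a 13-byte IHDR")
        if ctype in allowed:
            out.append(chunk(ctype, data))      # re-serialised, never copied verbatim
        elif ctype[0] & 0x20:                   # lowercase first letter: ancillary, safe to drop
            findings.append(f"dropped chunk {ctype.decode('latin-1')}")
        else:
            raise ValueError(f"unknown critical chunk {ctype!r}")
        last, pos = ctype, end
    if pos < len(raw):                          # anything after IEND is outside the format
        findings.append(f"dropped {len(raw) - pos} trailing bytes")
    return b"".join(out), findings

# Constructed sample: 1x1 greyscale PNG with a comment, a private chunk and appended bytes.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
IDAT = zlib.compress(b"\x00\x00")
SAMPLE = (PNG_SIG + chunk(b"IHDR", IHDR) + chunk(b"tEXt", b"Comment\x00hello")
          + chunk(b"prVt", b"hidden-blob") + chunk(b"IDAT", IDAT)
          + chunk(b"IEND", b"") + b"APPENDED")

if __name__ == "__main__":
    for dept in POLICY:
        clean, notes = regenerate(SAMPLE, dept)
        print(dept, len(clean), notes)
```

The same file yields a different clean output per department: the stricter policy strips the text comment as well, while the appended bytes and the private chunk are removed under both.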

This is best practice. Banks no longer have to rely on the dubious claims of conventional security vendors and can exchange documents with confidence. They don’t have to succumb to the kind of fatalism that seems to have crept in across the cyber security industry where the belief is increasingly common that your organisation will be hacked and you will lose data or be held to ransom. All you can do is to mitigate the effects.


Let’s not forget how damaging attacks can be. The banking arm of Tesco was badly hit by cyber criminals last November, with money taken from about half of the 40,000 accounts affected by “suspicious activity”.

It was serious enough for all online transactions to be suspended for a while. As well as having to refund its customers and rebuild its reputation, the bank is also likely to be stung with a humiliating fine.

Given the scope and sophistication of cyber-attacks, any stress tests ordained by the European Banking Authority or European Central Bank that focus exclusively on IT infrastructure and conventional anti-viral security are destined to be ineffective.

It is time for testing to assess how a bank is embracing innovation to take the initiative against cybercrime, managing an active policy that is adjusted to the precise level of risk required while shutting out all the malicious pieces of code that threaten the organisation’s integrity and, potentially, that of the entire banking system.

By Chris Dye, VP marketing and communications, Glasswall Solutions
