Your Industry, Feb 20 2013

Ghost in the machine


The rate at which technology has developed in the past 20 years has been rapid, to say the least, and organised criminals who embraced cyber crime have been keeping up with the swift development.

Moving into the area of company computer systems as a means of making money or wreaking havoc, cyber crime is something that cannot be ignored, and anyone involved in financial services needs to be aware of the growing threat.

With that in mind Financial Adviser invited a panel of experts to its offices to help educate an audience of financial professionals on the level of risk that cyber crime poses to their businesses and to update them on the approach to regulation with the Financial Conduct Authority.

David Stupples, director of the centre for cyber security sciences at City University London, kicked off the seminar by focusing on how much money should be spent on protecting businesses against the threat of cyber crime.

He said: “One of the things we started to look at here at the university in light of viruses and worms is how much money should be spent on security. You can carry on putting more and more money into security but are you still going to be affected and lose money?

“What we are trying to do at the moment is come up with some sort of compromise and explain that this is the amount of money that you do need to spend on security, but you are going to lose money as well because there is no real way that you can protect forever. Sooner or later people are going to find a way into your computer systems and either steal data or cause damage.”

Mr Stupples said there were two sorts of attacks that can affect a computer system: sabotage, which will destroy files and take the whole computer system down, and espionage, which can build itself into the computer and gather inside information, such as stock movements and mergers and acquisitions – information which Mr Stupples said was “invaluable” to the criminal.

He added: “There are viruses and worms and both of them will manipulate and replicate themselves, but the worm has the capability to get inside the computer, burrow itself and stay there until it is activated. It could be put in as a sleeper and stay there for six months and then the organisation will activate it and it will start up.”

Mr Stupples also highlighted the risks associated with trojan programs, which perform actions that are not authorised by the user, and with riskware, which covers legitimate programs – some of which are sold publicly and commonly used for legitimate purposes – that can cause damage when they fall into the hands of malicious users.

So is there anything that can be done? Dmitry Dudorov, research associate for City University London, explained some of the countermeasures that businesses can put in place, such as vetting and training employees, system-level security, physical-level security, and insurance – something which he said was “the most important thing”.

He added: “When we talk about insurance we always talk about risk, and we all know that risk is probability times impact. We can calculate the impact, but when it comes to probability of an attack there is not much we can do. This is the main idea of our research.”

The solution the university team has found from that research is J-value – explained as providing an objective tool that assesses the cost-effectiveness of safety schemes for a wide range of industries. It is a new approach, based on established economic theory that balances safety expenditure against the extension of life expectancy brought about by the scheme.

Mr Stupples said: “Because we know the probability of attack, because we know for a particular bank or a particular organisation what the threat is and what the loss could be, we could then calculate the level of insurance for it. We could also calculate how much we should spend on its protection. You will be surprised that the majority of the companies are actually spending too low – but some do spend too much.”

He added that it would be impossible to stop the hacker or the criminal because there were too many of them around the world.

“There will be hundreds of millions probably doing this and these hackers are really expert at getting into operating systems, perhaps more so than people that we hire,” Mr Stupples said.

“It is a battle that we are not going to necessarily lose, but we are not going to win it either. What our solution does is say this is the value that you should put on insurance, this is how much money you can put into protection and, possibly, this is the amount of money that you are going to lose.”

But it is not the only threat that businesses should be prepared for. Esrar Moitra, consulting director for Optima Regulatory Strategies, highlighted the burdens that companies were going to be faced with under the FCA when the new twin-peaks regulation gets into full swing.

He explained that the FCA will have a strategic objective to ensure that relevant markets work well and three operational objectives – consumer protection, integrity of the UK financial system and effective competition in the interest of consumers.

Mr Moitra said: “The FCA will also have new powers to force the immediate withdrawal or prevention of financial promotions, new powers to ban or prevent the sale of harmful products, and publicly announce investigations before determination of wrongdoing.”

He said that the regulator would try to achieve a reduction in actual or potential consumer detriment, product failures, advisory failures, firm failures and market failures.

In effect Mr Moitra said that we were moving towards a regulator “with teeth” and highlighted the FSA’s current approach to unregulated collective investment schemes, payment protection insurance, structured products and Arch Cru as a taste of what life might be like under the FCA.

Speaking about what businesses can do to reduce the regulatory risk, Mr Moitra said: “You need to market, transact, service and control the business well. All decisions need to be at the top, middle and front line of the business and you need to apply a regulatory lens to everything that you do.”

Alex Young, director of West Sussex-based advice firm Facet, said social media was becoming a popular way for adviser firms to advertise their services, and questioned whether it should be carried out using a different computer.

Mr Stupples said that if social media were important to a firm then it could separate its client data and have another encrypted log-in.

He added: “We can’t protect against everything, but the best thing to do is to put as much difficulty in there for the criminal as possible. It is not the social media that is the problem, it is people who are just sitting there scanning the internet. Suddenly they see something that they like and before you know what is happening they could be manoeuvred to a dangerous site.

“When you use social networks you are more open to social engineering techniques, such as phishing. Let staff visit these websites, but from their own personal devices.”

Izabella Gryzb, founding partner of London-based IFA Winterdean Partnership, questioned what companies needed to do from a compliance perspective to check that wraps, or other companies they direct their clients to, were secure, and where responsibility lies if their client data gets compromised through that source.

Mr Dudorov said there is no way to check whether they have shared your customer data with anyone else.

Mr Stupples said: “As long as you have done as much as you can in regards to due diligence on the company that you have told them to connect to, then you probably would be covered.”

Mr Moitra added: “If the wrap platform is regulated, which it will be, then by virtue of that it should be meeting the correct thresholds. But there will be differences across providers to the level of safeguards that they have.”

Roger Hersee, of Kent-based Roger Hersee Partnership, wanted to know whether the Apple operating system was safer than Microsoft.

Mr Stupples was quick to respond “no” and said: “The Apple operating system is slightly better but if people wanted to attack it then they would.”

Amy Ellis is senior features writer of Financial Adviser

Key Points

Cyber crime cannot afford to be ignored and anyone involved in financial services needs to be aware of the growing threat.

There are two sorts of attacks that can affect a computer system: sabotage, which will destroy files and take the whole computer system down, and espionage, which can build itself into the computer.

Businesses will not be able to stop the hacker or the criminal because there are too many of them around the world.

Profiles:

David Stupples - Director of the centre for cyber security sciences at City University London.

For a number of years Mr Stupples undertook research into secure communications at the Royal Signal and Radar Establishment at Malvern, Worcestershire. He has also worked for the private sector and his research has included the development of high-grade encryption techniques.

Dmitry Dudorov - Research associate at City University London.

Russian-born Mr Dudorov moved to the UK in 2008 after graduating from Saint-Petersburg State Polytechnical University where he received his MSc in computer science and information engineering. He is currently a PhD candidate at City University London under the supervision of Mr Stupples, and has been involved in research in the centre for cyber security sciences at the university from the second year of his PhD.

Esrar Moitra - Consulting director.

Mr Moitra has spent more than 10 years working in the retail financial services market, including roles as a CF30 adviser. He has worked for the Financial Ombudsman Service, the FSA and Deloitte, covering the IFA distribution, retail banking, investment banking and wealth management sectors. More recently Mr Moitra worked for Grupo Santander in a change and transformation role with responsibility for regulatory change projects.

Box: History of worms

1994 – Citibank: considered the first serious cyber crime with a financial motive. Russian hacker Vladimir Levin tricked computers at Citibank into sending $10m to himself and accomplices around the globe.

1998 – Cult of the Dead Cow: the hacker collective released a program – Back Orifice – that allowed someone to take control of another computer running Windows 95 or 98.

2003 – Blaster: it was theorised that a blackout in northeastern US states was the result of a computer worm that had appeared days before, and not of power line failures.

2007 – Zeus botnet: built for techniques such as phishing, enticing recipients of an email message to click on links to software that infects their computer.

2010 – Stuxnet: a new kind of worm aimed at industrial control computers, said to have damaged Iran’s nuclear infrastructure.

2011 – Gauss: a complex cyber-espionage toolkit created by the same authors behind the Flame malware platform. It is highly modular and supports new functions, which can be deployed remotely by the operators in the form of plug-ins.

2012 – Flame: described as the most complex malware ever found, it can record audio, screenshots, keyboard activity and network traffic.