BAE Systems Applied Intelligence’s Simon Viney explains what financial institutions can learn from pandemic-related security and fraud trends
The most successful businesses turn crisis into opportunity. But there have been few global crises in living memory to match the pandemic of 2020 and its effects will continue to linger for many years to come.
COVID-19 is said to have pushed many companies “over the technology tipping point”, accelerating digital transformation as they rapidly adjusted to a new reality. But it also pushed many banks and insurers to the limit, as they struggled to tackle surging levels of cyber-crime and fraud.
The COVID Crime Index report set out to find exactly how these financial institutions (FIs) and their customers were affected. It reveals plenty of challenges for the industry to overcome in the UK and US, but also highlights opportunity.
Cyber-crime surges during lockdown
There’s been plenty of anecdotal evidence around escalating cyber-crime and fraud, but how bad really was 2020? The 902 FI respondents surveyed were pretty unequivocal. Three-quarters (74 per cent) said they’d seen an increase in malicious activity since the beginning of the crisis. On average this amounted to a 29 per cent increase, driven by threats to corporate systems and data such as mobile malware, phishing, botnet attacks, ransomware and insider threats.
The unique characteristics of the pandemic appear to have helped the threat actors and hindered FI security teams in equal measure. On one hand, disruption caused by COVID-19 restrictions provided the perfect lure for phishing attacks. Distracted remote workers and exposed infrastructures, such as unpatched virtual private networks (VPNs) and remote desktop protocol (RDP) endpoints, offered additional opportunities for compromise.
On the other, FIs were forced to rapidly evolve their security strategy, which may have left critical gaps: those that were able to evolve around the pandemic took an average of 18 weeks to do so. A minority (14 per cent) are still evolving their capabilities.
Overall, the vast majority (86 per cent) of FI respondents admitted remote working made their organisation less secure, with over two-fifths (44 per cent) complaining of a lack of visibility into their networks. Some 14 per cent said the productivity of IT security teams also suffered due to remote working.
Budget cuts lead to more financial pain
At the same time, financial pressure forced many FIs to cut funding for IT security, fraud and risk teams. On average, budgets were cut by 26 per cent between March 2020 and March 2021, almost exactly the same amount that detected criminal activity rose by (29 per cent) during the period.
Although the two trends are not linked, 37 per cent of respondents claimed customers would be at greater risk of cyber-crime or fraud due to a drop in investment. Around the same number (36 per cent) warned of losing experienced security professionals.
There’s a strong likelihood the initial decisions to cut investment in security and fraud may have actually resulted in more financial and security woe for FIs. Most (75 per cent) FIs said cyber-crime losses experienced by their business over the period were down to pandemic-related crimes.
Consumers in at the deep end
The index also polled over 2,000 US and UK consumers to understand their experiences of the pandemic. Perhaps unsurprisingly, given the large numbers of first-time ecommerce users surging online, many suffered losses.
Half (50 per cent) of the consumers surveyed said they’ve been victims of cyber-crime or online fraud in the past, a fifth (19 per cent) over the past year. A quarter (24 per cent) claimed it happened twice in a year and 15 per cent three times. Phishing, bank and card fraud, stolen data, and fake SMS messages and phone calls were all commonplace, with COVID-19 often used as a lure.
Yet, while these incidents caused understandable stress and strain for many consumers, they’ve also increased their awareness of malicious online activity. Nearly a quarter (23 per cent) are now more concerned about cyber-crime than they are physical crime. This is an important trend for FIs to note.
What the future holds
So what next for FIs looking to exit the pandemic with momentum? Most (77 per cent) are concerned about the continued rise in online threats over the coming year. Somewhat surprisingly, a fifth (17 per cent) say they have little confidence in their ability to block cyber-crime and fraud in 2021.
Financial service providers must strengthen capabilities to meet the growing expectations of an increasingly cyber savvy customer base. A quarter (24 per cent) of consumers believe their FI could do a lot more to protect them from cyber-crime and over half (53 per cent) now think it’s the job of FIs to do so — more so than the government (47 per cent) or the police (34 per cent). Most consumers also say they now consider cyber-crime protection when choosing a bank or card provider.
So where are the opportunities for FIs? Certainly in providing more transparency around current cyber-crime and fraud campaigns, as well as investing in greater education and outreach to customers. But also, in bolstering internal security with a focus on people, process and technology.
That means understanding where key assets lie and where data flows across the organisation, what the key threats and attack vectors are and where vulnerabilities lie. It means continually training staff in best practice cyber awareness, breaking down siloes between compliance, fraud and security teams, and following internationally recognised governance frameworks and standards. It also means enhancing cyber security and fraud detection capabilities with a focus on defence-in-depth, automation and consolidation.
There’s much to learn from the events of the past year. The FIs that take learnings from the pandemic and respond to these well will be best placed to survive in a post-pandemic future.
Simon Viney is Cyber Security Financial Services Sector Lead at BAE Systems Applied Intelligence