Why are the controls of yesterday not always sufficient to face today’s threats?
How do you shape the ability to react quickly to cyber risks, and what are the possible short-term impacts of these threats on the business?
First of all, it is important to keep a sharp view of what is happening outside of the bank, in society, in the financial sector, regarding incidents that were triggered by cyber events. Furthermore, it is important to weave the improvements, triggered by the most relevant threats, into the existing security programmes. This is to keep teams focused and not have them distracted by “the flavour of the month”.
These threats are not only a threat to ourselves, but also to our customers. We have seen situations where SME businesses went bankrupt due to ransomware attacks. For us, these threats mean that we continuously need to be focused on new threats and remain agile in improving security. The controls of yesterday are not always sufficient to face today’s threats. This impacts the amount of work for the IT teams, imposed by compliance and security requirements.
How has COVID-19 changed trends and methods of cyber fraud in online banking? Are banks capable of keeping up with the threats?
Research has shown that more threats are now focused on individuals. Criminals are, more than before, aiming to obtain access to customers’ credentials in order to gain access to their bank accounts. Criminals are using moments of uncertainty, e.g., briefly before or after government press conferences where COVID-19 measures are announced, to send out phishing emails. People unfamiliar with the situation are more likely to click links to unsafe websites.
At the same time, there is a stronger dependency on reliable working-from-home solutions, which changes and increases security requirements. A completely different example of changing requirements is that the need for external business continuity locations has become smaller, as we have learnt from the COVID-19 situation that many (not all) staff members can work from home in case of a disaster.
My personal view is that banks have coped well keeping up with these threats, by strengthening controls. Improving working-from-home solutions was high on the agenda for banks in 2020 already. Key elements involved are perimeter security, access controls, remote access and security training of staff and customers.
How to create a cyber resilient organisation while threats are constantly evolving?
Obviously, there is no silver bullet to build a resilient organisation, and there are several important factors. Given the more intensive workload for IT teams to implement security requirements for the increasing threats, it is important that responsibility for security is felt by a broad range of departments. This also requires training at all levels. A broadly felt responsibility makes the organisation more agile, in comparison with the situation where security is solely dealt with by the Security Department and IT, as we have seen in the past.
Rob SCHUURMAN is Head of 2nd-Line Cyber Risk at Rabobank. After starting his career in an operational IT department as a systems administrator, Rob shifted his focus to Information Security Risk management and started working in IT audit for KPMG. Since that move, Rob has gathered almost 20 years of experience in Information Security Risk management, whilst auditing and consulting in a broad range of multinationals via KPMG. After moving to Rabobank, Rob fulfilled different roles within the 1st, 2nd and 3rd lines of defence, building up in-depth knowledge about IT infrastructure operations and technology, information security topics, 2nd-line risk management practice and IT-related audits in different countries within Rabobank. In his current role, Rob leads the cyber security risk management practice within second-line risk management at Rabobank. In the current situation of increasing and changing threats, it is crucial to enable IT departments to keep focusing on the most important risks. In order to do so, Rabobank has established a risk management framework that embeds Cyber Security into other risk management disciplines, including operational risk. This positions Cyber Security well in the organisation and ensures attention from all relevant disciplines and levels within the bank. During his presentation, Rob will explain how this was achieved. In his free time, Rob likes travelling and running.