BANKING ON SECURITY
AFTER A SERIOUS CYBER ATTACK ON THE BIGGEST BANK IN QATAR, HAS THE FINANCIAL SECTOR WOKEN UP TO THE RISKS? QATARTODAY FINDS OUT WHERE THE PITFALLS LIE AND HOW THEY CAN BE AVOIDED.
In April last year, a major cyberattack on Qatar's largest lender sent reverberations around the globe. A group of unknown hackers claimed to have broken into the servers of Qatar National Bank (QNB) and leaked 1.4 GB of data from a database containing personal data of its customers. The massive data dump contained hundreds of thousands of financial records, including credit card numbers and their PIN codes, along with customer transaction logs. Moreover, the hackers also claimed to have leaked banking details of some members of the Al Thani family, Al Jazeera journalists, officials from the Ministry of Defence, the State Security Bureau “Mukhabarat” and several other intelligence agencies. What was truly frightening was that it contained personal information collected from several non-QNB sources, such as social media, put together with the aim of creating a complete profile of certain customers. The breach was massive and public, and it shocked people and institutions into action. What had until then been thought of as something that happens to someone somewhere else had hit home hard.
The Governor of Qatar Central Bank, HE Sheikh Abdulla bin Saoud Al Thani, noted that cybercrime is now considered the second most common economic crime in the Middle East. Speaking at a Dean's Lecture at Carnegie Mellon University in Qatar, he emphasised the importance of strong cyber governance, continuous monitoring, step-by-step detection and a well-designed contingency plan to mitigate any vulnerability on account of cyber risks to Qatar's financial sector. “Both attackers and their motivations are becoming more diverse – from financial gains to disrupting activity to causing political and financial instability,” he remarked, noting that cybercrime in Qatar increased by 52% in 2015 over the previous year.
The wake-up call
Security analysts are understandably on edge. “Firms are coming under attack daily. It is well known that financial institutions across the region have prevented a number of attacks and also that a number of cyberattacks have succeeded in penetrating organisational defences. However, there is also a perception that the region is next in line for a major/sustained cyberattack, following large-scale strikes in other parts of the world,” says David Cafferty, Risk Consulting Director at Crowe Horwath UAE, and a Member of the Chartered Institute for Securities and Investment (CISI). Exacerbating this challenge is the shortage of highly skilled people in this field in the region, which is also geographically far from major technology centres; this makes the availability of quality support, implementation expertise and the reliability of providers even more important, according to Soubhi Chebib, General Manager at GBM Qatar.
Also, consumers in the region are doubly vulnerable to attacks on financial institutions because they are somewhat less protected than their counterparts in, say, Europe. “In Europe, a consumer is protected by the European Union legislation for consumer protection, which means that a consumer can only be held liable for a very small amount of damage in case of a data breach or theft. Here it is different and the consumer is more or less liable for any misuse of electronic accounts, or at least the legal process is hard and cumbersome,” says Nicolai Solling, Chief Technical Officer at Help AG. “For the same reason, the banks in the European Union are very focused on minimising risks as they hold the liability. One of the ways this affects the way the banks operate is that in Europe you will not find many banks without a proper two-factor authentication solution for users, whereas here in the Middle East this is something that has only recently been applied by a large portion of banks.”
Under these circumstances, it has become increasingly important to understand the drivers of these cyber risks to help boost policies and strengthen risk governance, according to Cafferty. “Regional governments are very aware of the threat, and the formation of Computer Emergency Response Teams (CERT), and the development of national strategies, is indicative of that,” he says. This is substantiated by HE Al Thani who spoke encouragingly about the work the Qatar government has taken to combat cybercrime, including establishing the National Cyber Security Strategy. “Going forward, in order to benefit from the resiliency efforts of the financial institutions, Qatar Central Bank is preparing the Qatar Financial Sector Information Security Strategy, which will enhance and maintain information security and create a more resilient and secure cyberspace to safeguard the financial sector in Qatar,” he said.
As a result of this, there is an increasing awareness of cybersecurity. Solling says this emphasis on cybersecurity in Qatar will only increase in the coming months with Qatar's recent promulgation of Law No. 13 of 2016 concerning Privacy and Protection of Personal Data. “The first of its kind in the GCC, the law places new restrictions on how personal data of an individual is to be processed in accordance with principles including those of transparency, integrity and respect for human dignity and acceptable practices,” he says. To comply with this, financial institutions, which handle large volumes of sensitive personal information about their customers, will have to rethink their operations and protocols where needed, and also conduct regular training of their staff.
But the government can always do more, as Cafferty illustrates. “Governments receive information on individual attacks but they could do more to assist organisations by sharing this information and using it to create threat assessments, and typologies/case studies, for dissemination to a wider audience. But again, there is a cultural issue around scaring people – perhaps unnecessarily. However, not only should organisations be scared, they need to be scared into taking a more robust, strategic and holistic approach to cyber-risk.”
Chebib agrees. “IT security is not something that can be implemented and then forgotten; it requires constant monitoring and periodic updates that keep it up to date with the latest batch of threats and malware on the scene,” he says. “In addition to this, IT security should not be taken alone to ensure the protection of systems; it should be woven into the overall security strategy of the organisation. In fact, many organisations have established a designated Chief Security Officer position, thus assigning the maintenance of the overall security of the company to a single person who reports directly to the CEO of the organisation.”
Patching up vulnerabilities
Globally, the financial services industry is under a barrage of ransomware and spearphishing attacks, according to a new survey conducted by the SANS Institute, gauging the state of risk and security in the financial sector. For the first time, ransomware, identified by 55% of respondents, has eclipsed spearphishing (50%) as the top attack vector. Such attacks have caused considerable damage, with 32% of survey respondents citing losses between $100,001 and $500,000 as a result of their breaches. While the sample size of Middle East-headquartered organisations in the survey is reasonably small, the threat is not confined by geography, as Chebib says: “Cybersecurity has no physical borders. Wherever you are or the system is around the world, attacks can be mounted from and to anywhere. Certainly, cyberattacks are politically motivated and we witness this from time to time. Qatar has taken strong measures to employ very sophisticated cybersecurity solutions and continues to update this in order for the services to be provided reliably and uninterrupted.”
While Qatar, together with the UAE and Saudi Arabia, leads the IT market in the GCC, spend alone will not ensure security. “Cybersecurity spending now accounts for a significant portion of IT budgets in the Middle East. What remains unclear is whether they are sufficiently equipped to defend against these attacks,” said Ned Baltagi, Managing Director, Middle East & Africa at SANS. Just over half of the surveyed organisations said they felt prepared or very prepared to fend off attacks. “And even this readiness will stand to be tested when alternative payment systems come online,” he added.
Managing human vulnerabilities is sometimes more of a challenge than the technical aspects, though it ought to be the easiest and most effective way to combat cyber-risk. For example, both ransomware and phishing attacks (the two largest kinds of cyberattacks on financial institutions) prey on the vulnerabilities associated with users, who often unwittingly click on links that unleash vicious attacks on their organisation's assets. For that reason, organisations are going beyond techniques like employing perimeter defences, endpoint protections and log management techniques to identify, stop and remediate threats, and are focusing on controls such as email monitoring and security awareness training to reduce the potential for employee actions that unleash malware on their devices.
But there is still much left to be desired in this area. “Organisations are still taking an ‘old school' approach to cybersecurity with a narrow focus on ‘IT security' – a simple, easy-to-deal with threat with guidance given to members of staff, such as on the usage of USBs, unauthorised downloads, theft of data and small-scale phishing,” says Cafferty. “The impression that staff members get is that IT matters are very personal localised issues, rather than highlighting the bigger risks they may cause to the organisation such as denial of service, theft of customer data, whaling and large-scale extortion.”
“Management, working under Board direction, needs to develop focused education, training and awareness programmes for their organisations. Utilising government statistics and typologies, supported by internal research, management should ensure that all staff are aware of the full range of risks the organisation is exposed to and that education programmes are put in place so as to ensure that cyber risk management is embedded in daily activities. Finally, specific/ongoing training should be given to key individuals, and teams, so as to provide the skills and knowledge the organisation needs to effectively prevent, detect and respond to the cyber-threat,” he says.
From end to end
Thanks to technology, everything is interlinked, such as a business's core operations with its vendors, customers and supply-chain networks. As such, failure to understand and address the systemic cascading effects of cyber risks could have far-reaching consequences across the network, according to Cafferty. "Customer education is more commonplace in this region, but again the fear factor gets in the way. Organisations don't want to give customers the impression that they don't have the systems in place to protect them,” he says. Initiatives like ‘customer training' may be unlikely due to the logistic challenges they pose, says Solling. “Financial institutions could, however, regularly share information about the latest cyber-threats and trends. They could also share best practice for online security. For example, many customers reuse weak passwords across multiple Internet accounts and even their online banking accounts. With data breaches of even large social media and other Internet services now commonplace, such behaviour could easily jeopardize users' security,” he says.
But he also goes on to emphasise that financial institutions must be wary of the partners they work with, particularly those that are SMBs. “Cyber-criminals often use these as gateways into the networks of larger organizations,” he says. "In the UAE we have seen such an attack successfully carried out against RAKBANK. In this particular case, RAKBANK's business partner in India, which prints their credit cards, had a data breach where information on credit card numbers and CVC codes were lost. This allowed attackers to replicate card information, which again was used to deduct money from these cards. RAKBANK was reported to have been facing damages of approximately $5 million (QR18.2 million) associated with this. Although they were not directly at fault, of course such incidents have a negative brand impact,” he points out.
Training partners and ensuring that they have the right cybersecurity measures in place will improve the security posture of the financial institutions themselves. By taking a broader focus aimed at the operations of the business, its supply-chain networks and its customers, cyber-risk education for all involved parties can provide proactive, strategic and more actionable insights into the entire control system of the enterprise.
New challenges of a new era
Even as we are still grappling with existing challenges, a new technological era fast approaches. With advances in new technologies – such as the cloud, analytics, mobility, artificial intelligence (AI), Big Data and the Internet of Things – the attack surface has expanded dramatically.
In particular, the so-called Internet of Things (IoT) – a term used to describe anything and everything that is connected to the Internet and able to communicate with other ‘smart' devices – has become central to how businesses operate, and in return it has brought immense challenges in the areas of privacy and security. A major issue around IoT is the vast number of devices, says Solling. “We are talking about as many as 50 billion sensors and devices by 2020. All those sensors are cheap, low-cost devices – a major factor as there are so many of them. Given this, how much security do you then think they could design into the hardware? Another problem is the software: IoT devices use software like any other device on the Internet. Some of them have generic operating systems like embedded Linux. How do you patch 50 billion devices in case of a general vulnerability?” he asks. Unfortunately, we are already beginning to see the first examples of how attacks can be perpetrated in a connected ecosystem.
Given these challenges, it is imperative for organizations to thoroughly assess their IoT readiness before going to market. First, the service needs to make sense. While CEOs and CIOs within organizations must focus on how they can innovate in their business, it won't always hold true that IoT is the only way they can innovate. What is unique about IoT is that it is not necessarily trying to invent new problems, but tries to solve or optimize how we do things. Another very important aspect is the integrity and availability of the service. The minute you start to integrate with the day-to-day life of individuals, you need to ensure that the service is always available. Finally, and perhaps most importantly, security; financial institutions in particular need to think about the data they are storing, and how they are ensuring it is safe. IoT services need to be built with security in mind, as any failure to deliver the same can cause a huge impact to the reputation of a service.
On the other hand, the technological upper hand provided by Big Data and predictive analytics can't be denied. “Predictive security analytics is a way to analyze where threats could be coming from and who is mounting these threats and relationships that they have between them with potentially the physical location of the threat,” says Chebib. “Different elements of information are correlated together to provide insight about the threat to enable security specialists to pre-empt such threats, or to stop it. Big Data concepts shed more light and additional perspective in understanding threats and ways to prevent them and/or minimise their risk.” Big Data will also have an important role to play in helping organisations to identify areas of risk, says Cafferty. “What data they have; where that data is to be found; and what levels of protection are needed. It's a profound transformation in how man and machine interact with each other.”