Historically highly targeted by cybercriminals, financial services are among the most advanced in terms of protection. While they are alert to risks as well as being equipped to anticipate and avoid them, companies must ensure that their supply chain is as resilient their attackers.
Amanda Creak is responsible for technology risk in Europe, Middle East, Africa (EMEA) for Goldman Sachs. This “technology risk” refers to all threats incurred by the investment bank in relation to digital technologies. Of which there are many – especially for financial institutions. Nearly 90% of cyberattacks worldwide are motivated by financial gain. This involves either simply stealing money, holding individuals and companies to ransom or stealing information from systems that can then be resold – data, patents, contact details, IDs and passwords, and so on.
For a financial institution like Goldman Sachs, cyber-risk is one of the main areas of focus. “Not only are all our processes digitised, but all of our equipment is connected, from desktop computers to printers to air conditioning! Many of the large financial institutions like ours attract cybercriminals,” explains Amanda Creak. She has been passionate about cybersecurity since the beginning of her career and enjoys the challenge of managing a significant security program in a large bank. “As an investment bank, we have a lot of confidential and therefore sensitive information; what we call Material Non-Public Information (MNPI). This is information relating to mergers, acquisitions, IPOs, investments, etc. But we are also an online retail bank, so we have to protect our customers from all money-related crimes.” Moreover, risks are evolving rapidly, and attacks are constantly renewed.
However, the security of a financial institution would be useless if the supply chain was not also highly secure. “We are in a regulated sector and cybersecurity is taken into account in regulations, stress tests, etc. But we need to make sure that our service providers and partners, who are not necessarily subject to the same regulations as we are, have the same level of security as we do,” explains Amanda Creak. It isn’t always easy to ask a supplier to respect very restrictive rules when they are just restocking the company with office supplies or coffee… Similarly, with the majority of staff working from home at the height of the Covid-19 pandemic, solutions had to be made for it to be possible to maintain the same high level of security at home as in the office.
For Goldman Sachs, security is achieved through defence in depth and layers of controls and focusing on good cyber hygiene. “We pay attention to fixing security vulnerabilities and we strictly control the use of USB sticks, which only a few dozen people can use,” says Amanda Creak. Attack attempts, intrusion attempts, ransom attacks, check-ups and patches are regularly carried out to assess the consequences and test the resilience of the system. The goal: that this institution, founded in 1869, will remain a major player in world finance for a long time to come.
Ransoms are highly profitable attacks!
Wavestone’s CERT (Computer Emergency Response Team) has analysed the profitability of two ransom attack scenarios. They consolidated data from CERT-managed attacks and analyses of cyber-crime groups from different companies and organisations. These analyses take into account the costs of setting up and managing the attack as well as money laundering and human resources to calculate the net gain after laundering. The first attack, non-targeted in general public, shows a return on investment (ROI) of 746%. The ROI of the second, an attack targeted at businesses, is 525%. Wavestone, associated with the Montaigne Institute, is now studying ways to reduce this ROI and make ransom money less profitable.