CHAPTER 14
Cybersecurity—The Threat from Outside and Inside the Firewall

It's 9 a.m. Do you know where your data are? As you read the morning newspaper, most likely on a mobile device, you could unwittingly be opening the way for cyber invaders. Maybe it was an email sitting in your inbox that you clicked on, maybe a link to a new business article or journal study. And suddenly the walls of your enterprise are breached—the walls that you have spent billions of dollars to secure with software and services, walls that can be breached in the blink of an eye.

In this chapter, we address two types of cyberthreat: the threat from the outside and the threat from within.

External Cyberthreats

Of late, cybersecurity threats have been a greater concern than ever, including allegations of election hacking from all sides. Although sovereign states now deploy powerful tools of cyberwarfare, small but well‐organized attackers pose just as much danger to banks.

Malcolm Gladwell, in his book David and Goliath, highlighted the somewhat counterintuitive idea that in a clash between a David and a Goliath, the odds are generally stacked against the bigger, more highly favored opponent.1 Goliath is slow and lumbering, blinkered in his vision and rather hard of hearing. He also has a rather outdated weapon at his disposal. Like Goliath, the modern large enterprise is slow—slow to react to changes in the business environment. It is also hard of hearing, and updated information from clients and employees may not reach the ears of the senior managers who can influence the decisions made by the company. Furthermore, a combination of sunk investments and conservative thinking may delay decisions to invest in modern tools. Now contrast that with a small attacking force, the David in this encounter, which has but one objective: to bring down the larger one. It dedicates its energies to that one goal and can take full advantage of modern weaponry to do so. This small opponent can change its message and have it understood by all its network members instantly. Today, banks find themselves under siege from organizations dedicated to stealing data, individual identities, and account information and to disrupting customer services. Vast entities—businesses, organizations, countries—find themselves outmatched by relatively tiny organizations.

It is unusual these days for a week or even a day to go by without publicity of a security breach at a large bank or retailer, and it feels like this game has changed both in terms of the significance and the nature of that risk. The greater significance attached to data security can be seen in two ways. First of all, the publicity surrounding recent data breaches has been richly deserved. There have been massive breaches, and they have upended the assumptions customers make when they transact in the most basic, everyday ways. Second, in “yesterday's world,” the security of a bank's IT network was generally the domain of IT security chiefs. Today, however, it is the CEO who owns it and who publicly responds to it. The issue of today is not just compliance with the regulatory control framework but the loss of real assets, customers, data, and revenue.

The elevation of the significance of data security has been brought about by the revolution in the ways we transact, conduct, and manage business. Customers access their accounts online as a matter of course, often on‐the‐go via a bewildering array of devices. The same is true of employees. We already take this for granted, but it is a massive change, and it has taken place in the blink of an eye. Large US enterprises, on the other hand, have typically designed their IT security strategies around the paradigm of employees accessing a single IT network from enterprise‐compliant computer devices. Although the network was frequently breached by viruses, worms, and the like, such breaches caused limited financial damage and minimal reputational damage. This was because online customer transactions and account data were far less ubiquitous and thus harder for an intruder to locate and steal from. Companies nevertheless started to make bigger investments to shore up their networks. Robust firewalls were erected and antivirus software was installed. These investments were built on a view of the enterprise as a single network with a centralized command‐and‐control center. Today, those seeking to infiltrate a company's information assets, customer accounts, sales information, and so on have many potential points of entry, via unwitting customers and employees, that bypass the central firewall entirely. Focusing on the firewall is rather like focusing on a missile defense shield when terrorists are leveraging civil airliners. The Goliaths of today need to get a slingshot.

The key to turning the tables in this battle revolves around two components: data and education. Companies need to go through a process of identifying which of their own data and their customers' data are critical to protect. Once identified, analytics should be built around how, when, and by whom the data are accessed. For instance, when does a customer typically access his or her account, from what device, what types of transaction are executed, for how much, and so on? For an employee, the analysis is similar: Which employees touch this customer's account information, and to perform which function? Understanding these normative patterns helps identify unusual activity that could indicate a breach has occurred. Investment in tools, people, and processes that can detect deviations from such patterns of behavior is critical if companies are to move from defense to offense on this issue.

Insider Threats

These days, and perhaps it has always been the case, Wall Street needs to worry just as much about the threat posed by insiders, by rogue employees, as from those threatening from outside. Edward Snowden is only the most famous example of this threat: an employee who is inside the firewall and throws stuff—secrets, confidential information—over the wall for all to see. Banks have had their own versions of Snowden to deal with.

Herve Falciani worked for HSBC in Switzerland. Falciani is the person behind the Lagarde list, a list of allegedly over 130,000 HSBC clients, many of whom allegedly used the bank to evade taxes and launder money, which Falciani leaked to Christine Lagarde, then French Minister of Finance and later managing director of the International Monetary Fund. Lagarde, in turn, sent the list to the governments whose citizens were on it. Falciani, who worked in IT at HSBC, had managed to download the client information and take it with him to France in 2008. In November 2015, Switzerland's federal court sentenced Falciani, in his absence, to five years in prison on charges of “aggravated financial espionage, data theft, and violation of commercial and banking secrecy.” Falciani, however, remains beyond the jurisdiction of the Swiss authorities.

So what did Falciani do that was so wrong? In traditional private banks, customers remain anonymous, accounts are numbered, and only the banker knows the identity of the account holder. Secrecy laws, enacted in certain countries, Switzerland being one of them, require banks to keep information about their clients private and secret from any prying eyes. Whether or not you agree with these rules, Falciani emphatically broke them, and so provides a very good example of the threat that is posed by all employees. According to a New Yorker profile, “Falciani had obtained sixty thousand files relating to tens of thousands of HSBC clients from nearly every country.” An HSBC lawyer later described Falciani's crime as “the largest robbery of a bank ever committed in the world.”2

So who was Falciani, and how do we recognize a threat posed by someone like him? Like Edward Snowden, he worked in IT systems at HSBC and, indeed, his job was to build stronger network security following a scandal involving bankers skimming from client accounts. He had worked in this role for around eight years, and as such was a participant in a number of projects to improve systems and client databases. Like Snowden, Falciani allegedly harbored a sense of injustice, which in this case did not go unreported. According to the New Yorker profile, Falciani became aware of fraudulent practices at HSBC and said that “he tried to sound the alarm and was ignored—a claim that the bank disputes.”3 The HSBC incident still haunts Swiss and other private banks today.

Any discussion of global data systems being implemented by a universal bank has to take special account of the Swiss data protection laws and requirements, and this often results in a Swiss instance of the system being created specifically in Switzerland. I know this from bitter experience!

The key to identifying the insider threat and mitigating it is threefold:

  1. It is important to recognize that IT employees and IT vendors play a special role in enabling the flow of customer data through the bank's systems and infrastructure and, as such, typically enjoy special access. The controls against them having access to client data and accounts must be robust, with a focus on segregation of duties and on immediate withdrawal of access on completion of a project or change‐management operation.
  2. Strict data encryption routines and utilities should be built into any system that transfers and analyzes data, with keys managed so that only authorized users, those whose job requires them to have access on the front end, are able to read and understand the data; the administrators who run the system should not themselves be able to decrypt it.
  3. Banks must get to know their employees much better. Managers have a responsibility to know and understand their employees and their motivations.

In addition, modern surveillance technologies can help by reviewing all employee communications against code‐of‐conduct policies using keyword lexicons and search tools. Artificial intelligence can enhance this by learning each employee's normal patterns of behavior in order to identify the anomalies and the exceptions: Which people do they normally connect with, inside and outside the company? What systems do they access, and what files do they open and edit? “Know your employee” may not be a legal requirement in the way that “know your customer” is, but it is clearly just as important, and it cannot end once the background checks have been completed.
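The baseline‐and‐deviation analytics described earlier for customer and employee access, and the behavioral profiling of employees described here, can be illustrated with a small Python example. This is an added illustration, not code from the chapter, from HSBC, or from any surveillance vendor. The log format, the user, device, and system names, the one‐hour slack on working hours, the ×3 volume threshold, and every log line are constructed assumptions; a real deployment would read the bank's own access logs and tune the thresholds against observed false‐positive rates.

```python
"""Baseline-and-deviation detection over access-log lines (added example).

Everything below the docstring is an assumption constructed for illustration:
the log format, the users, devices, systems, thresholds and each log line.
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample lines. Assumed format (one event per line):
#   <ISO timestamp> <user> <device> <system> <action> <object>
BASELINE_LOG = """\
2024-03-04T09:12:00 alice laptop-17 crm read account:1001
2024-03-04T10:40:00 alice laptop-17 crm read account:1002
2024-03-04T15:05:00 alice laptop-17 crm update account:1001
2024-03-05T09:30:00 alice laptop-17 crm read account:1003
2024-03-05T14:10:00 alice laptop-17 crm read account:1004
2024-03-04T08:20:00 bob ws-42 jumphost login host:db-01
2024-03-04T17:45:00 bob ws-42 jumphost login host:db-02
2024-03-05T08:05:00 bob ws-42 jumphost login host:db-01
"""

# Constructed events to score against the baseline: one normal read, one at
# 02:40, one from an unknown phone, an IT user touching the CRM, a user with
# no history at all, and a burst of exports well above alice's daily norm.
NEW_LOG = """\
2024-03-06T10:15:00 alice laptop-17 crm read account:1005
2024-03-06T02:40:00 alice laptop-17 crm read account:1006
2024-03-06T11:00:00 alice phone-9 crm read account:1007
2024-03-06T11:30:00 bob ws-42 crm read account:1001
2024-03-06T12:00:00 mallory ws-99 crm read account:1001
2024-03-07T09:00:00 alice laptop-17 crm export account:2001
2024-03-07T09:05:00 alice laptop-17 crm export account:2002
2024-03-07T09:10:00 alice laptop-17 crm export account:2003
2024-03-07T09:15:00 alice laptop-17 crm export account:2004
2024-03-07T09:20:00 alice laptop-17 crm export account:2005
2024-03-07T09:25:00 alice laptop-17 crm export account:2006
2024-03-07T09:30:00 alice laptop-17 crm export account:2007
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse log lines into dicts, oldest first; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, device, system, action, obj = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "device": device, "system": system,
                       "action": action, "object": obj})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per-user profile: known devices and systems, working-hour window,
    and the peak number of distinct objects touched on any one day."""
    profiles = {}
    per_day = defaultdict(set)  # (user, date) -> objects touched that day
    for e in events:
        p = profiles.setdefault(e["user"], {"devices": set(), "systems": set(), "hours": []})
        p["devices"].add(e["device"])
        p["systems"].add(e["system"])
        p["hours"].append(e["ts"].hour)
        per_day[(e["user"], e["ts"].date())].add(e["object"])
    for user, p in profiles.items():
        p["hour_lo"] = min(p["hours"]) - 1  # one hour of slack either side
        p["hour_hi"] = max(p["hours"]) + 1
        p["max_daily"] = max(len(objs) for (u, _), objs in per_day.items() if u == user)
    return profiles


def detect_deviations(profiles, events, volume_factor=3):
    """Return (timestamp, user, [reasons]) for each event that breaks its user's baseline."""
    alerts = []
    per_day = defaultdict(set)
    for e in events:
        reasons = []
        p = profiles.get(e["user"])
        if p is None:
            reasons.append("no baseline for user")
        else:
            if e["device"] not in p["devices"]:
                reasons.append(f"new device {e['device']}")
            if e["system"] not in p["systems"]:
                reasons.append(f"system {e['system']} outside baseline {sorted(p['systems'])}")
            hour = e["ts"].hour
            if hour < p["hour_lo"] or hour > p["hour_hi"]:
                reasons.append(f"off-hours access at {hour:02d}:00 "
                               f"(baseline {p['hour_lo']:02d}-{p['hour_hi']:02d})")
            key = (e["user"], e["ts"].date())
            per_day[key].add(e["object"])
            limit = volume_factor * max(p["max_daily"], 1)
            if len(per_day[key]) == limit + 1:  # fire once, at the first crossing
                reasons.append(f"bulk access: {limit + 1} distinct objects today, "
                               f"baseline max {p['max_daily']}")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], reasons))
    return alerts


def run_example():
    """Build the baseline from BASELINE_LOG and score NEW_LOG against it."""
    profiles = build_baseline(parse_log(BASELINE_LOG))
    return detect_deviations(profiles, parse_log(NEW_LOG))


if __name__ == "__main__":
    for ts, user, reasons in run_example():
        print(ts, user, "; ".join(reasons))
```

Run as written, the example raises five alerts: alice's 02:40 read, alice's read from the unknown phone, bob (whose baseline is the jump host) reading a CRM account, mallory with no baseline at all, and alice's seventh export of the day, which is the first to exceed three times her baseline peak of two accounts per day. The single normal read and the first six exports produce nothing, which is the point: the analytics exist to surface the exceptions, not to log everything.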

Taking Cybersecurity Controls to the Next Level

A compliance or risk management team within a bank or other company plays the valuable role, among others, of trying to mitigate the gullibility or ethical lapses of the firm's own employees. But actual law enforcement officers take this to the next level. Rather than merely using defensive measures to strengthen the defenses of potential crime targets, they look for ways to infiltrate criminal groups, pretending to help them in order to stop and arrest them before a crime is carried out.

What if risk and compliance departments were to engage in activities more akin to real‐world detectives? Instead of just filling holes in a bank's security safeguards, perhaps they could use some form of espionage to catch employees committing financial crimes or policy violations. This could mean identifying potential or even real criminals inside the company, or simply regulating employees' impulses to commit a legal or ethical lapse. We will review some examples in Chapter 21, where we look at surveillance tools and approaches.

Education of clients and employees continues to be of major importance and is still far from effective. Companies need to invest much more heavily in both data analytics and education on this issue if they are going to stop playing Goliath to the hackers' David.

Notes
