Trends

2018

 

2018: The future of banking in the spotlight as digital trends take hold

21 Dec 2018
https://www.finextra.com/newsarticle/33121/2018-the-future-of-banking-in-the-spotlight-as-digital-trends-take-hold/security
 

One Year Later: Cybersecurity Practices Shift After the Equifax Breach

November 26
https://www.banknews.com/blog/one-year-later-cybersecurity-practices-shift-after-the-equifax-breach/
 

Cybercriminals increasingly target retailers via digital, social channels

25 Oct 2018
https://www.thepaypers.com/digital-identity-security-online-fraud/cybercriminals-increasingly-target-retailers-via-digital-social-channels/775561-26
 

Banking Trojans continue to surface on Google Play

24 Oct 2018
https://www.welivesecurity.com/2018/10/24/banking-trojans-continue-surface-google-play/
 

Fraudsters Increasingly Turn to Mobile Payments Technology, Specifically Gift Cards

2018-10-19
https://paymentweek.com/2018-10-19-fraudsters-increasingly-turn-mobile-payments-technology-specifically-gift-cards/
 

iPhone a Growing Target of Crypto-Mining Attacks

15 Oct 2018
https://www.infosecurity-magazine.com/news/iphone-a-growing-target-of/
 

North Korean hackers used Swift network to steal more than $100m

05 October 2018
https://www.finextra.com/newsarticle/32742/north-korean-hackers-used-swift-network-to-steal-more-than-100m---fireeye/security
 

Mobile fraud soars - ThreatMetrix

14 September 2018
https://www.finextra.com/newsarticle/32654/mobile-fraud-soars---threatmetrix/security
 

Juniper Research: Mobile Payment Security’s Future Software-Based

2018-9-6
https://paymentweek.com/2018-9-6-juniper-research-mobile-payment-securitys-future-software-based/
 
 

2017

 

Asking for Ransom in Bitcoin Is Apparently a Thing for Hackers Now

2017-11-21

https://cryptovest.com/news/asking-for-ransom-in-bitcoin-is-apparently-a-thing-for-hackers-now/

 

The secret to reeling in cybersecurity talent at three big banks

2017-11-27

Where can you get a good cyber sentinel these days?

Funny as that sounds, demand for cybersecurity talent is far outstripping the supply, though estimates of the size of the divide vary.

There will be 3.5 million unfilled cybersecurity jobs by 2021, up from 1 million last year, according to the research firm Cybersecurity Ventures. Meanwhile, Frost & Sullivan estimates 1.8 million cybersecurity jobs will go unfilled by 2022, a rise of around 20% since 2015.

Banks, usually among hackers’ top targets, are hyperaware of the problem.

“We’re looking at multiple angles on how are we going to handle the talent shortage we all know exists in information security, especially in the coming two to three years,” said Jason Witty, the chief information security officer at U.S. Bancorp in Minneapolis. “We’re trying to be very strategic in how we develop the next generation of leaders.”

The chief security officers at USAA, Wells Fargo and U.S. Bank all shared with me examples of how they are attempting to close the gap. Two of the most popular strategies are the recruitment of ex-military talent and the establishment of programs to find promising high school and college minds.

Tapping veterans

All of the security chiefs agreed that military veterans are a rich source of cybersecurity talent.

The military is skilled at producing what Gary McAlum, the chief security officer at USAA, calls “Jedi Knights.”

“These are high-end people who think differently, they’re very technical, able to write their own scripts, [and] they’re hunters,” McAlum said. “Everybody wants them, and there are not many of them out there.”

The most valuable are said to be military alums who had cybersecurity training and experience in dealing with attackers.

“That’s a rare combination,” McAlum said. “People who have done that think like an attacker, and that is a valuable perspective to bring to securing [USAA’s] space. You see more of those coming out of the military than other places.”

The mindset of the typical veteran lends itself to cybersecurity, too, McAlum said.

“I served for 25 years” in the Air Force, he said. “When we get out, veterans have a lot of energy and the desire to make a difference, to make an impact. It sounds like a cliche, but a lot of us getting out want to continue to be part of a team and have a mission. Cybersecurity is important, so people that are doing this in the military want to keep doing it on the outside.”

USAA has a few natural advantages on this front. Its headquarters, San Antonio, is near the Air Force’s cyber command and other military bases; its members and employees are mostly veterans; and employee turnover is relatively low.

“When people decide to transition out of the military, they often know someone at our company and will contact us,” McAlum said. “These resumes typically end up on my desk, and I’ll look at them. I got a couple this week and thought, these look really interesting, we should have a conversation with them and find out more.”

Wells Fargo is making a big push to hire veterans, said Rich Baich, its chief information security officer. He has held several positions in the Navy, the North American Air Defense Command, the National Reconnaissance Office and the FBI.

As of August more than 8,500 veterans worked at the San Francisco bank, and at any given time it has 200 team members on active duty.

“You have people coming from the military who have technical skills, but you also have people who know how to manage threats, manage people and lead,” Baich said. “I do think that’s some of the best talent out there.”

Baich established a training and career development program that he modeled after his military experience.

“In the military, you do a job for two or three years, then you move jobs,” he said. “There’s this steppingstone of expectations so you can advance in your career and gain more responsibility. In the private sector, it’s not exactly like that.”

The new curriculum includes many online courses run by the SANS Institute that lead to industry certifications. Baich mapped certain job titles to sets of courses, so the coursework helps lead to promotions. Two hundred employees have obtained industry certifications.

Veterans who work for the company are always assigned to talk with veteran recruits and answer their questions.

“We explain to them how we have our veteran branches around the country, so they can meet with other veterans,” Baich said. “Some people still want to maintain that touch with the military.”

Like McAlum, Baich noted that veterans tend to be mission-focused as they leave the military.

“This discipline can give them that opportunity,” he said. “As you might imagine, we’re fighting the war every day.”

Partnering with educational institutions

U.S. Bank holds career fairs and participates in military-to-private-sector transfer programs to recruit veterans, but it has had good luck in forging partnerships with a few local universities. The bank built its cyber fusion center in Cincinnati, knowing there was good cybersecurity talent at places such as Northern Kentucky University across the Ohio River.

The bank was impressed with NKU’s cybersecurity program and began a scholarship program for it in 2016, Witty said. The university sets the criteria and selects three student winners. U.S. Bank provided $10,000 in scholarships last year and this year. It’s committed to donating $10,000 each of the next three years.

“Once they graduate, we can pipeline either those scholarship recipients or other high potential people from the university into our internship program or entry level positions in cybersecurity,” Witty said.

Since then, the bank has begun providing scholarships to the University of Missouri at St. Louis, the University of Washington and Whatcom Community College in Bellingham, Wash.

“Our industry is changing so fast, the amount of attacks we see every day are exponential in nature and more sophisticated as well, so our response has to get better, and the only way we can do that is by having a good talent base,” Witty said.

U.S. Bank has also partnered with Navigo, a Cincinnati not-for-profit that helps high school students who cannot afford higher education to obtain jobs that enable them to save enough to eventually go to college. Twelve U.S. Bank coaches work with high school students in the program.

“We help them build resumes, we meet with them on a monthly basis and talk about career development and how do they home in on what exactly they want to do with their careers,” Witty said.

The bank also hosts groups of students at its Cincinnati facility for tabletop exercises designed to get them excited about security as a career. One of the exercises works a lot like a popular game show.

“We show them a live hacking demonstration and play hacker Jeopardy to get them interested,” Witty said.

 

2017-11-17

Cyberattacks have become increasingly routine

What is nearly imperceptible, leaks important secrets and can keep Canada's top bankers up at night?

A cyberattack.

It's not a punch line but a seriously haunting prospect for those in the upper echelons of Canadian governments and corporations.

When Victor Dodig checks his phone in the morning, the chief executive of Canadian Imperial Bank of Commerce dreads reading that any government or corporation, anywhere in the world, has been hacked, he told an Ontario Securities Commission panel last month.

"Obviously, it would be more of a concern if our institution was, but we're so interconnected that one weak link creates an issue for all of us."

Of all the nightmare scenarios that run through Bank of Canada governor Stephen Poloz's head, the threat of a cyberattack is "more worrisome than all the other stuff," he told The Canadian Press in an October interview.

Cybersecurity experts fear government and corporate defensive capabilities are not keeping pace with growing ranks of sophisticated hackers, a sentiment underscored by recent events.

This week The New York Times reported that the National Security Agency — America's largest intelligence organization known for its own clandestine hacking operations — had been infiltrated by a hack, an insider's leak, or both. The cyberweapons it developed to spy on other countries are now being used against it and a 15-month investigation has not produced a clear source of the leak.

The latest revelations come two months after Equifax Inc. disclosed that nearly half the U.S. population had sensitive personal information stolen by hackers who exploited a weakness in its system. The data breach was announced in September, nearly five months after hackers first broke in. They downloaded sensitive information undetected for almost two months before Equifax discovered the breach.

While American politicians lambasted the company for its slow response, the political response in Canada was decidedly less strident, despite the fact that the company declined for weeks to identify just how many Canadians had been affected.

Equifax Canada's silence was enabled by the lack of federal laws to force companies to disclose breaches and theft of information or money.

But that could change if a mandatory data breach reporting requirement amendment to the Personal Information Protection and Electronic Documents Act is passed. It must undergo several more stages after a consultation period for a draft closed last month, more than two years after it was first proposed.

In the meantime, cyberattacks have become increasingly routine.

Nearly 60% of Canadian businesses who responded to an Ipsos poll in February said they either suspect or know for certain that they were hacked last year, while more than one-third of Canadian individuals said in an Accenture survey they have been the target of a cyberattack.

Hacks involving extortion were up 50% last year, according to a report by Verizon Communications. And that company knows all too well the fallout from a hack — it recently acquired Yahoo Inc., the victim of the largest data breach in history, in which three billion user accounts were compromised.

Estimates suggest cybercrime costs the Canadian economy between $3 billion and $5 billion a year. The average per company cost of a data breach has risen as high as $6 million, according to the Canadian Chamber of Commerce.

The Bank of Canada has warned that Canadian banks are vulnerable to a cascading series of attacks that could not only undermine confidence in the financial system, but spill over into other sectors, such as energy or water systems.

Hacking has already been deployed as a weapon of war.

The first known attack to take out an electrical grid using malicious software occurred two years ago, in the middle of Russia's siege of Ukraine. Russian hackers have undermined almost every sector in Ukraine, including the Ukrainian tax filing system, pharmacies' prescription tracking system and the radiation monitoring system at Chernobyl.

The hacks of Ashley Madison, Yahoo and now Equifax have sparked alarming headlines, federal investigations and passing political ire, but have amounted to little real change, leaving our institutions vulnerable to Poloz's nightmare cyberattack that could grind the gears of modern civilization to a halt — a scenario that suddenly doesn't seem so far-fetched.