ITWeb TV: Absa sees 400% increase in attempted cyber attacks

By Adrian Hinchcliffe
Johannesburg, 10 May 2024
In this episode of ITWeb TV, Manoj Puri, Absa Group’s chief security officer, provides insight into the increasing cyber threats faced by the banking group, and other challenges such as skills, employee burnout, third-party risk and cyber poverty, quantum computing and the need for improved cyber awareness across South Africa.

Absa admits that over the past two years, it has experienced a 400% increase in the number of cyber attacks it is facing.

This is according to the banking group’s chief security officer, Manoj Puri, who spoke to ITWeb TV this week as part of a series of episodes in the run-up to the ITWeb Security Summit, in June.

“Attacks have been steadily increasing. From two years ago when I started [in this position] to where we are now, we’ve seen a 400% increase in attacks against us. And the number is in millions per month.”

He adds that the increase in attacks the bank is facing is symbolic of a wider trend, with hackers changing their tactics and aiming for the path of least resistance.

According to a recent report by the South African Banking Risk Information Centre and the Financial Sector Conduct Authority, local banks and financial services providers are increasingly being targeted by criminals, as website cloning scams proliferate as a method to steal consumers’ hard-earned cash.

“Threat actors are becoming smarter. They’re trying their luck with financial institutions, but they’ll look where they can get in and get data out for ransom, and often the weakest link is where they’re going after,” Puri says.

He points out that this has resulted in the need for greater scrutiny of the risk posed by connected third-parties.

“Are we comfortable that the parties we work with, and the parties they work with have the same level of cyber hygiene, vigilance and cyber security [as we do]? And if not, how to manage that risk and the relationships?”

Third-party threat

Puri believes there must be different strategies adopted for the various third-parties. “You need to know who are the ones to worry about the most. Zero trust is always the best way as a starting point for everyone, and then look at the various third-parties and assess them to see what level of trust you will establish with them.”

He says there is a need for constant assessment and monitoring of a third-party’s external surface, including checking if they are up to date with patches. “It gives you indications of who’s taking cyber security seriously.”

He warns that this level of due diligence may have an impact on the global ecosystem of business.

“I think this is going to happen increasingly globally. If a certain standard of basic cyber security isn’t met, a large portion of organisations won’t be able to do business with others.”

Absa Group’s chief security officer Manoj Puri. (Photograph by: Lesley Moyo)

Puri is also candid about the different threats he is concerned about. “The biggest challenge I see is discipline and cyber hygiene. It’s a constant thing to monitor and improve on. Being on top of your estate and the attack surface, and ensuring cyber hygiene is well managed is probably the hardest challenge.”

He says another significant challenge is keeping cyber security professionals alert and vigilant, while ensuring they don’t become apathetic or burn out.

“The wellness of our organisation depends on the wellness of the people running the organisation. We’ve battled with that; I’ve battled with that because cyber skill is scarce. It doesn’t mean all cyber skills are scarce. What I find most difficult to maintain is skill that understands your environment; that has your context. Having that skill and making sure they don’t burn out is probably the hardest part,” he admits.

Quantum concerns

In the interview, Puri also discusses emerging threats and identifies mobile security, the pace of technology development and quantum computing as three that concern him.

On mobile phones and security, he says it is not just an organisational issue, but also a human one.

“While our app might be secure, ransom demands based on people downloading things and giving access to photos [and other sensitive data] on their phone is becoming a real problem – alertness and awareness are critical not just from a fraud perspective but from the safety of human beings.”

Puri notes that the speed at which technology is being developed and released to the market, without appropriate testing, is creating more opportunities for threat actors.

When asked about quantum computing and its potential for quickly cracking current cryptographic techniques, Puri says it is something Absa is tracking closely and has already started working on.

“We’re working with a few players in the market who are at the forefront of this technology. They call it ‘Q zero’, the day when quantum becomes commercially available. When I heard about this two years ago, it was 10 years away. When I talk to some of my partners now, it’s three to five years away. It’s not that far in the future.

“We need to understand what its threat actually is, and we’re working with our cryptography partners, as they’re worried about it. We have a lot of technologies that we use from the global giants, who are working on this heavily and we’re trying to understand their plans on the technologies, where it can impact us and the gap analysis. We believe it’s something we need to start looking at seriously now, and we have started already.”