Cybersecurity: how to deal with new threats
Banking institutions and their partners have long been aware of cybersecurity risks to their information systems, applications and data. However, new threats are becoming increasingly sophisticated, requiring everyone to be more vigilant, but also to cooperate.
Like all banking institutions, Societe Generale has been working for years to reduce the risk of attacks on infrastructure, applications and data. The Group invests more than 200 million euros in cybersecurity each year. Why invest so much? Because security is central to a bank’s value proposition to its customers, as well as its regulators.
Although “cyber” risks have been around for a while, they have shifted and increased over the years. These days, traditional threats (phishing, DDOS attacks, etc.) are still present, but they are complemented by more indirect attacks targeting suppliers and providers of banking institutions, which are just as capable of falling victim to phishing, malware and other attacks that are more difficult to detect. The “SolarWinds” cyberattack is emblematic in this respect: slipping in via an update, the Trojan horse attacked a supplier whose software components were integrated directly into the information systems of several large groups. Detecting this attack proved to be particularly complex, as it targeted a security specialist, of all people...
Responding to “traditional” threats and building resilience...
To respond to these new threats, companies and their managers first need to take measures against traditional attacks, by raising awareness among employees and service providers on a regular basis, and by equipping themselves with the most advanced detection and protection tools. At Societe Generale, for instance, this allows us to regularly block DDOS attacks (Distributed Denial Of Service, a few per month), malware on websites or in emails (several hundred per month), and of course phishing attempts against the bank’s employees (several thousand per month). Once this first condition is met, it then becomes possible to tackle more sophisticated threats, such as Trojan horse detection.
But no matter how many protective measures are taken, the risks do not go away. Faced with the risk of cyberattacks, companies must therefore seek to strengthen their resilience as well: since not all attacks can be avoided, it is important to ensure that if one of them does succeed, it is identified as soon as possible and its impact limited. The concept of resilience has already been taken on board by banking institutions, in the form of operational resilience. It is now complemented by a concerted effort to improve IT resilience, with the aim of keeping the most critical services online and limiting systemic risks.
... before tackling more complex threats
When suppliers are targeted, prevention and protection measures are more difficult to take, but they do exist. Suppliers themselves must be increasingly vigilant: while the issue is well known to large IT service providers, this is not necessarily the case for smaller players.
For banks, the task is complex, as a banking institution works with hundreds or even thousands of providers. Faced with this problem, it becomes crucial to be able to identify and monitor supplier access and data flows in real time.
An increasingly common practice is micro-segmentation, which consists of isolating each application within the computer system by limiting its interaction with the outside world. To monitor how it behaves and to identify suspicious flows more quickly, data analysis and machine learning are invaluable allies, since manual monitoring of all flows is simply not possible. Algorithms, which are constantly being perfected, can be used to detect suspicious behaviour, as has already long been the case for bank card payment flows, for example.
Working together internationally and across major sectors
However, fraud and cyberattack detection will only be fully effective if there is increased coordination between the different actors involved. Societe Generale’s Computer Emergency Response Team (CERT) already liaises with CERTs at other banking institutions and the ANSSI in France, as well as internationally. But as threats become ever more widespread, cooperation must be international and cross-sectoral. It is together, by sharing our alerts, our best practices and our detection algorithms, that we will be able to thwart attacks more effectively.