Good morning, and good afternoon to all of our clients and friends dialling in to this, or indeed listening to the playback from all around the world. A very warm welcome to you all. My name is Lauren D'Arcy, and I'm the Global Head of Partnership Bank Relationships at Barclays.
We are so appreciative of you taking the time out of your day to join us. This is actually the third in our FI Forum series, which we have set up in order to ensure that we are staying connected to you, our clients, but also to share thoughts and insights into matters that are no doubt affecting all of us.
During our first session, we explored COVID and the return to work. We have also explored ESG within trade finance. And today, we are attempting to tackle the important topic of cyber security -- something that is, of course, of critical importance and focus for all of us on this call in a BAU environment, but perhaps has taken on an additional nuance in the age of the pandemic that we are all living through at the moment.
So, let me first explain the running order, and then we'll jump straight in. To kick us off today, we will have Mike Brookes, Head of Cyber Operations Intelligence at Barclays, spend a few minutes setting the scene, and sharing with us some information about what the current threat landscape looks like.
We will then move to a panel discussion, and I will be joined by esteemed guests, who will help me explore this important but complicated topic. We'll then move into a Q & A session, and I'd really like to make this as interactive as possible, so please do make use of the question box that you will see on your screen, and we will also pop up some polling questions throughout the panel discussion, just to make sure you're all still listening.
With that, let's begin. As I mentioned, Mike Brookes is the Head of Cyber Operations Intelligence, and he leads a team that aims to proactively understand and defeat cyberattacks from the most active criminal and nation‑state threats. Mike has spent 10 years at Barclays, starting in information security consultancy, building secure architecture for the global business units. And then shifting into incident response, investigating sophisticated criminal and nation‑state cyberattacks. Mike set up the first cyber threat-hunting team in 2015, and established a practice devoted to uncovering undetected threats, and proactively mitigating threats before they manifest in the network.
So Mike, over to you to help us set the scene for us today. Thanks very much.
Mike Brookes: Thank you, Lauren, and good morning, everyone. Go to the next slide, please.
I think 2020 is no exception in showing the world has changed very, very quickly in recent months, and all these events will add a layer of complexity to the equation, which will make global reliance on technology even more paramount. We face a world where the lines are blurred between electronic attacks and potential acts of war. You'll need to look at the number of attacks against SWIFT interbank systems for various financial institutions in recent years. And going back a few years, looking at the Ukraine accounting software attack, known as NotPetya, perpetrated by a nation‑state.
For global organization, this extension of cyber threat raises the risk of collateral damage beyond traditional cyberattacks. Global organization, in some cases, takes on the risk of individual countries it operates within. In some cases, large brands may be seen as legitimate cybertargets in geopolitical events. Again, looking at Saudi Aramco and Maersk as part of the fallout of the NotPetya attacks. Where you line cross hairs often depends as much on your industry, your organization itself, and the ongoing global politics at the moment.
In the large and small, we're in this together. Our businesses are interconnected. Our markets are global. We share the same risks and must defend interconnected economies together.
As mentioned, the world has morphed significantly over the last few months. A historic globalization has led to increased interdependencies alongside magnified technological dependencies that ultimately put us at more risk, as much as they create greater efficiency. Add the pandemic into the mix, and the risks go more digital for many organizations at even more complexity.
Before the pandemic hit, the last 10 years have seen a marked evolution in cyber threat landscape. The traditional views, antivirus software, and firewalls won’t keep attacks at bay.
Increased global interconnectivity means the private and public sector threats are closer together. And in fact, in the private sector may have implications to way of public life, and vice versa.
Could you go to the next slide, please?
First we have the nation‑states, criminal organizations, and individual threat actors. You can see in the infographic there, sourcing the FBI, the kinds of threats that we face that are increasing. Fundamentally, within all of this, there's two ways that these cyber risks manifest against your organization. The first one is the prevention of business, and the second one is the stealing of data or funds.
Within prevention of business, you all have heard about denial of service attacks. And these can be quite public and reputation‑impacting, but often not long‑lasting. It's been one of the key areas of innovation in the last few years is network technology and the ability to defeat those kinds of attacks.
I'm sure many of you will have read of ransomware recently, especially in 2020. These attacks are often limited in scope, but there can be some extraordinary cases that make it into the press. Often what you might read about in the press is only the tip of the iceberg as to what is actually going on and the amount of funds that are being bled out of Western organizations.
The thing is, these cases can actually be preventable if you get the basics right. All of your basic patching and information security can prevent this kind of thing. If you can fully recover and restore business from a ransomware attack, then the more is the better.
What this presents, though, is a shift in the past 12 months or so in completely in the way that criminals operate. They've moved from a very complex ecosystem of a lot of criminals and fake bank accounts, called mules, where they needed to shift fraudulent money around. Now what they can do within this new ecosystem is sell each other direct access to breached companies. Another criminal will then demand payment in cryptocurrency. Their supply lines for obtaining untraceable funds have gotten much, much shorter, and the impacts have got much, much greater to you as organizations.
In terms of stealing money, everyone will have heard about business e‑mail compromise and invoice redirection, and that's probably the least of your worries, while it's one of the most prominent threats.
Intellectual property theft and espionage by similar nation‑states is one of the key concerns, especially with the arc of geopolitics going forwards. What you face with deep compromise of your network, and often the most difficult to see. It will be a very silent type of attack, and often they will use -- they will not use malware, but they will use embedded technology within Microsoft Windows, such as PowerShell, and they will try to gain access to your networks that way. Equally, these are actually the most difficult to maintain for the attackers, so there are some opportunities versus defenders in the organizations.
Customer credentials or private information is one of the most reputationally damaging things that we face in terms of theft of data and funds. Once it's gone, it's gone. It will affect your share price, and recovery costs are very high.
And that was my section. Lauren, back over to you.
Lauren D'Arcy: Great, thanks very much, Mike. Very interesting. Mike is going to stick around in case we get any really tricky audience questions. We'll save those for you, Mike. But for now, let me introduce you to our panel, who I'm very excited can join us today.
First, we have Paul Gillen. Paul is the Head of Cyber Security Operations, and has been working in the area of cyber and fraud since 1996. Paul is the founder and leader of Barclays' global suite of joint security operations centres in the UK, US, and India. Paul joined Barclays from the European Cybercrimes Centre in the Hague, where he was the Head of Cybercrime Operations and Intelligence at the European Law Enforcement Agency. Paul was founding chairperson of Europol's European Cybercrime Training and Education Group, and he was also founding vice‑chair of the European Union Cybercrime Task Force, a group made up of all of the heads of federal cybercrime units across the EU.
Next, we have Stevie Wilson. Stevie is the Chief Executive Officer of the Cyber Defence Alliance. Prior to this, he was the head of the European Cybercrime Centre at Europol in the Netherlands, and his responsibilities included supporting international investigations into high‑level cybercrimes, online child sexual exploitation, transnational non‑cash payment frauds, and dark web inquiries. He has had a 34‑year career in law enforcement, including serving as the senior detective in Scotland, where he performed a range of roles with national responsibility.
And finally, we have Dan Pilling, who is our Global Payments Technology CIO here at Barclays. In this role, he is accountable for all payment platforms, payment gateways, SWIFT infrastructure, and payment sanctioned platforms. Prior to this role, he was responsible for the implementation of the strategic global payments utility. And prior to that, was head of strategic change management, with responsibility for defining the strategic change road map across all business clusters within corporate banking. Dan started his career in payment operations.
Very warm welcome to our panellists. Thank you so much for joining us today. That was a very quick snapshot of your careers and backgrounds, so I'd like to ease you in gently and kick off by asking you each a question, which will hopefully allow you to share more about your focus as it relates to cyber.
Paul, starting with you, you've been here within Barclays for about five years, I believe, as Head of Cyber Security Operations. I'm guessing this world of cyber security is very fast moving, and Mike spoke about there being a shift even in the last 12 months. Can you tell us a little bit about what your role looks like as Head of Security Operations, and what your focus is, and maybe what keeps you up at night, apart from this hot, warm weather we're experiencing?
Paul Gillen: I'm actually dialling in from Dublin, so the whole warm weather things does not apply for me.
Lauren D'Arcy: Okay.
Paul Gillen: Yes, I guess just when we listened to Mike there ‑‑ and first of all, good morning or good afternoon, everybody. It's great to be here. As Lauren actually said, I've been doing some sort of cyber for the last 25 years. It wasn't cyber at that time. I think it was computer forensics. I think when Mike outlined -- I think the modus operandi of the threat actors, they have changed over the last five years, we say in Barclays. So I've been responsible for cyber security and all front-line security operations for the bank globally for the last five years.
Although the modus operandi of the threat actors have kind of changed in the times, as Mike outlined, really at the end of the day, there are only two consequences. Those consequences, I have to say, have pretty much remained the same pretty much over the last 20 years for me, as I've been either investigating cybercrimes or responsible for defending against them here in Barclays.
And as Mike had said, it's something that prevents you from doing business. And the two that he outlined were DDoS and ransomware. So he's outlining exactly what keeps me up at nighttime. The denial of service attack where so much data has been sent to one of our online services that it can no longer cope with the amount of traffic that's been sent towards it. Then we can no longer legitimate ‑‑ customers can no longer log in and do business with us on that particular channel.
Then obviously, much more destructive is, and obviously keeping every cyber security professional awake at nighttime, is the threat of ransomware, where someone can ultimately breach the network, manage to get on to the network, manage to once they get on to the network, to move from one machine to another until they get somewhere that they can deploy some of this ransomware, and lock up machines silently at nighttime or over a bank holiday weekend, or whatever it is they're going to do. Hopefully, it will not be detected until everybody comes back into work.
Then the second one obviously, which is both the legend – you know, has happened all the time is where they get in, they do a data breach, they steal a whole bunch of data, credentials, user names, passwords, credit card credentials, whatever the case may be. Or ultimately, as we saw with some of the business e‑mail compromise, they get on to the network, compromise the network, sit on somebody's inbox for a protracted period of time -- I mean their e‑mail inbox for a protracted period of time. And then look to gather enough information that they can do some sort of really convincing scam.
So I guess ultimately, the modus operandi has changed over the 20 years, but the consequences haven't. I saw an interesting stat then as a result of COVID in the current environment, we’ve never—like in my lifetime, I haven't lived through a pandemic. It's been interesting to see that. So IBM published recently that they saw a 6,000 percent increase in malicious e‑mail attacks that were leveraging COVID‑19 as a theme, between March and April. Not the whole year, just March and April. I thought that was pretty astounding.
The threat actors will always look to gain advantage. They'll always use whatever is relevant to the day, whether that's a geopolitical event, or some other event, that they use that as a lure in order to attract us to do something, or some of our employees or our colleagues to do something nefarious, et cetera.
Probably a very long answer to your short question, Lauren, but I think they're the things that Mike had outlined. They're the things that keep me awake at night, and they're the things that I worry about. They are more the consequences than the modus operandi. The modus operandi just continually change, day in, day out. You have to stay really, really alive to changes and the threats that the cyber criminals do, their tools, their tactics, their procedures. You have to be completely alive to that literally 24 hours a day. If not, you're going to get caught in it.
Lauren D'Arcy: Right, okay, you're scaring me now, Paul. I'm just kidding. Thank you for that. Maybe moving to Stevie. Stevie, you've had a very long and impressive career in the area of law enforcement, most recently with Europol, and now currently with the Cyber Defence Alliance. Can you tell us a little bit about what your role entails? Because I'm sure no two days look the same. But can you give us a sense of what your focus is?
Steven Wilson: Lauren, thanks very much, and thanks for the invite to be here. Commonly known, eight months into my journey into the financial sector, it's been an interesting two months during the epidemic, as Paul speaks about. But firstly, Europol, 120 staff from 24 countries all working together as a collective team to tackle the top‑end cybercrimes. Not just in Europe, because back to what Paul spoke about, it's a globally interconnected problem.
Looking at what we do in the Cyber Defence Alliance, we're a small team, 30 staff in total between parent and seconded staff. What we're looking to do is between our eight member banks, Barclays being the founder bank, what does as to pool the collective resources to understand the threat. That involves setting on a daily basis, taking calls from the members, pooling everybody's understanding, assessing intelligence feeds, working and developing major incidents, and also understanding the geopolitical problem and what's likely to happen.
We have this problem starting to merge, escalating that into member expert calls. And then once that ongoing monitoring of dark web forums intel providers for that earlier limit. The whole point of what we are trying to do is to collect a security response together from all of our members. And again, ultimately making us all collectively stronger together.
Actually, I'm struck by the similarities in the role, the mission between Europol and what we do at the CDA. We're a central resource, but we have to support our members. Those members have got different capabilities and different priorities. We've got no front-line operation responsibility, but we have to support the guys on front end. Again, because we're multiple members, all with different and varying priorities, what is core to both what we've done at Europol and most pertinently what we do at CDA is that idea of information sharing.
Collectively sharing information, developing that trust, and the idea of the more you put into the pot, the more you get back out. And ultimately, combining those efforts to collect the benefit. Because sometimes we find it's almost like a jigsaw puzzle we're dealing with. That one single piece from one member can actually put the whole picture together for all of us, to make us collectively safer.
So back to you, Lauren.
Lauren D'Arcy: Great, thanks, Stevie. If we have time, we might explore that sort of concept of collaboration a little bit further later. So Dan, over to you. In your role running technology for global payments, I'm sure you think a lot about resiliency. But how much does cyber now factor into the things you worry about as it relates to our payment business?
Dan Pilling: Morning, afternoon, and thank you, Lauren. Resilience ‑‑ there will be three reasons in payments, and our SWIFT infrastructure is the forefront of everything we do on a daily basis. As we moved into an always‑on posture -- we're moving year on year to more payments moving around the ecosystem, 24/7/365 -- that resilience posture has become increasingly important. The cyber-resilient aspect of that carries the absolute same focus. It's gone from maybe being slightly in the background maybe 10 years ago, to absolute the forefront.
One thing that resonates with me, when I took this role on a few years ago, was the group's COO at the time clearly telling me that from his perspective, cyber security and getting it right or getting it wrong is the single biggest financial risk to the bank. You can understand why, having heard from Paul and Stevie earlier. It absolutely is something that is forefront of mind and is part of everything we do on a daily basis. And Barclays has been running a security program for a number of years now. Myself in payments have a fully funded dedicated cyber program which we run, focusing on all the key areas. This is reported up to group XCO level, obviously the full focus of the bank from top to bottom. So yeah, it's very much, in my mind on a daily basis.
Over to you.
Lauren D'Arcy: Great, and I think that's a shift, isn't it? Previously, the lines were a bit blurred between cyber security professionals and the business, if you like. Now we're seeing very much where the CSOs are reporting directly into group, and presenting to boards. I think that's been a shift, hasn’t it, in recent years as well.
Good, so we're going to pause now for our first polling question. Sharon, if you could send that question to the audience, that would be great. So hopefully you'll see that on your screen coming up shortly. The question is, "Cyber attacks are the greatest threat to the financial system we have today."
You've got some options there ‑‑ strongly agree, agree, disagree, or strongly disagree. We'll just wait a few seconds for those results to come through. So again, "Cyber attacks are the greatest threat to the financial system we have today." What's your opinion on that? Great, okay.
Super, so whenever you're ready, Sharon, we can push those results to the audience. You'll see the results pop up in your screen shortly. Not surprisingly, the vast majority of people, so 97 percent, either agree or strongly agree with that statement. That's probably not a surprise, particularly based on the opening comments from our panellists.
Okay, good. We'll move on now. Maybe based on that response, it's clear everyone is aware of the threat that cybersecurity poses. But I'm curious to know how much we understand, because we always hear that the criminals are a step ahead, the bad guys are getting worse, faster. Are the good guys able to keep up? And what impact has COVID had on this? So maybe Paul first, and then Stevie.
Paul Gillen: Thanks, Lauren. Yeah, I think our understanding of cybercrime and its consequences, certainly in my experience over the last 20 years, it's definitely improved. I think there was a case of that 20 years ago, anyone that was talking about this was a bit of a John the Baptist in the wilderness talking about it. I don't think anyone really took it seriously. It evolved over those 20 years, where it's now, we get surveys like this where people are saying that 90‑odd percent, or 97 percent of us believe that it's probably the greatest threat to the financial systems that we have today.
So I think we've come a long way in relation to understanding and appreciation of the threat, and I think we've seen all of the examples of all the various different breaches and the fines that have been handed out by regulatory authorities, for example. And the recovery costs that have been incurred by so many companies who found themselves in the unfortunate positions. I do really feel sorry for them. And of course, I always hope that it's never going to be me.
But there seems to be at this stage that criminals are so forward‑leaning and taking every opportunity, and there's so many of them. It's like crime in the physical world ‑‑ can you ever beat it? Probably not, but can you defend better? Answer yes, yes, definitely we can. Can we work together better? Yes, no question we can.
And the second part of your question was about COVID. And I guess COVID has been like a really unusual event. I'm not 100 percent sure of the consequences that COVID has had from a cyber perspective. I mentioned earlier on about the 6,000 percent, which I was kind of staggered by, increase in malicious e‑mails that are being sent to organizations, trying to get our employees or colleagues to click on them, and compromise their machines, et cetera.
I'm not 100 percent sure. We're certainly seeing ‑‑ we're replicating those, increasing simulations, and sending about to repeating what it is that we see from criminals, and letting it out into our colleagues, and see what it is they're doing. And so far, they've been pretty good. I think that's part of an education program we've been standing, and the click rates on those are at an all‑time low. I suppose that's the balance is, I think we do understand it more. I think we're educating people more. I think there's a greater level of appreciation. We're testing our colleagues and testing ourselves. We're sharing more and better information between ourselves as organizations.
I'll hand over to Stevie, and I think the Cyber Defence Alliance, for any of you that are in it or that are not in it, it's certainly worth a look at. We find ourselves in a position where we're sharing good, sensitive information on helping each other out in the event that we see things.
So I think overall, yes, we're getting a better appreciation. Overall, no question, the consequences-- we have a greater appreciation of the consequences. COVID, I'm just not sure about yet. I just—I anticipate that in five, six months when we see results of various different breaches, and hope myself or nobody on the call is part of an organization that suffers from it but there will be people who will be sitting on our networks that we do not know about, as Mike spoke about a little bit earlier on. I think it's a little bit early to say the consequences of COVID yet, Lauren.
Sorry, Stevie, I'm not sure whether you agree or not.
Stevie Wilson: Yeah, thanks, Paul. Totally I agree. Some really interesting points in there. I think back to that point, I think it's getting much better. I've seen law enforcement capability grow. However, the problem is the bad guys have grown significantly in that period as well. I think for me, the biggest development has been that law enforcement and the industry cooperation, and intra‑industry cooperation as well to try and prove that collective front to tackle it.
And if we go back to Mike’s first slide, if you look at the complexity of the problem, state‑sponsored, state‑condoned and taskable where we have organized crime groups watching as criminals by day, and potentially agents of the nation‑state by night. We have cybercrimes of service, a loose affiliation of cyber criminals who all combine together to actually subcontract parts of the cybercrime ecosystem to attack. We also look at the hacktivists, the Script Kiddies. Some of themselves, some of these young kids involved are hugely talented. But they can inflict massive harm.
That's the evolving, challenging, complex world we're facing. Also the big problem, I think, why we stay behind the cyber criminals sometimes, if you look at the challenge of location. We've got non-cooperative regimes, where they will not extradite or do anything regarding cyber criminals, even when positively identified. We look at the problems and challenges of attribution. We see that increasing sophistication I've spoken about, and the idea of encryption and anonymization makes it more and more challenging for both industry and law enforcement to tackle this.
But again, back to those ideas of the industry and law enforcement cooperation. We see the disruptions, detections. Take the dark web, for instance. Jobs over the past couple of years, AlphaBay, Hansa market, deep dark web, again, industry and law enforcement working directly together.
And on to your second question, Lauren. COVID, that's been very interesting in this area. I think in some aspects, we've actually seen a reduction. I think some of this comes down to the inability of many real networks to actually cash out. Again, that's hugely important to cyber criminals. That's probably held some of it back and shut down operations.
But Paul makes a very good point. They will be doing an act of reconnaissance. They will be getting places in the network to try and monetize later stage. But certainly on the scam side there's been a massive increase. COVID‑related PPE, delivery phishing scams, or mine scans, they've all been through the roof because of what we're seeing just now for COVID. That's how I see things just now.
Back to you, Lauren.
Lauren D'Arcy: Thank you, thank you both. Very interesting. Maybe we'll bring Mike back in for this next question. I was curious to know if innovation is seen as a weapon in fighting cyber demons, so to speak? So I'm thinking about AI, machine learning, biometrics, or anything else. Is this a help, Mike, in fighting these criminals?
Mike Brookes: Thanks, Lauren. I think it's probably the only weapon that we should really start to focus up and towards. To my perspective, research into what the criminals do, what the nation‑states do, they're the real innovators. They constantly push themselves, constantly try, and try new things and incorporate the techniques of each other. They all learn from each other, because one of the problems that is we have in the cyber security industry is we write nice blogs and do marketing about what the criminals are doing, and that also acts as a playbook for them to learn from each other.
The key thing here is, is a phrase they have been aware of for many years. They only need to get it right once. We need to get it right every single time. So you have this set of adversaries, be they Script Kiddies in their parents' bedroom, be they heavily funded with all the apparatus of a nation‑state's intelligence behind it, they only have to get it right once. That's the kind of sphere that we're in. So we have to try and constantly out‑innovate them as best we can and put the [consummations] in before they come.
So to tick off some of the things that you've mentioned, machine learning, definitely. There are more and more and innovative new companies coming through. Barclays runs a program called the Rise Innovator Labs, and we kind of incubate a lot of these companies and put them through and trial them ourselves.
From a machine learning perspective, the amount of data we now have, the size of organizations that we need to protect, the only way we can do this is to use some of these more advanced machine learning techniques that spots these kind of nuances in the data. We've had some limited success with that internally in Barclays as well, and developed our own model that highlights threats.
From a biometrics perspective, yes, that's something as well that exists as toolsets, and if you run online platforms, interact with your customers, there are tools, technology that can help you biometrically kind of a fingerprint what a customer looks like, and what a fraudster looks like. And then within that as well, if you're not a big corporate, there is actually a lot you can do yourself, by just adopting an innovative mindset, and realizing as long as you understand your business, where it operates geographically, and what those threats might be, there are lots of free tools that are out there that are available to cyber security professionals with a bit of minimal investment in people, and some free rein and some trust that can put some really fantastic solutions that can defend your business intelligently and proactively.
I hope that answers it.
Lauren D'Arcy: Great, yeah, really interesting. Thanks, Mike. That leads me then, I thought, to the next question, maybe for you, Paul, which is around digital adoption. So we obviously know that digital adoption continues to grow exponentially, and we've seen it spill into all aspects of our lives. Does that mean, then, that the attack surface is much larger? And then if the attack surface is larger, does this mean it's easier for it to be hacked? I know we discussed this as we were prepping for this, and you weren't convinced. But what are your thoughts around digital adoption, and is that a further concern to help protect ourselves against cyber attacks?
Paul Gillen: Yeah, it's a good question. I guess, obviously, to state the obvious, digital adoption is absolutely inevitable. No question our reliance on it will absolutely increase. If anything the pandemic offers, as COVID has proven that our economy survived literally because, even though we've had ‑‑ there will be recessions, et cetera, after ‑‑ if we didn't have 21st century technology, we just simply wouldn't have survived, because the technology allowed us all to work from home, like literally, tens-- for example, with Barclays, tens of thousands of people began ‑‑ left the offices and then began to work from home.
So I suppose if we part that and go that ship has sailed, no question. Adoption is inevitable. Our reliance is only going to increase. And as a result, I guess technology, again, I'll accept, technology will continue to be the focus for criminals and other threat actors. No question. If we're all working on it, if that's where the money is, if that's where the data is, if that's where the funds is, if that's how they're going to be able to blackmail you or going to be able to ransom you, et cetera, then they're going to focus their attentions on that.
To kind of quote Mike from earlier on, we need to be ready to defend the networks. We all rely on each other. We're all absolutely connected. If one goes down, it's going to have a domino effect on other businesses, no question about that, either. However, however, because the attack surface is broadening, and it makes, I guess, a new frontline. That frontline becomes bigger and more difficult to defend. I guess the quote was Frederick the Great, "He who defends everything defends nothing."
I guess the advice I would say, or this is what's in my head, is that this is the way I'm approaching it anyways, that we need to know our most valuable environment. So the systems grow, and as the technologies increase, we need to know what our most valuable environments are, and we need to protect them, and we need to protect the people who have privileged access to them. We have to make sure that they're patched. We have to make sure that people who supply services to those environments are safe, secure.
We have to make sure that the third parties that provide or enhance the delivery of the services in those most valuable environments are safe and secure, and that they conform with the standards that we would expect of them. I beg your pardon, the standards, I suppose, we would expect of ourselves probably better way to describe it.
I think the second thing also is that if you sit and you wait to be attacked, then have that reactive cyber security posture, I think that's going to go badly. So therefore, the threat landscape changes. You do need to be aware of what the threat landscape is in your industry sector. That's because, as you know, as the attack surface, as our reliance on technology gets bigger, and the reliance on your third parties gets bigger, and their reliance on technology becomes bigger, and we all don't have the same cyber security posture, you definitely need to know what the threat landscape is in your industry sector.
Who are the threat actors that are attacking you? What are the tools that they use? What are the techniques that they use against you or other people? What are the processes that they use against you or other people?
And then obviously, the next biggest thing for me would be, again, what Stevie was saying. Get together, work and join in sharing groups, and be forward‑leaning. Make sure that you know what it is that the threat ‑‑ who are the people that are attacking you. Be in a position to maybe change your cyber security posture as you see an attack against somebody else, and you get to put these knowledge, the TTPs -- I mentioned them earlier on, too, techniques and processes, TTPs.
As you know what TTPs have been used against another poor victim, if you can come back and get those TTPs and then look at your own network to see if you can ‑‑ could you withstand that same attack and what changes would you need to be in order that you don't fall victim to similar? That's really it. We need to check our security posture against those signals. Absolutely, no question about it.
As well as to synopsize here. The attack surface is getting bigger, yes, it is. If you try to absolutely defend everything with the same level of rigor, you're probably going to fail, because there isn't enough cyber security or enterprise security professionals in the world in order to do that. But you certainly need to know what your most valuable environments are. Know what your dependencies in those most valuable environments are. Be a bit forward‑leaning. Know what the threat landscape is. Join sharing groups. And then make sure you check your posture against real‑world attacks to make sure that you'll be able to withstand them and do it in a peacetime mode, where you're not the one that's under attack and running around with your hair on fire. Which I think anyone that's been involved in cyber security will recognize that term.
Lauren D'Arcy: Great, thank you, Paul. Lots of things to think about there. I suppose the biggest thing is that it's just no longer acceptable to just react to cyber security risks. We must be proactive and then anticipate what adversaries will do next. Lots to think about there.
Okay, let's pop up our next polling question then, please, Sharon. We will send that to the audience now. And the question is, "What is the greatest cyber security threat to your bank in 2020?" So the options there are A, phishing, B, data breaches or data leakages, and C, ransomware. We'll just give you a few seconds there to respond.
So phishing, of course, is the fraudulent attempt to obtain sensitive information by disguising oneself as a trustworthy entity in an electronic communication. Data breaches is obvious. And then ransomware is a type of malicious software that blocks access to a computer system or data, usually by encrypting it until the victim pays a fee to the attacker.
Okay, so let's send the results there to the audience, so the audience can see. Bit of a mixture there in the responses. Roughly half think it's phishing. Sorry, the responses are still coming through. But more than half think it's phishing. More than 30 percent believe it's data breaches. And a bit more than 10 percent think that it's ransomware. So a bit of a mixed bag there. I think probably the real answer is that they're all risks and threats to our institutions.
But maybe if we look at the question on data, and maybe this one is for you, Stevie. Data has become the new currency on the web, from intellectual property to financial, health, and personal data. And at the same time, monetizing data has become easier than ever, thanks to dark web marketplaces and crypto currencies. I suppose in the first instance, preventing and mitigating attacks should be step one. But what advice would you have to help companies or institutions to not fall victim to system compromises that result in data loss? Where do you even start?
Stevie Wilson: Thank you. It's important to put it in context, Lauren. I think the question actually is really partially a trick question, because all those parts of them are connected together. But you're correct. It's continually evolving how they monetize the data stolen on the web. At the simplest level, credit cards, again, immediately transferable into cash or goods. Again, so far this year, at the CDA we have repatriated something like 250,000 cards to member banks. Again, that gives you an indication of the scope of the problem.
Again, picking up personal data, turning it into a fraud tip for wider frauds. One aspect I'd like to really go into in that evolution is the ransomware business model. If you look a few years ago, back to what Mike spoke about, there was ransom, "Pay or lose your data." That was a simple decision. Now we see the bad guys have evolved their business model. They're publicizing their attacks. Reputational damage for companies. Potentially a fine from the information commissioners, potentially four percent of your turnover. And then threatening to advertise that data. And ultimately, if you don't pay the ransom, then they will monetize that data by selling the data.
I looked at 8 o'clock this morning. The two most recent breaches been advertised NA Lab, a major computer hardware company in the U.S., 94 gigabytes of data stolen. Employees, partners, internal correspondence. TME Group, an international corporate producer, the same amount of data been put up for sale. My question to the audience is can you afford to lose this data?
You think back to what Paul spoke about. What are your crown jewels? What is going to make your company go under? And understand and protect that stuff. The idea of encrypting your own data so it can't be monetized for the bad guys is a major start. The idea Paul spoke about as well, understanding the threat, what's coming over the hill, and the tactics by the bad guys. And push a backup policy in relation to the recovery of data.
And putting all that together as part of our cyber security prevention strategy, to me, is absolutely fundamental to existing, because again, you don't want to be in the situation. Take Travelex most recently, where we've seen that significant breach. And whilst their situation is complicated by COVID, that initial ransomware incident probably was rather significant in their demise.
Back to you, Lauren.
Lauren D'Arcy: Thank you, Stevie. Very interesting. Dan, maybe we'll switch to you now. And a question around some of the things that SWIFT are doing. So SWIFT has introduced the customer security program, which aims to prevent and detect fraudulent activity through a set of mandatory security controls. Does this help in the fight against cyber attacks? What's your view?
Dan Pilling: As a very large user of SWIFT, as we are all on this call, we’re fully supportive of this CSP program that SWIFT has introduced. We've been working very closely with them in collaboration on the mandatory as well as the advisory controls they've been introducing over the past few years. I think we're now up to 21 mandatory controls and about 10 advisory controls.
The controls they sought to bring in, especially the mandatory ones, were very closely aligned with initiatives that we were already running in the bank through the cyber program that I mentioned earlier. So we absolutely do endorse and support that program of work. And the decision we took very early on is that we would adhere to all the mandatory and all of the advisory controls as they come through, and there are a few more coming through each year. So there's a few more mandatory controls that banks need to meet and attest by the end of this year.
And the sort of bracket states have bundled their controls into, again, as I mentioned earlier, to align with our strategy. So it's securing the environment. Obviously talking about the SWIFT environment here, but also we're talking about everything that aligns to this and connects to the SWIFT environment, which typically is the payments estate. As mentioned earlier, you need to identify your most valuable environments, and those are the ones, the crown jewels, that you need to protect and protect 100 percent. That's what these controls really address. Securing the environment, both physically as well as virtually, so through techniques such as network segmentation, to make sure that you really are segregating those core payment and SWIFT infrastructures away from the rest of the broad environment that may not be your most valuable environments.
Limiting access is another sort of theme that comes through. Again, really key, and one that we were running a very big program of work on. Making sure that the right people have the right level of access to the right environments. The right credentials, and making sure that when they access those environments, they do it in the most secure manner, using multi‑factor authentication, technologies, methods, to really ensure that the surface attack area is limited, because we have a very tightly controlled, access control, to our environments, both application level and infrastructure level.
And then the final area which is the sort of detect and respond, and this is where we work very closely with Paul and with the joint operation centre, is, firstly, we need to be able to detect any anomalous activity, and then we need to be able to react to that activity as and when it happens. It's all about being proactive, making sure we have playbooks, making sure we would know what would happen. And that broadly does align with this sort of strategy that SWIFT laid out with their SCSB programs. Yeah, we continue to work closely with them, and yeah, we fully support the program. We do genuinely believe it is having a real benefit of providing that extra layer of security.
Lauren D'Arcy: Great, thanks, Dan. I think that will resonate very strongly with the audience today. I want to ask a question around collaboration, and we touched on this ‑‑ it's come out both through Stevie and Paul's previous comments, where it's critical that industry and law enforcement collaborate directly. But I was curious specifically within the financial institution sector what sort of collaboration you see, because we have an audience of FI clients on this call here today, and to a certain extent, we may be competitors of one another.
But there must be a strong element of collaboration between banks in the cyber space, because an attack on one is essentially an attack on all. Do you see it as a shared crusade? So if we had an attack or saw something that was a bit worrying, would we pick up the phone to your counterpart in another bank? How does it work? Maybe first Paul, and then if Stevie has any comments.
Paul Gillen: Sure, Lauren. Certainly I think it's a critical element. I think it was one piece of advice I would give anyone. Collaboration entirely. And you know, don’t-- if there's anyone on the call that are enterprise security professionals, don't do security to the business. Make sure security come on—the security—make sure that the business comes on the security journey with you. You just won't do it on your own.
Then externally, having external contacts with industry organizations, intelligence sharing groups, being a member of as many of them as possible, and particularly effective for ourselves have been ‑‑ obviously, we have Stevie on this morning. I can hand over to, has been the Cyber Defence Alliance. I will say, based on my years of experience, I would say that the Cyber Defence Alliance is something that's probably very unique in relation to sharing information and intelligence, and then helping partners through difficult times or through incidents by giving advice or help or carrying out intelligence in the background to help people, to avoid and deflect attacks.
I would say it's very important, and I think, to hand over to Stevie, it's been really good for us. We've had a really good experience in it. And we’ve done things, I would say, in the Cyber Defence Alliance, that I'd say we haven't done anywhere else is in one member would have had an incident, and again, let's use that term jokingly that used earlier on, they're running around with their hair on fire. And then other members can actually carry out tasks on their behalf that allow them to have a better information position when they're about to make decisions, because when you're running around and you are under attack, it's a very difficult and arduous situation you find yourself in. You're trying to respond to the attack. You're trying to then give briefings up to the organizations. You've got regulatory relations that are asking you questions as to how ‑‑ where are we now, where are we now? You've got thousands of people doing it.
And then if you're in a position where you have a bunch of friends who are in the position who are not in the same position as you, and have the time to relax and actually do the research or intelligence gathering or the information on your behalf that allows you to make better decisions at critical times. I think that's been really, really benefit, and I'd say that's been the differentiator here the CDA has given to us in Barclays, compared to any of the other intelligence sharing forums that we've been members of.
I just hand over to Stevie. I'm sure he probably would agree. We've found it very beneficial and it’s been pretty important.
Stevie Wilson: Thanks, Paul, very much nodding all the way through your comments there. I think you can’t underestimate the importance of that collective security posture, information sharing, and actually that realtime understanding of the evolving threat. Because it may look slightly different to every single one of our partners. But back to the jigsaw puzzle analogy I spoke about earlier. When you put all those parts together, you start to see a clearer picture. So that was firstly, in normal times when it's not critical as the proactive network defends, to actually understand what might be developing.
Back to Paul's point there, when everybody's hair is on fire, those critical incidents, understanding, being able to fall upon your peers to be supported. Also, for the banks that are not being attacked at that time, being able to benchmark among the membership and go to your board and say we have a clear understanding of what's happening. Let's reserve decision. Do not underestimate the importance of that. And again, when the incident is over, being able to interface with law enforcement to present a collective picture from the financial sector. The gathering of the actual cost and threat. That's what can elevate something to a national investigation, rather than something at a local level. Unfortunately, our colleagues in the law enforcement have got limited capacity. But eventually as well, again on projects, back to the points on innovation and opportunity, why develop complex projects individually at a bank? The whole point is actually pool the resources to develop something for our collective good. And again, ability to benchmark, to understand where you stand with, and along with your peers, is hugely important for that collective response.
Back to you, Lauren.
Lauren D'Arcy: Thank you, thank you both. That's very interesting, and again, will resonate with the audience, I'm sure. Just a reminder, we do have a couple of minutes left for questions. If you would like to ask one, you should see a question box on your screen. Just pop the question in there. And I do see we have a couple of questions, so we'll go to Q & A now. So the question is, "If you were to give some positive advice to executives on this call who are beginning or improving their cyber security posture, what would you say in one minute?" Maybe start with you, Paul.
Paul Gillen: Oh, okay, I've already used up five seconds. I think getting ahead of the problem, that's the key to it. I would say the vast majority of organizations in the world have ‑‑ there's three types of cyber security posture. None, where you just don’t do anything. I don't think anyone is in that position. Two, reactive. I'd say the vast majority of organizations are in that. So something bad happens, we redouble our efforts, we defend against it, successfully defend against it, and the organization feels happy now.
Or the third one is, the more advanced one, is the proactive defence. Getting to a proactive defence, where you are members of sharing organizations. You know what the threat landscape is in your organization. You adopt one of the cyber security frameworks. We in Barclays, we adopted the Unified Enterprise Defense Framework and we achieved the status of intelligence‑driven defence organization. Which means that we see in advance of anything coming to us more often than we don't. So we do less reaction and we see what happens to other people. We help other people. We actually physically will help other people in organizations who find themselves in difficult positions. And then we use that information intelligence then after we’ve helped them to see if we would be able to withstand the same attack.
So go on a program of work. And to the cyber security professionals, I would say don't be defensive, and get all the dead cats out on the table. All the bad things that are in the organization, all the cyber security and things that are just not quite right. Get them all out on the table. Document that program of work over a protracted period of time. Put some program management staff in charge of that, because you're already busy enough. Execute against the program of work over a period of time. And then benchmark yourself annually on a two, three, four‑year journey. Benchmark yourself only to make sure that you're making the right level of progress on that journey.
And then you, as an executive in the organization, at least have the assurance that A, if something bad happens to you on the journey, at least you have that book of work to say, "Well, it was on this journey. It was well‑funded. We were making incremental progress in the right direction. We have been benchmarked. We showed that we were worse last year. We're now better this year, and we're better," et cetera, et cetera.
So something happens in the meantime, at least you have some sort of defensible position in the event that fines are going to be levied at you at the end of a breach. That's like a really bad scenario. And then obviously, the good side of it then would be that you are actually making that incremental progress. You're using your resources wisely. Your resources are less reactive, so therefore are not constantly redoubling their efforts in order to react to incidents, which gives them no time to plan and make themselves better as an organization.
And then last and not least, which we found it actually reduces costs. Once you achieve that status, it actually reduces the costs of security to the organization, which was a very pleasant benefit to the organization.
So there; I don't know if that was a minute or a minute and a half. But anyway, there you go. Off the top of my head.
Lauren D'Arcy: Brilliant, brilliant, a very full answer. Thank you very much, Paul. Stevie or Dan, anything else just in the last minute or two to add to that?
Dan Pilling: Sorry, after you, Stevie.
Stevie Wilson: OK, I'll take 20 seconds. I have been saying with the exec, and the list of your company priorities, what's your company culture? How do your staff view security? It should not be just a cost. It should be a differentiator. And finally, where do you think your company sits in relation to your competitors by way of your response and ability to tackle this? Over to you, Dan.
Dan Pilling: Yeah, I'm going to echo a lot of the points. Education overall is important to make sure that the, really, understanding of how important it is. You have to be run, as Paul mentioned, as a dedicated fully funded program of work. We need to identify those most invaluable environments, and then identify the controls that you need to implement that gave you the most benefit. So trying to do everything everywhere will end up giving you probably a very poor end result. Identifying a small number of things across your most invaluable environments will give you the biggest bang for the buck, and then you just iterate from there.
That's it for me.
Lauren D'Arcy: Brilliant. Thank you very much. That brings us nicely to the finish. We'd like to finish on time to let you all get back to your days. But a huge thanks to my panellists today, to Paul, Dan, Stevie, and Mike. It's been wonderful to have you here today. Thank you to all of the audience. We're so grateful that you've taken time out of your day to spend this time with us. We know it's holiday season, so it's really fabulous to have you with us here today. We will have the fourth in our FI Forum season coming up in September, and we'll be focusing on payments specifically. So please look out for the invite for that coming soon. And thank you very much for joining us today. Enjoy the rest of your day. Thank you. Good‑bye.