Attestation for the SWIFT Customer Security Programme (CSP) will start in July. That might seem like plenty of time to show that you can comply with the 16 mandatory controls (and hopefully the 11 advisory ones as well), but it’s coming up faster than you think. You’re going to need every second between now and then to craft a solid security strategy that proactively protects your organization against the ever increasing threat of fraud – a strategy that protects you well into the future, not just until the next breach happens.
As you work through the security planning and implementation process, here are answers to the top 4 questions regarding the SWIFT CSP, along with some guidance on what you need to do to avoid future attacks.
- Just how serious are the cyber threats that banks face?
Very. That may sound somewhat alarmist, but it’s just a realistic view of the ongoing state of the industry. Business email compromise scams have risen 2,370% since January 2015, draining international organizations of more than $5 billion since just 2013. A full 38% of organizations now admit that it’s difficult to tell the difference between a legitimate payment and a fraudulent one. Plus, in a November letter to banks worldwide, SWIFT themselves have said that “the threat is very persistent, adaptive and sophisticated – and it is here to stay.”
This is not a drill. Banks are under attack and must take action now to not only meet SWIFT’s requirements, but to implement a comprehensive security plan that will future-proof their institutions against growing threats.
- Are internal or external threats the bigger danger?
Threats can come from anywhere and they all represent a significant danger. While external threats can range from individual hackers to organised fraud rings or even state sponsored actors, fraud perpetrated by insider threats is no less insidious. In fact, some of the most infamous attacks to capture the headlines in the past 18 months are alleged to have been perpetrated by insiders. To effectively protect against both internal and external threats, it’s necessary to proactively monitor all user behavior, regardless of where it comes from.
- What has changed in the threat landscape to drive the need for new methods of security?
Progress is a tremendous change agent. When Karl Benz drove the first car in 1886, seatbelts were hardly a necessity because the car’s maximum speed was 10 mph.
Payments have been the benefactor – and the victim – of a similar type of evolution. As payments have moved faster, so have cyber criminals. That, in essence, is the problem. The methods fraudsters now use to infiltrate payment systems and divert funds are evolving faster than anyone can keep pace with. The situation that has evolved with SWIFT customers is a perfect example. The $81 million heist in Bangladesh. $12 million in fraudulent transfers from Banco del Austro (BDA). An attempted attack on Vietnam’s Tien Phong Commercial Joint Stock Bank. SWIFT was never the direct victim of an attack, but their customer’s local environments — banks with insufficient security controls — were an irresistible target and therefore an Achilles heel for the entire community. It was a perfect storm of circumstances that shined an international spotlight on the desperate need for all organization that handle payments to employ better security protections.
The traditional log-file systems that are still widely used today aren’t the answer, either. They are of little to no protection because they only make organizations aware of a fraud incident after it’s happened. Once payment fraud has occurred, it’s next to impossible to recover the losses – most of the $81 million from the Bangladesh heist, for example, is still unaccounted for. To avoid financial losses and reputational damage, threat detection must happen in real time.
- Do all 27 of the SWIFT CSP controls need to be implemented in order to achieve maximum protection?
You certainly need to implement the 16 mandatory controls. As for the 11 advisory ones, that’s a topic of much debate. Some organizations view them as optional, but we would strongly recommend that you assess their necessity for your own organization. Many of them are common sense measures that should be a part of a comprehensive security plan anyway, so it may just make sense to comply with them as well. Also worth considering is the fact that as the threat landscape evolves, controls that are currently advisory may end up becoming mandatory anyway.
Ultimately, the CSP program is a positive step in the right direction for defining a strong baseline of security standards for the SWIFT community. You should look to build on it as a foundations for a broader security playbook designed to stop fraudulent payments before they happen.
It would be a mistake to view having to comply with the CSP as a distraction from the real focus of your business. Instead embrace it and use it as an opportunity it enhance your organization’s overall security procedures. This is a perfect chance to evaluate whether or not your security is up to the challenge of protecting your payments against modern threats. Fraudsters are using every tool and trick available to them. Are you?