An Interview with Steven York, General Manager, Group Compliance and Chief Security Officer, Bank of Queensland
To build confidence with customers that a bank is protecting their personal data, a bank firstly needs to have confidence in their cybersecurity protection and detection mechanisms. These protection and detection mechanisms should reflect in the way the bank interacts with a customer and manages customer transactions.
FST Media: How has the cybersecurity ‘threatscape’ evolved over the last 18 months and where do you see it developing over the next 18?
York: There is a general view that the threatscape has, to some extent, evolved from random cyber-attacks focused on extortion for financial purposes (e.g. ransomware) to more focused attacks from larger organised cybercrime groups and highly funded rogue nation-states with the primary objective of disrupting critical infrastructure.
However, we should not discount the ever-increasing attacks from small cybercriminal groups still overwhelmingly focused on stealing personal data, credentials, and credit card information for fraudulent purposes.
FST Media: How should financial services go about establishing a common defensive framework to tackle this multi-pronged cyber scourge?
York: Corporate cybersecurity regimes within the financial industry have been working more closely over the last few years, meeting regularly to discuss and exchange information on the latest cybersecurity threats to the industry and sharing common best practices.
The Australian Government is also actively driving cybersecurity information sharing and collaboration across industries via the Australian Cyber Security Centre (ACSC), with offices in major cities. The ACSC is working very closely with organisations as a collaborative approach to knowledge sharing and education, and furthering the industry’s capacity to assist, react, and respond via cert.org.au.
FST Media: It is said that people, not machines, are the weakest link in any security perimeter. Despite an overall increase in digital literacy, phishing, baiting, and other socially engineered attacks are on the rise. What explains this growth and how can FSIs best mitigate their exposure to socially engineered attacks?
York: A three-pronged approach to limiting the risk associated with cyber-attacks aimed at people greatly reduces the risk and impact of attacks. This approach comprises:
- User education – Continued education of not only employees but also customers and third parties
- Measured communication – Limiting communication to customers and other third parties to secure communication channels e.g. communication with customers via secure online banking rather than unsecured email channels
- Knowledge of offenders – Cross-industry collaboration and sharing of information allows for greater insight into cybercriminals and their methods, e.g. sharing the phishing attack signatures of cybercriminals targeting multiple organisations to better understand the origin of the attack and filter these requests at the point of entry to an organisation
FST Media: In an age of persistent and, too often, indefensible cyber breaches – where customer data is often outsourced to third parties with limited security resources – what can banks do to ensure customers’ confidence in the protection of their data?
York: To build confidence with customers that a bank is protecting their personal data, a bank firstly needs to have confidence in their cybersecurity protection and detection mechanisms. These mechanisms should reflect in the way the bank interacts with a customer and manages customer transactions. Appropriate customer identification measures – including face-to-face interactions and secure authentication – when transacting provide a window into the bank’s approach and attitude towards the protection of customer data.
In instances where customer data is accessed by third parties, the customer should be made aware of the sharing of the customer’s personal data and, where practical, consent should be sought from the customer for sharing the data. Internally, the bank should ensure that third parties have appropriate cybersecurity practices in place that align with that of the bank and, on a periodic basis, confirm that the third party is operating within the boundary of the bank’s policy.
FST Media: Open banking and associated APIs are set to radically transform the way Australians bank. However, they also present considerable challenges to cybersecurity systems and the integrity of customer data. How can FSIs best prepare themselves for this radically new data-sharing regime?
York: In May 2017, the Australian Government undertook a review of open banking and set a date to commence the scheme on 1 July 2019, with a delay of 12 months for the non-big four banks. Open banking will essentially transform the way customers interact with the banking system by giving customers the right to share their data with other financial institutions. Open banking APIs provide the means by which financial institutions can access the customer’s information.
Taking into consideration the recent European legislation for open banking and recommendations from the Australian open banking review, financial institutions will be challenged in how they evolve their current processes and technology for:
- authenticating customers;
- gaining consent (authorisation) from customers to share data with partners;
- recording consent for audit purposes;
- allowing customers to revoke consent;
- vetting partners and their cybersecurity capability;
- granting secure access to partners to customer information (and only the information that the customer has consented to share).
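The six challenges listed above map closely onto a consent registry: the customer authenticates, grants a partner a scoped consent, the grant is recorded for audit, it can be revoked, only vetted partners can receive grants, and a partner's access is checked against the scopes actually consented to. The following Python sketch is an added example written for this page, not code from the interview, BOQ or any open-banking standard; the partner names, scope names and sample records are constructed, and customer authentication is assumed to have already happened (so `customer_id` is treated as trusted input).

```python
"""Added example: a minimal consent registry for open-banking style data sharing.

Assumptions (not from the interview): the customer is already authenticated
upstream; scope names, partner ids and customer ids are constructed samples.
Every grant, refusal, revocation and access attempt is appended to an audit log.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets

# Data classes a customer may consent to share (constructed names).
VALID_SCOPES = {"accounts:read", "balances:read", "transactions:read"}


@dataclass
class Grant:
    grant_id: str
    customer_id: str
    partner_id: str
    scopes: frozenset
    expires_at: datetime
    revoked: bool = False


@dataclass
class ConsentRegistry:
    vetted_partners: set = field(default_factory=set)
    grants: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, event, **fields):
        # Audit record for every consent lifecycle event and access decision.
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, **fields})

    def vet_partner(self, partner_id):
        # Only partners that passed due diligence may receive grants.
        self.vetted_partners.add(partner_id)
        self._log("partner_vetted", partner=partner_id)

    def grant_consent(self, customer_id, partner_id, scopes, ttl_days=90, now=None):
        now = now or datetime.now(timezone.utc)
        if partner_id not in self.vetted_partners:
            self._log("grant_refused", customer=customer_id, partner=partner_id,
                      reason="partner not vetted")
            raise PermissionError("partner has not passed vetting")
        unknown = set(scopes) - VALID_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        grant_id = secrets.token_urlsafe(16)
        self.grants[grant_id] = Grant(grant_id, customer_id, partner_id,
                                      frozenset(scopes), now + timedelta(days=ttl_days))
        self._log("consent_granted", grant=grant_id, customer=customer_id,
                  partner=partner_id, scopes=sorted(scopes))
        return grant_id

    def revoke(self, customer_id, grant_id):
        # Only the customer who gave the consent may withdraw it.
        g = self.grants.get(grant_id)
        if g is None or g.customer_id != customer_id:
            raise PermissionError("no such grant for this customer")
        g.revoked = True
        self._log("consent_revoked", grant=grant_id, customer=customer_id)

    def access(self, partner_id, grant_id, scope, now=None):
        """Return True only if this partner may read this scope under this grant."""
        now = now or datetime.now(timezone.utc)
        g = self.grants.get(grant_id)
        reason = None
        if g is None or g.partner_id != partner_id:
            reason = "unknown grant for partner"
        elif g.revoked:
            reason = "revoked"
        elif now >= g.expires_at:
            reason = "expired"
        elif scope not in g.scopes:
            reason = "scope not consented"
        self._log("data_access", partner=partner_id, grant=grant_id, scope=scope,
                  allowed=reason is None, reason=reason)
        return reason is None


def demo():
    """Walk one grant through its lifecycle; returns the access decisions."""
    reg = ConsentRegistry()
    reg.vet_partner("budget-app")                      # constructed partner id
    t0 = datetime(2019, 7, 1, tzinfo=timezone.utc)     # scheme start date from the text
    gid = reg.grant_consent("cust-1", "budget-app", {"balances:read"}, now=t0)
    results = {
        "consented_scope": reg.access("budget-app", gid, "balances:read", now=t0),
        "other_scope": reg.access("budget-app", gid, "transactions:read", now=t0),
        "other_partner": reg.access("other-app", gid, "balances:read", now=t0),
        "after_expiry": reg.access("budget-app", gid, "balances:read",
                                   now=t0 + timedelta(days=91)),
    }
    reg.revoke("cust-1", gid)
    results["after_revoke"] = reg.access("budget-app", gid, "balances:read", now=t0)
    try:
        reg.grant_consent("cust-1", "unvetted-app", {"balances:read"}, now=t0)
        results["unvetted_refused"] = False
    except PermissionError:
        results["unvetted_refused"] = True
    results["audit_events"] = [e["event"] for e in reg.audit_log]
    return results
```

The registry keeps a denial reason for each refused access so the audit log answers both "who was allowed to see what" and "what was attempted and blocked", which is the evidence a periodic third-party review of the kind described later in the interview would draw on.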
FST Media: What emerging cyber threat do you feel is not being adequately addressed by FSIs?
York: It is less of what cyber threats are not adequately addressed and more about how FSIs can ensure that they continuously adapt to proactively identify and manage emerging threats – after all, the prevalent cyber threat of the day will likely not be the most prevalent threat next week or next month.
Looking at recent changes in regulation, for example, the EU's GDPR (General Data Protection Regulation) and APRA’s CPS 234 Standard for Information Security, there is a definite focus on better management of data breaches and management of cyber threats associated with third parties. Most organisations incorporate the services of a third party in one form or another, whether it be cloud-based storage or third party of the organisation’s IT infrastructure; proper due diligence, from an onboarding and ongoing perspective, should be in place, and even more so where a third party has access to FSIs’ customer information.
FST Media: In addition to your role as Bank of Queensland’s CSO, you’ve served as mentor and Director for crowdfunder PledgeMe. What advice can you offer to budding leaders (in security or otherwise) wanting to make their mark within FSI?
York: I was given the opportunity and the permission by BOQ to become a Director of PledgeMe, a fintech start-up. I first became involved through the Queensland Government’s HotDesq innovation grant program. I was asked by that program to mentor a number of innovators. I worked with Anna Guenther, the CEO of PledgeMe, in developing her company from an innovative idea into a financial services company.
PledgeMe is a crowdfunding platform, providing a way of raising money from your friends, family, customers, and fans, ensuring that there is an auditable trail of pledges and on-going recognition of that money. Think of a goal and make a plan for how you’ll achieve it. Go to your crowd and ask them to pledge to your campaign. Perfect for those projects that banks cannot finance due to the increasing credit requirements post-Royal Commission.
This experience has really taught me that ideas can come from anywhere and that everybody has an idea that they wished they had turned into a business or career. The key is in the execution – taking that risk and filling a need that is required by the community to get things done in a sustainable way within the system (in this case, the regulated financial services industry).
Anna had the drive and the talent but did not necessarily have the experience of dealing with those everyday issues that only come with time. I found it refreshing that someone far younger than me enjoyed our interactions and listened to an ‘old campaigner’. I went away better educated and far wiser in the use of technology platforms that could literally change the world (the Ubers and Airbnbs, for example). I think all leaders should mentor young people; I am sure they will find their horizons expanded, be better placed for change, and be far more in touch with other people who think differently.
Steven York will be a featured keynote presenter at FST's Future of Security 2019 event series, in Sydney (2 April), Melbourne (4 April) and Auckland (9 April).