November 2020
And how does it help financial institutions (FIs) to fight financial crime and promote financial inclusion?
The financial services sector has been experiencing widespread digitisation for several years, but the pandemic has suddenly forced financial institutions all over the world to step up their digital pivot in order to continue offering seamless services to their clients.
In turn, this has widened the scope for cyber risks and financial crime. When it comes to cybercrime, humans are more vulnerable to exploitation than machines.
Together with leading cyberpsychologist, Professor Mary Aiken, Standard Chartered has recognised the importance of SafetyTech, to protect people online and to create cyber situational awareness within the financial ecosystem, positioning the sector for longer-term sustainability.
WATCH THE WEBINAR HERE
Cybersecurity at FIs is about more than just protecting computers.
Protecting data, networks and systems is vital, but it is equally important to protect the people who use the systems from online harm. People are arguably one of the most vulnerable parts of the security equation. Protecting people in cyber contexts requires understanding not only those who are attacking the institution, but also the people financial institutions serve and employ.
What is the difference between cybersecurity and cyber safety – according to Professor Aiken "its binary, cybersecurity focuses on protecting data, cyber safety or 'SafetyTech' focuses on protecting people."
A new sector, the online safety technologies or 'SafetyTech,' which complements the existing cybersecurity industry is gaining prominence.
SafetyTech describes the emerging online safety technologies sector which delivers solutions to facilitate safer online experiences, and to protect users from harmful content, contact or conduct, protecting users from everything from misinformation to online harassment.
To take one example, Standard Chartered uses safety technology to block access to certain websites and dark net platforms.
The COVID-19 pandemic has changed how we live, accelerating FIs’ digital pivot and multiplying associated risks. According to INTERPOL, the pandemic has seen criminals shift to targeting major corporations and governments and propagating fake COVID-related news. In one month, one country reported 290 postings of such fake news, with the majority containing concealed malware1. In this context, "SafetyTech is not an invention; it's a catch-up,” explained Professor Mary Aiken, a world leading expert in Cyberpsychology who has done extensive pioneering work in this new field, and a guest speaker at the Standard Chartered Correspondent Banking Academy Masterclass on 10 November. “Online safety technologies or SafetyTech ensures that the levels of assurance we expect in the real world are matched in cyber-contexts.”
1 Interpol, "INTERPOL report shows alarming rate of cyberattacks during COVID-19", INTERPOL News, 4 August 2020
SafetyTech aims to ensure that humans are resilient and secure when interfacing with technology.
To this end, Professor Aiken said that financial workers should be trained to have increased cyber-situational awareness and trained to become more aware of their “digital exhaust,” that is, the identifiable traces people leave on the Internet, for instance on social media. Professor Aiken recommended that in order to develop cyber-situational awareness and to check out your digital footprint, you should search yourself often, and when you do this, use a private window or incognito mode option. Personal information attained online facilitates a range of cybercrimes from socially engineered attacks, to identity theft and cyber fraud.
“Basically you need to think like a profiler, be cognizant of your digital exhaust and develop cyber situational awareness,” said Professor Aiken.
Professor Aiken suggested multiple levels informed by the online safety technologies taxonomy2 whereby FIs can implement SafetyTech:
In the information environment: Flagging content with false, misleading and harmful narratives, through fact-checking and disrupting disinformation (e.g. by tagging trusted sources and building confidence in them).
Via online professional safety services: Through training for increasing psychological resilience, cyber situational awareness and cyber safety practices, along with research frameworks and methodologies for auditing, evaluating or mitigating potential harms. In addition, advisory support for implementing technical solutions, enabling the development of safer online communities by embedding safety-by-default.
2 https://www.gov.uk/government/publications/safer-technology-safer-users-the-uk-as-a-world-leader-in-safety-tech
Human behaviour can change in cyber-contexts, Professor Aiken noted, due to powerful psychological drivers such as the Online Disinhibition Effect, compounded by anonymity afforded by the Internet.
Behavioural evolutions, coupled with the 24/7 'always on' nature of digital services, along with the profusion of communication channels, has increased the risk of vulnerability to cybercriminality, and has expanded the potential attack surface. Professor Aiken is working on the development of a SafetyTech service in the form of 'cyber-psychometric' testing, that would be of particular relevance in terms of tackling Insider threats, bottom line she says, "you need to know who your employees are in the real world, and you need to know who they are online."
Professor Aiken points out that on the dark web (i.e. that part of the internet which is invisible to search engines and can only be accessed with dedicated browsers), insiders can sell access to their employers’ confidential systems, they can also be recruited by sophisticated threat actors.
Understanding the motivation of insiders who have the potential to cause damage – whether disgruntlement, revenge or outside influence – is crucial to identifying and preventing it.
The impact of implementing SafetyTech goes beyond protecting institutions and businesses and has broader societal implications.
One key to achieving the UN’s Sustainable Development Goals is extending financial services to unbanked people3.
SafetyTech can help to build the trust of the unbanked in digital banking, while preventing them being exploited by unscrupulous third parties, for instance those that overcharge migrant workers for remitting money to their families.
To date, much of the cyber-safety discussion on the societal level has focused on protecting children and teenagers.
"We don't really see the same focus when it comes to vulnerable adult populations," Sullivan noted. But in many cases, it is urgently needed. "At our bank we have a strategy to provide microfinance to women in need in vulnerable populations, as well as certain countries where additional economic support is needed, for instance to combat corruption,” Sullivan explained.
“In those populations there's a lack of feeling of safety when on the internet. Women most definitely tend to be more targeted when using the internet. Some countries also lack the same protections around freedom of communication. SafetyTech can come to the rescue and really shore-up the digital products we're offering. We want our clients to feel that they are not going to be victimised when accessing our digital banking platform."
3 UNCDF, “Financial Inclusion and the SDGs”
To date, Standard Chartered is the first, and to the best of our knowledge, the only financial institution to recognise the importance of SafetyTech from both a financial crime compliance (FCC) perspective and as a means of building long-term resilience.
SafetyTech speaks to the bank’s three Sustainable Agenda Pillars: Sustainable Finance, Responsible Company, and Inclusive Communities.
By ensuring that people are just as well protected from cyber-threats as are machines and data, FIs can promote the sustainable financial inclusion of those who need it most, while at the same time shielding their employees from harm.
Essentially SafetyTech ensures a focus on People risk and vulnerabilities and is another dimension to cyber leadership that is critical in the fight against cyber risk and cybercrime, concluded Sullivan.