Digitalisation, cyber security, disruptive innovations and new business models – the banking world has a lot of issues to deal with. Traditional banks in particular are having to reconsider their business models if they want to be viable in the future. A key step is to adopt a new and, at the same time, networked way of thinking, which is a critical success factor in the age of digital banking. This is the only way to better identify risks and to preserve opportunities today and tomorrow. We spoke to security expert Herbert Saurugg about the methods involved, and how the transformation process can be successful.
Mr Saurugg, how do you do your banking?
Herbert Saurugg: Since I've had Internet access – so for 20 years – I've almost exclusively used online banking.
What do you think: Should customers turn back to the old-school way of doing things and go to the counter to make their transactions? And, in the age of increasing cyber attacks, would that be an effective way of protecting themselves against attacks?
Herbert Saurugg: Of course, this would be more secure at first glance, but would you really want that today? I certainly don't. Apart from anything else, an increasing number of bank branches are being closed on cost grounds and it would involve a massive effort on both sides. I've never had anything go wrong in the last twenty years, at least as far as I have seen. There was one large false entry but that was not caused by a cyber attack, and it was corrected thanks to my attentiveness. But you do hear that in recent decades banks have often managed to smooth things out in the background before customers noticed that anything was amiss. The work involved is said to have risen significantly, resulting in an increasing impact on costs.
Nevertheless, the banking sector is definitely one of the most secure, as it has very long and very intensive experience with the dark side of the Internet. In spite of this, there are still successful digital bank robberies, as we can read in the media from time to time, particularly when very large amounts are involved. I think that online banking remains very secure for individuals provided they observe certain basic rules and exercise common sense. With today's two-factor authentication, you have to do a lot of things wrong to have your money stolen. Abuse tends to take place at other levels, particularly through social engineering, where common sense is outsmarted or greed overrides it.
The continuous trend towards digitalisation and networking is clearly apparent in the financial sector. Banks propound paying by app as an easy and secure option. Do you agree, particularly with the last part of the statement?
Herbert Saurugg: The main benefit of continuous digitalisation is that it can prevent expensive media discontinuity. I think it brings positive effects for all parties. Whether the cost savings are passed on to customers is another matter.
Are the apps secure? At least until we have proof to the contrary. I'm really confident that banks will not take frivolous risks here. We need to make sure that business interests do not have a higher priority than security considerations.
In spite of everything, I think the risk to individuals from this side remains negligible. Of course, what I said before applies here too – exercise common sense and caution, and remember that greed can override the brain.
If your wallet is stolen or lost, the money is gone, even faster and more easily than in a digital environment. Therefore, we need to keep things in proportion, even if security risks change.
Let's stick with the issue of digitalisation. Young start-up companies – the so-called FinTechs – are providing huge competition for established banks. What steps do the major players need to take to remain competitive in the future and, at the same time, to make sure they do not neglect the necessary security in banking business?
Herbert Saurugg: My personal assessment is that we will experience huge upheaval and turbulence in the coming years. This sector will not come through unscathed. On the one hand, the global financial system is on very shaky foundations, even if this is often disputed or represented otherwise. But even the major crises that were triggered by the financial system starting in 2007 were not predicted and their full impact was not recognised. The fundamental causes have not been eliminated, therefore we still have a systemic risk that is likely to come back to haunt us in the foreseeable future. This time, though, there will be no safety nets as we have used them all up in the last ten years. On the other hand, our dogmatic pursuit of economic growth is increasingly coming under pressure. If currently hyped issues such as blockchains become established, which I think is realistic and fits very well into the general decentralisation trend as we see a transformation to a networked society, it would turn the banking sector on its head. Automation is likely to overrun the sector sooner rather than later. Strictly speaking, this has already been happening for many years, but the speed will continue to increase.
To keep pace with these developments, things need to be considered and understood in a different way. This is certainly happening as part of a fundamental transformation and it is why established models no longer function. A central point is that networking increases complexity and complex systems cannot be centrally controlled. Well-intentioned top-down banking regulation, which affects even all the small commercial banks in the same way, is overwhelming the system. The actual purpose of these banks – regional lending – is almost impossible to fulfil. As a result, a kind of "creative destruction" is taking place. New solutions will simply solve problems better and more quickly, thus rendering the old systems superfluous. Take crowdfunding as an example.
I think it's important to emphasise that it's not a case of either/or, it is always possible to have both. There will definitely still be niche markets for traditional financial business, but its importance will decrease. On the other hand, decentralised solutions, such as those associated with blockchains, will allow low-cost complementary regional currency and exchange systems, which make the banking system superfluous. Anyone who continues to think in terms of old models will sleep through these developments and the associated opportunities.
This doesn't really have much to do with your original question, but if you don't understand these overriding issues or at least have them on your radar, you will end up investing a lot of energy in solutions that soon nobody will need. This is something that doesn't just apply to the financial sector.
What risks do you think will impact on banks in the medium term in terms of cyber security?
Herbert Saurugg: As I said, banks were certainly one of the leading targets for cyber attacks, which means that they have gained the most experience in this field – after all, they have plenty worth stealing. Now that banks have achieved a very high security level, other sectors are increasingly becoming the focus of cyber criminals.
For example, since last year there has been an explosive increase in extortion using encrypting malicious software, which can and does affect many people. Why carry out a sophisticated attack on a bank when you can get away with money much more easily? Of course, all the effort can certainly be worthwhile if we look at the very large attacks involving amounts running into billions. Unfortunately, though, we cannot just sit back and enjoy a sense of Schadenfreude. Attackers only have to be successful once but defenders have to be successful every time. So I think that by far the bigger risk for the banking sector currently comes from a totally different direction in terms of the foreseeable disruptive developments. Nevertheless, the sector needs to keep its eye on the ball as the other side is constantly vigilant.
Last year, Andreas Dombret, a Board Member at the German Bundesbank, said: "The financial sector is not only an important target for cyber attacks, but also susceptible to almost every conceivable cyber risk. This is regrettable for the financial sector, but good for other sectors as it makes the financial sector a source of exemplary practices that can also be used in other areas of the economy." Would you back up this "role model function" of banks?
Herbert Saurugg: Yes and no. As already discussed, the banking sector certainly has plenty of experience and know-how when it comes to preventing and dealing with cyber attacks and others can learn from this and should use it.
On the other hand, there remains a difference between defending primarily virtual systems and business models based on physical infrastructure systems, where a failure can lead to very different consequential effects from money being stolen virtually, which may be possible to recover.
The financial sector has impressively demonstrated that "too big to fail" systems can cause huge social damage. So we should mainly learn from that. Unfortunately the converse tends to be the case at present. Many sectors are seeing huge acquisitions and mergers, resulting in even more "too big to fail" systems. The shipping industry is already under massive pressure and others such as the pharmaceutical industry will follow. When the cracks start to appear in these areas, it will have an impact on all of us. Again, I've moved away from the topic but to be honest these are things that I'm more concerned about than the immediate cyber threat to banks.
Let's imagine the following scenario: You hold a responsible position in a bank and have to play a leading role in a strategic realignment towards more digital services. What would you do, and what safeguarding mechanisms would you consider and, where appropriate, put in place?
Herbert Saurugg: Luckily I'm not in that kind of position! I wouldn't ever want to be and nothing in the world would persuade me to swap places with someone in that position. Nevertheless, from a systemic perspective there are some basic rules for a viable system design that could be successfully used in this situation.
The first is cutting energy and resource requirements as this can reduce dependencies and vulnerability. This can involve simpler systems that can still be monitored and controlled, both by the user and by the designer from a security viewpoint. However, we tend to go the opposite way as hardware resources facilitate this and are becoming cheaper, and at the same time we do not take the time to clear things up and simplify them. Of course, this increases potential vulnerability.
The second aspect is decentralisation and reach limitation, to ensure that any faults or losses are unable to spread widely and that complex systems remain manageable. This does not mean isolation, as that would run counter to the concept of digitalisation. But we can limit interaction with other systems to what is absolutely necessary. This reduces the potential for abuse. This also makes us more flexible and adaptable and brings us closer to actual customer requirements. This aspect primarily affects the management organisation.
The third aspect is error friendliness and tolerance. The well-known IT security expert Bruce Schneier recently made a very accurate statement that we should finally give up trying to patch people as it simply doesn't work. People are increasingly becoming more creative, in both a positive and negative way, than stressed developers of technical (security) solutions. A very simple method of dealing with this is to use plausibility checks, which are used very successfully in the banking sector but are still frequently ignored. Just think of the recent incidents involving the "Fake President Fraud" where large sums were stolen. A simple verification of whether it was true could have prevented all that. We also need to look at diversity, which can result in increased costs for the operator but monocultures are more susceptible to attacks and are also more attractive targets.
Let's look at some of the morbid crash scenarios involving a partial or total failure of systems. Would it not be wise and perhaps also safer for a citizen to keep some of their money in cash "under the pillow"?
Herbert Saurugg: Again, a mixed approach is best. It certainly makes good sense to have a certain amount of small denomination notes and coins at home to maintain a capacity to act in case of major infrastructure problems or even failures. Just think of the widespread ATM faults that repeatedly occur. I'm also thinking about the effects and consequences of a Europe-wide power or infrastructure failure – a total blackout – that would turn our lives upside down for a time and where it would definitely be useful not to be dependent on electronic money alone.
On the other hand, there is no sense in hoarding large quantities of cash under the pillow due to the justified fear of a financial crash. If such a crash were to occur, it is likely that physical money would also lose its importance and value. It would be much better to think about alternatives. Merely giving some thought to this possibility is likely to raise additional options that would not be available without proper preparation. Albert Einstein is reported to have said that problems cannot be solved with the same way of thinking that was used to create them. This applies to the cyber sphere and to many other current challenges. If we genuinely want to prepare ourselves for possible turbulent developments, we should start with simple precautions that will enable our families to survive self-sufficiently for a few days as that is when there would be the greatest social vulnerability. It makes no difference what causes this interruption of supplies.
Although we have addressed a wide range of issues and got into some quite morbid scenarios I'd like to end by emphasising that we should continue to make use of the positive aspects of digitalisation. At the same time, we have to be aware that it could also have a dark side and be associated with huge social changes.
Unfortunately, we are still very much tied to a simple linear cause/effect mindset that is increasingly ineffective when it comes to solving problems. Therefore, there is already a need to catch up with the consequences of the technical networking we have created. We can't turn back the clock. As a result, we have to work on our way of thinking, as networked thinking and cooperation are key elements for a successful future and for addressing security problems. There is plenty we can learn from cyber criminals, who are already doing this very efficiently, but unfortunately for the wrong reasons.
Herbert Saurugg, MSc, an expert in preparation for the failure of critical infrastructures, was an officer in the Austrian armed forces for 15 years, most recently in ICT/cyber security. Since 2012, he has been working on the possible consequences of increased networking and complexity, particularly for the European power supply system and a Europe-wide power and infrastructure failure ("blackout"). He writes an extensive blog on these issues.