The Current State of UK Bank Security
SecurityScorecard Digs into the Grades of UK Banks
A Freedom of Information request in the UK has revealed that 791 data breaches occurred at most of the region’s major banks since the start of 2013 (with 585 of the incidents occurring in 2014). The FOI request was submitted by Egress Software Technologies, an email encryption provider, which recently reported a 183% rise in Data Protection Act (DPA) breach investigations. The DPA, which became law in 1998, aims to protect the personal data of UK citizens.
“Across all industries, the ICO has issued civil monetary penalties in excess of £7.5m, £455,000 of which were levied against financial services organisations,” wrote Egress in its press release on the matter. It should be noted that Egress stands to gain more business from more stringent encryption requirements for email in the UK. However, in the eyes of most security experts, this potential gain does not discount the need for stronger encryption and stronger authentication practices in the digital communications technologies that employees and customers use most heavily.
It should come as little surprise to security professionals that banks are big targets, given that these companies are in the business of money-based transactions, with huge IP footprints and large employee bases scattered all over the world. An article in Computing names seven banks that showed up in the FOI request. The banks included: Barclays, HSBC, Lloyds Banking Group, Natwest, Nationwide, and Santander.
SecurityScorecard Finds Major UK Banks Receive an ‘A’ for Application Security
Given the recent news of these past breaches, we took a look at the security grades of the banks named in the FOI over the last six months to see whether their posture has improved.
“It seems that financial institutions primarily have a focus on their external security postures of their most high value web application portals, such as login portals or applications that handle sensitive financial transactions,” said Alex Heid, Chief of Research at SecurityScorecard. “If an attacker were to target the web applications using standard attacks, such as SQL injection, that would most likely set off an alert and it would be mitigated.”
Six of the seven banks also scored well in network security and endpoint security (with grades of an ‘A’). Only one of the seven scored poorly for network security (with a ‘C’ grade).
Some UK Banks Score ‘B’ or Lower for Malware Events, ‘C’ or Lower for Password Exposure
“A more successful and common attack vector is the use of the spear phishing email, whereby an attacker is able to convince an end user to click a malicious link or download a malicious attachment,” said Heid. “Furthermore, the reuse of breached credentials from third party breaches is also a big threat to the internal networks of financial institutions.”
Other problem areas for some of the banks include patching cadence, social engineering, and IP reputation. One bank received a ‘B’ grade after one issue was discovered in hacker chatter forums. Another received an ‘F’ for password exposure.