“If there’s an IT issue, probably it will have an impact on the business lines,” says Lars Weber of the Spuerkeess, talking about the bank’s--and the wider industry’s--changing strategy towards cybersecurity. Photo: BCEE

“If there’s an IT issue, probably it will have an impact on the business lines,” says Lars Weber of the Spuerkeess, talking about the bank’s--and the wider industry’s--changing strategy towards cybersecurity. Photo: BCEE

It’s a never-ending cycle: cyberattack schemes grow in complexity, people get wise to them, the schemes grow more complex again, etc. Where are we now in the cycle? And, with technology becoming scary-advanced, what help are we getting?

Cybersecurity, in its current form, is a world of multilayer identification, LuxTrust codes, transaction notifications and streamlined communication channels (e.g. between bank and customer), all built upon preexisting layers of anti-virus software, firewalls and encryption techniques.

But you can throw all of that--along with your gigantic randomised password full of special characters--out the window if an attacker manages to trick you into sharing your own sensitive information or, heck, just sending them the money yourself.

This particular vulnerability, meaning human beings, was the subject of Information Security Education Day (ISED) 2023, where IT experts discussed new threats and how to meet them.

“People have mental models of how things work,” security researcher Jean-Louis Huynen of the CIRCL--Computer Incident Response Centre Luxembourg--wrote on his PowerPoint slide, explaining how human decision-making is prone to exploitable misconceptions.

In other words, when a process follows a familiar pattern, people are likely to trust it: whether it’s the series of buttons you click when making an online purchase or the decision you make to respond to a legitimate-seeming sender.

The buck stops with you

Several speakers at ISED stressed that the individual must be vigilant, since schemes are maturing and becoming harder to spot. “Today, you get perfect Oxford English,” said Lars Weber, information security officer at the Spuerkeess, talking about phishing emails. “Professional layout, sophisticated… no pushy attempts to create a sense of urgency.”

To wit, attackers aren’t (just) blanketing ten thousand marks with one bizarre email anymore, but taking their time with a single, high-value target. At the conference, Weber talked about one incident where the attacker had hacked an inbox, read a real conversation two people were having and used that information to improve their own credibility when approaching the target.

In this context, the message at ISED was clear: it is the responsibility of the individual to anticipate and recognise suspicious activity. You must train your employees, train your customers. “You have to explain to your customers what social engineering is about, how you will contact them, how you will not contact them,” said Weber. “You have to explain this a lot. Again and again and again.”

Actually, maybe the buck keeps going

At the same time, however, no amount of personal vigilance will ever eradicate cybercrime. “I wouldn’t say here, in front of an audience, that I would never fall for a social engineering attack,” admitted Weber, a veteran of 20 years’ experience in information security. His point: schemes like phishing, vishing, deepfakes, etc. have become so personalised and sophisticated that you can’t, in fact, rely solely on vigilance--neither your own nor that of others--to avoid them.

Indeed, human vulnerabilities are intrinsic in, well, humans. This has been a weak point in encryption systems probably since such systems began. In the nineteenth century, for instance, France had a network of semaphores: towers with multiple wooden arms that could make complex shapes visible from miles away, i.e., from the next tower. Via this network, the government could send sensitive information across the country much faster than the speed of a horse.

But--of course--in 1834 two bankers hacked it: they bribed an operator, gaining the ability to pass insider market information and thus make profitable stock moves, which they did for two years before getting caught.

It might therefore be accurate to say that cybersecurity (like any form of security) is just an ever-evolving game of cat-and-mouse: as people get wiser and wiser to schemes, the schemes themselves evolve, and people must catch up again, and so on.

If schemes can perpetually be novel, creative and unexpected (and indeed the French bankers weren’t punished because no laws yet existed to regulate what they had done), then it wouldn’t be fair to blame the victims of social engineering schemes. (Summarily, at least.) And particularly not in an age when attacks are reaching new heights of complexity thanks to artificial intelligence and other technologies, and when they are so prolific: Cybercrime Magazine , worldwide, a ransomware attack takes place once every 11 seconds.

The answer? Fire on all cylinders: promote vigilance, but also , encrypt the data you can, improve your contingency plans, update the regulatory environment, etc.

“It’s not a binary approach,” Lars explains in an interview with Delano. “You cannot just go one side or the other… you have to combine various mitigation solutions at different levels.”

Other bullets in the bandoleer

The EU is in the process of trying to get its member states on the same page when it comes to cybersecurity. Generally speaking, the reasoning is that doing so will ensure a high standard everywhere against attackers, while also making it easier to share information about attacks elsewhere in the network--in this case, quite a big network, the European Union. (For firms, another benefit is that a single reporting framework means they won’t have to report the same information in three or four places and in various formats anymore; so, less work.)

First up, law-wise, is the Digital Operational Resilience Act, aka “Dora,” which goes into effect in January 2025. Dora essentially requires financial institutions to implement measures that help prevent and mitigate cyberattacks.

Read also

“One of the main advantages [of Dora] is that it tries to align the standards, or the requirements, at a European level,” says Weber. “That’s interesting, even if it’s quite challenging because there are different technical setups, different ways of doing business.”

The next one is NIS2, an update to the Network and Information Security Directive of 2016 and which goes live from October 2024. Among other things, NIS2 broadens the scope of whom the original directive affects. For example, it will now extend to digital infrastructure providers who are outside the EU but who operate services (cloud storage, social media networks, etc.) inside the bloc. The idea, like with Dora, is to harmonise standards across member states and sectors.

There is also the Cyber Resilience Act, proposed in 2022, which is aimed more at improving the resilience of products during the design and building stage. “Cybersecurity should become an inherent feature in the DNA of any hardware and software,” said Lorena Boix Alonso, the European Commission’s director of digital society, trust and cybersecurity, at a Luxembourg For Finance webinar on cybersecurity last month.

More locally, a new label by Post and Luxcontrol that confirms a company’s maturity in terms of cybersecurity.

For firms, a shift in strategy

We can perhaps, broadly, term this understanding of risk mitigation--firing on all cylinders, trying to stop attacks at every point and with every resource available--as holistic risk thinking. And along those lines comes a change at the Spuerkeess, whereby the fields of operational and IT risks have now been merged. “We came to the conclusion that IT issues normally tend to produce operational impacts,” explains Weber.

Indeed, the worlds are intertwined. “Especially if you’re talking to an executive committee,” says Weber. “They have a business view, so you have to explain IT problems and IT-related topics in business terms. You have to have to understand both worlds in order to get the message across.”

“Four or five years ago, they were independent pillars,” he adds, talking about operational risk and IT risk. But no longer. And, he says, it’s a trend: “More and more banks are going this way.”

This chimes with what was said at the LFF webinar on cybersecurity. “It’s a systemic issue. It’s not just an IT issue,” said Jelena Zelenovic Matone, the EIB’s head of cybersecurity, on the topic of cyber threats.

For , CEO of the Luxembourg House of Cybersecurity, the field is no longer, really, a “field” at all: “We cannot say, anymore, that there is a cybersecurity ‘specialist’,” he commented at the LFF event, “because cybersecurity has become so broad a topic.”

It is perhaps a paradox: even if the game of cat-and-mouse is endless, the fight against cybercriminals always seems like it’s getting harder. For Weber, the regulations will help: “If you have… common standards that everybody has to adopt, I think this will raise the bar for the attackers.” Still, obviously, and forever: beware of strange emails in your inbox.