LIVE FROM GSMA MOBILE 360 – PRIVACY & SECURITY, THE HAGUE: Day two’s keynote saw a panel of experts discuss how C-level executives can deal with breaches and leaks, and how financial institutions are particularly vulnerable to hackers.

Wendy Cheshire, director – cyber security at Control Risks, who was moderating the panel, said firms should always try to predict where a hack may come from by adopting “an attacker mindset”, and must be ready with a response plan of their own.

James Hatch, director – cyber services at BAE Systems Applied Intelligence, echoed these sentiments when he said that “the bottom line impact depends on how well prepared you are”.

He believes C-level execs should not try to fix everything at once or work for days on end without a break. He recommends they share responsibilities, assigning shifts to each executive so no one is working round the clock, and decide on “phases” of response.

His recommended phases are to stop the leak, stabilise services, and then work to improve security for the future. Hatch also believes execs need to decide, before an incident actually occurs, what their stand will be, especially if the media is involved.

Banks are “prime targets”
Meanwhile, Alexander Glaus, associate general counsel at Deutsche Bank, said the financial industry is at a “turning point” because, although IT budgets are constantly being reduced, “the digital agenda has reached the industry” thanks to fintech, putting pressure on banks to evolve and keep up.

He believes banks are “prime targets” for security risks because they need to have interfaces with clients as well as other banks, and because it’s not just money hackers are after, but sensitive information too.

Moreover, services such as the cloud may have good security standards, but that doesn’t mean they are good enough for financial institutions, which need to be extremely careful.

Another challenge is that banks often work internationally, falling under the regulators of several countries.

They therefore need to be capable of fulfilling all regulatory requirements, some of which can be challenging. For instance, the European Central Bank wants to know about any security incidents within two hours.

Glaus believes banks must not only bullet-proof their own environment but also that of their service providers through penetration testing, source code testing and updating software.

A common theme of the event is that employees are the weakest link, something Glaus reiterated, suggesting that dry runs of security risks, coupled with employee training, be implemented.

However, he cautioned that while suspicious behaviour must be analysed, employment rights and privacy should be kept in mind. If staff are constantly monitored and scrutinised, employee relations and morale are likely to take a hit.