Why SWIFT’s CSP Isn’t Enough To Protect Your Organization

2555

It was around this time last year that SWIFT members started making major headlines regarding security breaches. The $81 million heist in Bangladesh. $12 million in fraudulent transfers from Banco del Austro (BDA).  An attempted attack on Vietnam’s Tien Phong Commercial Joint Stock Bank.  It’s a long and serious list that prompted SWIFT’s own chief executive of the America’s and UK, Javier Perez-Tasso, to issue a warning that the financial services industry was facing a defining moment in the fight for cyber security.

In fairness, SWIFT itself was never the direct victim of an attack. Insufficient security controls employed by their members were the root cause. As a result, SWIFT has now launched a Customer Security Programme (CSP) to compel more consistent and stringent security measures amongst its ranks.

It’s a valiant step in the right direction, but on its own it won’t work. Here’s why:

To begin with, SWIFT’s own documentation admits that the CSP “should not be considered exhaustive or all-inclusive and does not replace a well-structured security and risk framework.”

It’s a smart disclaimer that puts the burden of responsibility on member organizations if they still get hacked after implementing the required controls. And the harsh reality is, if all companies do is meet the mandatory requirements of the CSP, they are still at a high risk of getting hacked. Frankly, even meeting all 11 advisory controls doesn’t guarantee any degree of protection against payment fraud –- and that’s where the strength of the CSP is focused (more on that later).

It all comes down to this: the CSP is a great start, but organizations should in no way rely on it as their sole source of protection. To do so would be a trap. As with all regulations, the CSP is only meant to enforce a minimum set of security standards. To future proof your organization against payment fraud, you will need to do more than the bare minimum.

The second reason the CSP isn’t sufficient is because of the 11 advisory controls. For the most part these controls support the main objective of the overall program by calling for common sense measures such as user session integrity, physical and logical password storage and scenario risk assessment. The weight of these controls, however, lies in the section that calls for logging and monitoring. It’s the strongest protection found in the entire CSP and focuses on recording security events to detect anomalous activity within the SWIFT environment. On the surface this sounds like a great idea and seems to be exactly what the industry needs – until you realize that the logging and monitoring is called for in end-of-day reports.

Only finding out that fraudulent payments have taken place at the end of the day is too late.

You wouldn’t have a home security system that only photographs intruders as they leave your house with your stuff, so why would you implement end-of-day log file reporting and consider yourself secure?

There’s no question that something needs to be done to stem the significant financial losses and reputational damage that are occurring as a result of the meteoric rise the industry has seen in fraud threats. Business email compromise threats alone have risen 1300% since January 2015. We are under siege. But we’ve got to do better than end-of-day log file reporting, because that’s just a Band-Aid that creates the illusion of security.

Ultimately, you have to stop fraud before it happens. Protect each and every payment that passes through your hands.

That means taking a proactive security stance, one that monitors users and SWIFT payment flows simultaneously to help rapidly detect anomalous activity. The technology is certainly available to achieve that level of protection. It’s completely possible to arm yourselves with a solution that offers dynamic profiling coupled with scoring and predictive analytics to produce alerts and prevent fraudulent transactions from taking place.

So find one and implement it as soon as possible (or, if you use a bureau, find out what level of protections they offer). It’s the best recommendation I can give to organizations who are interested in actually securing their systems, rather than just meeting security requirements. Now is the perfect opportunity to take the few extra steps necessary to protect your organization well into the future, not just until the next breach happens.

About James Richardson
James Richardson, Head of Market Development, Risk and Fraud at Bottomline Technologies
In this article