Navigating the new threats to cybersecurity
Join Coincover’s Chris Pace and a panel of experts in their discussion exploring the challenges of cybersecurity in a decentralized world.
Good morning everyone. Really lovely to see everyone here, bright and early this morning. I'm Sid, I cover banking fintech at the Financial Times and I’m really delighted to be talking about cybersecurity as a topic which became more and more important during the pandemic, as we've seen, businesses, including financial services, shift primarily to remote or hybrid working.
I am delighted to be joined by Chris Pace, Chief Technology Advocate at Coincover, which is a firm which works on using tech to protect against theft, loss, fraud around crypto assets.
We are joined virtually as well, by Sujata Dasgupta, the global Head of Financial Crime Compliance advisory at Tata Consultancy Services.
Finally, Samantha Biden. Global Head of Information, Cyber Security policy and Standard Reporting at Standard Chartered Bank.
Thank you very much for joining us virtually and thank you to our virtual audience.
So just to start us off with a question at Chris, since you're here.
Thinking about the idea of, what is the biggest threat in cyber security, facing financial services, and you know obviously what biggest means can vary from sheer numbers of attacks to the actual cost to companies or reputation, and increasingly, the geopolitical aspects, as we've seen, obviously in the last few months in particular, but that's become a primary focus of discussions.
The question itself raises more questions because biggest is like, you know well you work in cybersecurity, that's not going to really mean anything you know. Am I a target of it? So therefore, is it big to me? Because if I talk to you in the context of threats that face us, ransomware is the most obvious. Ransomware is such a pervasive threat that it has murdered an entire cyber insurance industry. That's how big that is. So basically we look to insure a thing and then we said, “Oh no, we can't cope with the risk of that anymore. Ransomware is too big, we now can't offer cyber insurance” so there are companies pulling out of it, so that's big, ransomware is big.
Financial services, though specifically, are more interesting because we don't hear much reported and actually you can't get away from reporting in the context of ransomware because attackers tend to advertise the fact that you've been attacked, and so in the context of financial service, you don’t actually see all that much in financial services, which is kind of interesting, and I suppose is a little badge of honor that maybe the industry can wear because, probably those financial services organizations are particularly good at securing, managing, patching up data infrastructure and ransomware. That’s the biggest opportunity really, something open that enables the attacker to get inside.
So thinking about the two halves nation state, it wouldn't really impact on financial services, but nation state is very focused on those kind of hyper targeted, looking for vulnerabilities in infrastructure trying to find ways to get into organizations and other nation states. On the cyber-crime side though, so the sort of financially motivated threat actors, obviously the lowest barrier to entry for them is the user, is the consumer or the customer of the financial services company. You know all the traditional stuff, phishing attacks represent still a massive vector in order for, you know, finding ways to access people’s finances and basically con them out of their money.
And then I suppose I have to talk about, you know, the nature of emerging threats in the context of crypto. So crypto investors are particularly targeted around phishing attacks to look to access and drain wallets, so that would be my sort of summary of what the threat surface looks like today. It doesn't really answer the question of what's the biggest because it depends which one is attacking you that morning.
Yes no, absolutely thank you and we'll touch on digital assets more in a little while. Sujata, I don't know if you'd like to give your thoughts on this question.
Yeah, sure, thanks Sid, I think that's a brilliant question to start this discussion, because that is the problem. In fact, cyber-crime is among the top eight priorities or if we talk about the US's FinCEN, they listed cyber-crime as one of their eight priorities last year. Similarly, the EU money laundering directives among the 22 predicate crimes, we know that cyber-crime is among those, so even among institutions the national governments regulators, I think cyber-crime has assumed a very significant importance. And like Chris mentioned, it's about the impact and who is getting impacted? So definitely, ransomware is one of the primary threats, but then again, beyond that I think while financial institutions have been able to secure their data and we don't hear so much of data security issues with financial institutions. But we know we are living in an interconnected world and data security breaches even in any other organizations, can reveal a lot about consumers.
So with the data breaches, what happens is, a lot of data is then out with the criminals, which they go and sell on the dark market. Then this leads to another series of frauds and cyber-crimes like identity thefts, account takeovers, social engineering scams. So I think data breaches, whichever organization it is, I think every customer data is out there in the dark market and we know early June, the Department of Justice, closed down SSNDOB. That's a dark market which was actually selling the exact same thing, SSN and date of birth of various individuals in West. And this is the kind of threat that cyber security breaches can perpetuate. So it starts with a data breach, then it goes to identity theft and various other, say online frauds, account takeovers, malicious scams.
So if we have to talk about the scale, since we are talking about the biggest threats. If we talk about scale, probably ransomware takes the trophy there. But if we talk about the damage that is done and the costs to institutions and customers, I think that is massive. I was reading a report from Cybersecurity Ventures and they have estimated again nobody knows the exact number, but the estimate comes to for 2021 alone, the total cost was about six trillion dollars, that’s just one year, and this cost has been increasing at a pace of about 15% annually. So we estimate that by 2025 the total costs of cyber-crime related risks would be about over 10.5 trillion. Now that is a massive number, so this I think this is what makes it big, the kind of crimes and the after effects of those crimes, because there is data which is stolen or damaged, there is financial loss to customers or through ransomware. Then there is the costs of investigations. The cost of getting things back because there is a business and their entire supply chain that is disrupted. So there is a lot of operational loss to the businesses, getting them back on track. This involves a lot of costs along with reputation damage. So I think that is what makes cyber-crime a really big threat.
Thank you Sujata. And Samantha, from your perspective in a bank, I’d be interested to hear what you see is the largest threat coming down the line in terms of cybersecurity?
Yeah, sure, you know we're concerned with state sponsored attacks. A huge range of different phishing attacks, all the things that Sujata and Chris have just mentioned. An example of a state attack directly at a financial system, something like the Bank of Bangladesh incident in 2016 where an attempt to redirect a number of payments, to the value of approximately one billion U.S. dollars by North Korea was nearly successful. I highly recommend actually the Lazarus Heist podcast by BBC because this explores this whole event in a lot more detail.
More recently the SolarWinds Hack in 2021 demonstrates the potential scale of the impact when data breaches occur, affecting multiple industries and the broader context here, I guess is also digital transformation driven by significant amounts of data and our ability to interpret it in different ways. So attempts to exfiltrate this sensitive and valuable information could also be incredibly damaging.
More recently you know, particularly during the COVID-19 pandemic ransomware has been mentioned. It definitely is one of the most prevalent attacks that we're concerned with.
Earlier this year the UK's National Cyber crime, Cyber Security Centre released an advisory along with the US and Australian counterparts noting how in 2021 they had observed an increase in sophisticated high impact ransomware incidents against critical national infrastructure globally, so the threat is both direct in terms of the potential disruption caused and the need to respond, recover and maintain resilience. But also maintaining the trust of our customers and clients should an incident occur. So obviously, that's a big concern for us.
One of the insights in that report, provides a view of the scale of this challenge is the redirection of mid to late 2021 of ransomware attacked against mid-sized victims as well as defenses of the major organizations getting better. There is clearly an awareness of half of the attackers, of just how interconnected the global supply chain is and how it may be more effective for them to target large organizations for their third party. So you know, we're always concerned about making sure that we work very closely with our third parties to make sure you know they are aware of the threat.
And as we continue to witness the hostilities in the Ukraine, we're still wary of potentially collateral damage, but cyber dimension to that occurred when NotPetya malware which was targeted against Ukraine entities in 2017 propagated worldwide causing you know billions of dollars of damage.
I think as a leader I'm also acutely aware that my organization’s resilience is dependent on my team as well. So that's kind of, it’s not a threat as such. It’s a side thing that we need to be concerned with. And then given those, you know threats that we've all outlined here, I think there's always a push to sustain delivery of new capabilities to protect our customers and clients but I need to balance this with a number of factors so the fact that cyber skills and experience are relatively scarce, and therefore the need to retain the great talent we already have. The need to ensure our workforce is diverse and inclusive, providing a motivating environment, you know growth, somewhere that people are happy to work. And the need to adapt to a vast array of working styles and preferences in a post-pandemic environment. And I think one of the other things that you know we're constantly concerned about is avoiding burnout and ensuring that our attrition rates are kept within levels that we're happy with. So while there are threats like ransomware and such, there are these blind threats as well.
Brilliant, thank you. We've touched on a few topics there so maybe actually it makes sense to start on that last point on skill shortages and sort of how do we counter them, you know? Where in the pipeline is most effective for governments or for the private institutions to effectively, you know, set about ensuring that the future supply of the people with the skill in cybersecurity continues? Chris, if you'd like to start on that.
Yeah, I think what's interesting about trying to meet a challenge like a shortage of human capability in cyber security is actually the nature of many of the kinds of individuals who would look to want to move into those roles, and it's highly unlikely that traditional training methodologies or even you know degrees or you might even try to wrap it up as vocational training we have limited success in that area actually where certainly in my experience, we've seen the most success is where we can begin to build out a kind of hands on threat specific, I would hesitate to even call it, training. Exercising that can enable individuals to wrangle with this stuff in a way that feels very real to them and that enables you to kind of ramp their capability whilst at the same time exciting them about the things that they get to do.
And there's also a neurodivergent angle here. So, to that last point, that's a great point around the diversity. But neurodiversity is equally part of that. And again, when we look at the makeup of, you know, the cyber security workforce today. Today neurodivergence is heavily represented, so we need to think about ways to enable those kinds of individuals to be able to maximize their capability to better defend organizations and nations.
Sujata, how do we solve the skills shortage?
I totally agree with Chris here that you know we do face a skill shortage and like you mentioned it's not something which you can do it in classrooms by just making them read books. So this is a niche skill and it requires a lot of you know, special training. But then again we appreciate that this skill is in very high demand because every organization is looking for people with such skills and it is in short supply.
So I think what organizations are now looking to is augmenting this workforce with the digital workplace and we've been hearing a lot about, you know, incorporating AI and machine learning and advanced technology into this mix, because these kind of solutions, they have a capacity of processing huge volumes of data. I mean, we're talking terabytes of data and they're trained on, say, decades of accumulated data. So that is something which I think organizations are looking now towards.
While they have to work along with your own office staff, they will have to be of course upskilled or trained on this, but I think this digital workforce augmentation is one of the areas which institutions have been thinking about deeply.
And then of course there is this cyber hygiene which customers also need to be educated about because they also form the first line of defense. If we are talking about financial institutions.
Customers also form the first line of defense and there are a lot of people who are not aware of the dos and don’ts. They may have newly onboarded this world of digital payments, maybe during the COVID or due to digital. You know the quality of life becomes better when you're doing everything online.
So that kind of cyber hygiene also has to be communicated among the customers, so I think, along with training your own internal people, augmenting with digital workforce and customer education on cyber hygiene could be some of the mechanisms.
Thank you. Samantha, one thing I hear a lot when speaking to banks is that they are trying to actually be really focused on their own workforce and upskilling sort of really to Sujata’s point is that something that you see within your institution is that sort of core focus?
Yeah absolutely. I think we have to ensure that our organizations are really attractive to individuals with varied skillsets and from a variety of backgrounds. We’ve started a Cyber Acceleration Program, which is a great example of combining sort of formal learning and targeted mentoring and so we support junior female colleagues into cyber security roles where they're currently significantly underrepresented. There may be a cyber skills shortage but there is no shortage of talented people.
I've got a degree in sociology psychology and you know, I landed in cyber-security five years ago, totally not expecting to be here and it just demonstrates that, you've got all sorts of skill requirements from highly technical, creative, psychological, you know. You understand the threat landscape and people that are operating as criminals and such and I think having these combinations is actually crucial to addressing that gap and formal learning and certifications are definitely helpful, but I think so are soft skills and abilities. It's really a field for anybody that has interest in it, there’s always a way to contribute from a skills perspective.
I’ll just add something here because I think there's risk wrapped up in this as well. So one of the challenges that we face as a cyber security industry is that it is built fundamentally on putting bits of technology in places to solve problems. I think the risk is that we could end up with technology almost becoming an alert factory for people trying to do security every day to be security practitioners. And so I think there's actually a responsibility that the technology providers have to take in thinking about, does the product that I'm building and delivering to solve a problem for an organization, do we ensure it doesn't create more problems for the practitioner that has to use it. I don't think today that's part of how the building of those products is rationalized. And actually, I think somehow this has become completely divorced from the skills shortage when actually they're completely intertwined, and I think that's the thing that the industry needs to take a long hard look at itself in order to help organizations be able to maximize the skills and capabilities of their people.
Well, I mean actually talking about sort of new skills and areas and thinking ahead and digital assets is obviously a topic that we discuss a lot and you know, sort of moving beyond people stealing NFTs of monkeys and so on. As somebody working in protecting the digital asset space, coming on from that last point, sort of. Where do you see the security sector moving? How do you secure digital assets?
So at the risk of showing my age, I remember a time when we were just beginning to discuss the prevalence of threats using things like SEO poison. And effectively using the tools that marketers use today to get you to go to websites. But using those tools to drive people to websites and drive by attacks were the latest thing. Then there were thousands of them, and then how are we ever going to cope? And I remember that moment in time and, this is where we are today, it feels very similar to that actually. So you know, don't we have already quite a large volume of documented attacks on digital assets, specifically in the first part of 2022, last year, something like 400 billion worth of crypto or digital assets were stolen. It feels like we are at the beginning of an upward curve of attacks on digital assets, and I want to separate that from scams, rug pulls like those are sort of inherent challenges in the crypto industry, and you know, like my Nan would say, that's not for here and that's fine. But thinking about how people are being attacked, we're seeing a lot of phishing. We're seeing now a lot of specialized malware that targets wallets, so an example I could give you, there's a bit of malware called Clipminer and basically all it does is install itself onto systems and look for wallet addresses in the clipboard and we've seen that targeted at individuals who work in crypto businesses for example and because of the open nature of the way blockchain technology works, it opens us up to those kinds of threats.
I think what's more interesting is we're seeing the bridge now being built between traditional financial services organizations looking to implement crypto and blockchain technologies. Now that may be to service their customers, or it may be ledger technology that helps them internally. But the more of that we see, the more attack surface that that creates and therefore the more risk that creates. And of course, and to go back to what we were just talking about, a lack of skills and understanding in that area makes that threat surface worse. Even in the context of everything that's happened over the last four weeks, and whether it's a crypto winter or not, I am sure that traditional financial services organizations are looking to find ways to make crypto assets part of offerings to their customers. If they are going to look to do that, they must consider how is that risk managed. How is that threat surface understood? How are we ensuring that we're giving our consumers the best possible protection in order for us to be able to make that next step into the mainstream. So those are the things that we think about in the context of digital assets.
And on slightly a more positive note, we're interested to hear from your perspective what those technologies you see are emerging to counter some of these threats.
The irony is we are seeing a lot of advanced technology and while institutions are trying to use them to protect themselves, criminals are trying to use them to create more sophisticated solutions for, you know, for committing crimes like cyber-crime. Let me concentrate on what institutions are doing to protect themselves.
So yes, definitely, I think the liveness detection that you mentioned, this comes with dynamic biometrics, so if I have to talk about the emerging solutions, there's so much going on but I’ll talk about the top three.
One is of course you know the secure authentication, in which dynamic biometrics is one of the methods there, earlier it was just static images. For example, just your face, but then that started getting spoofed so people were using high resolution images and from there we have now moved on to dynamic biometrics where it's a selfie or even it's a static image, but there's a liveness check that the person himself or herself is in front of the device and taking the picture so that liveness check.
And then now we also moved on to several other kinds of detection. For example, earlier there was the IP address check, but then criminals started masking the IP addresses to proxies or VPNs. So now we've moved on from IP address checks to geolocation checks to see the actual customer’s location. Also, we have device fingerprinting now, so that the device that is being used by the customer has to be trusted and even if that device is stolen by somebody and it's being used, then there is behavioral biometrics, which works in the background. That is the way your customer was originally using that device, the angle at which it was held, the speed of scrolling or clicking or even the keystroke dynamics. So all of these together they form the secure authentication and then of course there are bot attack defenders which can detect if it is actually a bot or the human.
So there are so many kinds of authentication that goes on, something on the user interface itself, and a lot of it in the background. So there is definitely a lot of advancement in the authentication space where earlier it was more of ID and passwords, so that is about the stronger authentication.
The second I think is about enabling a multilayer defense, so moving on from only the credential check. Now there are defenses around your network so there is security built around your network. Then there is the device, then application and then comes your account that's your banking account or the card account. But at each level there are again multiple attributes that are being checked.
What happens is right from the moment that a customer or criminal tries to log in until the time that actual transaction is executed there's a network layer, device layer, application layer, and the account layer and multiple attributes we want to check whether this is the genuine customer who's doing a transaction, or if it is an identity theft or fraudulent cyber-crime attack.
So the multi-layer defense what happens is at every layer there is incremental data that is collected by the solution. And even before execution, it can be identified, so these are real time solutions which can identify that this could be a fraud and it could take a decision there based on the risk scoring of the transaction and the event, it can stop the transaction there if it identifies it as a fraudulent transaction. So this was about the multi layer defense.
And the third one which we are talking a lot about these days is about zero trust access. So this is a bit different from the traditional, you know trusted access, because for example the corporate boundaries, they had a certain perimeter, so we were all working in our network. So once our devices or the user is trusted within that perimeter within that network, then you can continuously do work within that space. But now the environment in which we work has become so complicated. We are accessing cloud applications, using mobile devices, personal devices which may be IoT connected. We are doing remote work so there is a lot of interconnected nature. Then of course there is IoT itself that connects us to so many other different devices. So that border has dissolved completely. So where is that border to trust? That is why we are now moving towards zero trust access where nothing is trusted but verified every time. And this is the principle which is being adopted more strongly. So our time is limited and we could go on and on, but these are some of the advanced technology solutions which are using a lot of real time detection, advanced protection, secure authentication to prevent and detect such cyber-crimes to the extent possible.
Thank you and just one more before I open up to Q&A, Samantha. I was actually just going to go back to what you're saying about state sponsored attacks and was curious from your perspective around the role of the central government in protecting against cyber-crime and sort of where that fits in with the financial services sector.
Yes, I think governments play a significant role actually in tackling cyber-crime, both in the sort of short-term sense that they work with law enforcement to track and identify offenders, but also through a longer-term sense of setting a strategy for individual countries in cyberspace and embedding practices which help develop cyber skills for the future.
So, firstly central governments play the role of facilitator coordinator, don't they? For example, they support information sharing activities between themselves across private sector entities and have the convening power ready to get the right people together into those conversations. There are a number of such groups which we actively participate in, and they include Bank of England cross market operational resilience groups and the National Cyber Security Centre's ICS supply Chain working group, which also allows us to share with and learn best practice across the industry.
And secondly, they have the ability to influence broader education and training policy. Central government can also influence the role of skills development as we've been talking about and a great example of this is the national cyber security Cyber First Program which sets the agenda for encouraging participation in STEM. So that's certain science, technology, engineering, and math subjects from a young age and providing exposure to cyber security and potential career paths at the appropriate point and time. And then outlining a consistent curriculum framework for learning about cyber security, through the cyber body of knowledge and allowing academic institutions to align their teaching and research to a number of central themes and subject areas and supporting consistency in teaching and training that is provided. Similarly in Hong Kong, we see that the HKMA, the Hong Kong regulators Cyber Security Fortification Initiative has a professional development program, a certification and training scheme for cyber professionals designed with key banking industry and research situation stakeholders and their aim is to upskill cyber practitioners and enhance technical capabilities across the industry.
And then finally, central governments can support standards and best practice within industry through regulatory bodies. For example, we see that the Bank of England led the way globally on operational resilience requirements. So, we're you know, doing exercises like the quantum series which brings together law enforcement, financial industry and central government that represents North Asia, Europe and America and provides a very practical opportunity for us to rehearse our incident response mechanisms, developing and pushing forward best practices collaboratively. So, clarity of requirements and ongoing engagement in open and honest way with regulators is obviously a key priority for us and we welcome the same approach from our regulatory counterparts. And of course, the ongoing challenge for us is to have to do this across our footprint of 50 countries. So where possible you know we welcome harmonization between regulatory governments across the globe. So, there is a huge role for the government to play.
Thank you. I'd like to open the floor to any questions.
Hello, I had a question about the Metaverse. So, with financial services companies wanting to enhance their customer experience using it. What do you feel the implications of that and cyber security? Because I feel like that's probably the next wave that's going to be coming up right now if that's something that you guys haven't been looking into.
One of the blessings and curses of blockchain technology, which is fundamentally what we're talking about, the metaverse, that's the foundation that it's built on, right? It's great that it's open and it means that it can be used in lots of similar but different ways across different kinds of organizations. But what it also means is that as an attack vector, it's straightforward.
Now the other thing we should say is that the blockchain itself is inherently massively secure. That's not the problem. If no humans use the blockchain, it'd be brilliant with a perfect system. But the problem is of course humans will be inserted into these systems just like every other system that we've ever invented. And so, I think there are challenges around identity which we've already alluded to. Those challenges remain the same, because in order to operate at a level where someone has a digital self inside a system like that, that means that their identity has to exist inside that system, and that then creates a whole ton more security challenges. So those are the things that for me, those are the things that are most important.
For example, connection of someone's digital identity to a wallet that contains virtual or digital assets of some type is an amazing vision of the future, dripping with risk and security challenges. And I don't think we are yet in a place where we've truly understood what that future looks like. And so therefore, what are the risks that we potentially would need to address? And like every forward-thinking new technology, security is not yet really the consideration that it should be, and the example that I would give there is virtualization. So when we started doing virtualization, we're like, this is amazing, we can set up servers wherever we like, whenever we want to, and engineers were going mad doing exactly that. Then some clever person in security realized, hang on a minute, this is creating an entire service that we have no knowledge of, why did we not think of that? And we didn't think of it because we were caught up in the benefits of the new technology. And that's the thing that we have to keep in mind. So as traditional financial services institutions, particularly organizations start to look to make that move, security has got to be baked into those conversations, we've got to bring the things that financial services are great at, understanding of risk, you know, compliance, protection of consumers. We've got to bring those mindsets into the Metaverse. Not very sexy, but we have to do it in order for consumers to be ready to make the leap, because the reality is, mass adoption of the Metaverse, crypto, however you want to define it, is not going to happen without that confidence, and that's what consumers need. That's what financial services can help to bring.
Sujata, are these discussions about the Metaverse something that you're having with clients? Is that a thing that comes up a lot now?
Well, I have not reached that stage yet, so no, I'm not discussing Metaverse yet, so I'm still catching up.
Fair enough, Samantha. I don't know if Standard Chartered is discussing metaverse in great detail at this point.
I think you know Chris has summed it up nicely, but what I would say is that new technologies provide both new risks and opportunities, don't they? You know, we've got it's kind of a double-edged sword here. And you know, we can be harnessed and trying to enhance what we're doing so one of the things that we're doing from a risk perspective is we're looking at shifting our focus to cyber-attacks. We're looking at reducing our inherent risk with complementing our existing processes that manage our residual risk so I think in all that we're doing with all of these new technologies, what we’re looking at is, what is the risk around this? How do we factor that into our cyber-attack surface and then produce mitigating action to protect the organization.
Brilliant. Are there any more questions from the audience at this point?
I'll actually lead on the next question about consumer attitude. How have you seen consumer behavior and trust affected by these attacks?
I'm going to use crypto with a small C. Is this a place where we sit down and we say, you know, my name is Chris and I'm not massively into crypto? I mean, I’m into crypto a bit, but I think a lot of people are into crypto a bit. I think a lot of people are like me, we define these people as the crypto curious, right? It could be something you could use it for something we could use it to buy stuff eventually, we could use it to make the world financial system flatter and more accessible, and is that something that the financial services industry should want to be part of? Like to be able to access a completely untapped market in, I don't know, Sub-Saharan Africa? All of that stuff is hugely exciting in the context of what blockchain and crypto with a small C technology can offer.
But whilst adoption is rapid, it's not as rapid as people think, and my personal view is it will hit a chasm where people like me will say, and we've done research that proves actually, I'm only prepared to invest what I can risk losing, so I'm actually never going to get to a point where there's trust enough for me to think that this is a place where I would make significant investments. Now there's work that we can do across industries as we begin to implement and see the obviously ultimate value of these technologies. But consumer trust as part of that is enormous. It is in fact everything, and one of the things that you know we talked a little bit about government intervention and regulation, one of the things that's kind of sad is that in a lot of the proposed regulation around crypto today there is big talk of, how do we stop crypto being used to launder money as the proceeds of cyber-crime? So for example, the EU regulation has 16 mentions of how we deal with cyber criminals using cryptocurrency. In terms of mentions of how consumers are protected, how their investments are protected, four. What that says to me is that there is a fundamental uneasiness around what crypto is by those mapping out that regulation. Maybe we need to reframe it as, how do we regulate use of blockchain technology as opposed to focusing on crypto assets as investments for example? But I think those are just some of the concerns around consumer protection, ensuring consumers get the protections that they deserve, because although they're not using a traditional financial services approach that is still an investment they've made, that's still their asset. They're still a citizen of your country and I think we do have to start thinking bigger about how we protect consumers, to build that trust so that these options become attractive to larger financial services institutions and these things begin to go mainstream.
But I think we're some way from that, unfortunately, I would say.
And you know Samantha as the larger financial institution just thinking about consumer trust and cyber security, obviously, that's a big part of your job. How do you see this changing over time?
With consumers, we're seeing attitudes and behaviors of consumers vary across the continents, regions and countries, obviously, as a global organization. My sense is that there's a growing proportion of consumers that are becoming increasingly aware of valuing more privacy for their data and the cyber security of the companies they choose to bank or invest with. There is research to suggest that this is the case, but again it's slightly limited. So, for example, a survey of nearly 2000 users in America, the UK, France and Germany in 2020 found that nearly 90% of the respondents will research into the trustworthiness of a business prior to purchasing their product or service, and that 59% of consumers would likely avoid doing business with that organization if they’d experienced a cyber-attack in the past year, and you can see that in the security magazine, in 2020.
But despite this, we need to continue to support customers to understand security risk themselves. Including, you know, supporting them with tips and easy to implement actions which could be impactful for them. For example in 2021, IBM research found that in a survey of 22,000 people, 82% of respondents admitted that they reuse the same credentials in online accounts and you know we read about this, don't we? But yet still people are doing that very basic thing that they could change to make themselves that slightly more secure, and should a breach occur of, you know, one of the websites for which these users employ these credentials, they obviously get compromised on other platforms relatively easily. So, just an example of one small change they could make to support their security. And we also have to realize that we need to provide the right balance of security and user experience. Because the poor interaction with our products or services could also damage that customer’s view of our brand.
Thank you, and Sujata, we have just about a minute, so just very quickly, do you have any last thoughts on consumer attitudes?
OK, so I'm saying that I agree with Samantha there, that you know consumers are getting more aware of their data security and I don't think people would now do online transactions or even browsing to a great extent or filling up details of online forms when they are in a public network. I think the most trusted networks we now know are your office network, home network that even your mobile data provides them. But we do not do the other, say financial transactions or even filling out your online forms, providing your personal details. So, I think that kind of awareness has definitely increased and if we hear that there has been some data breach with some organization, or say even a store, because we understand that all of these data are interconnected, so the data breach may have been with some, say telecom provider, but then that data we know it has a lot of my personal details which will be used for taking over my bank account. So, if such a situation occurs where I know that my data is there with a particular organization, which has been breached, I would probably stop being a customer there and switch or not engage with that organization anymore. So I think this kind of awareness and trends are something that we are seeing because we are hearing so much more about data breaches and how they affect the general consumer, because ultimately consumers also lose a lot of money through these online frauds. But we are also seeing that while financial institutions are doing a lot to include a lot of say, fraud detection or security in the customer journey, probably customers still want a frictionless experience so that is a trade off that we still have to balance.
Perfect, well, thank you so much. We're out of time, unfortunately, but thank you to Chris, Sujata, Samantha. It's been a real pleasure, thank you to everyone here and virtually.