A primer on various threats looming over financial companies and the steps that these organizations can take to counter them.
Companies operating in the financial services industry aren’t by any means strangers to being targeted by various forms of financial crimes and fraud. However, over time, the playing field has changed and threat actors have adapted their tactics to better suit the digital world. Cybercriminals now use different flavors of fraud and extortion as well as directly breach companies to line their pockets.
The seriousness of the threat cybercrime poses to businesses offering financial services can be illustrated by the cost of a data breach in the financial industry. According to IBM’s Cost of a Data Breach 2020 report, the average cost of a data breach in the financial services sector was US$5.85 million compared to US$3.86 million across respondents in all sectors in its survey.
Furthermore, the financial sector remains an attractive target for bad actors, especially due to the type and amount of information it collects from its customers. In the event of a successful breach, the data could be used to commit identity fraud or sold on dark web marketplaces, which could lead to reputational damage to the entity that was breached as well as possible reputational and monetary damages to the affected customers.
Verizon’s 2020 Data Breach Investigations Report estimates that 63% of attacks carried out against financial institutions are done by external threat actors motivated by monetary gain. In these cases, organizations can expect that cybercriminals will employ credential-stuffing attacks, social engineering attacks, fraud, DDoS attacks, and malware.
The COVID-19 pandemic has exacerbated the risks, especially because many companies were forced to shift to working remotely – a move that introduces its own set of challenges. Since the shift was so sudden, companies may not have had enough time to properly institute cybersecurity policies that would deal with possible weak points due to employees suddenly working from home.
There’s a clear need for organizations to bolster their security measures to mitigate the chances of falling victim to the myriad attacks launched their way. Indeed, a recent ESET survey among 10,000 consumers and senior business leaders in various parts of the world revealed that 45% of the businesses had experienced a breach.
The human aspect
Employees are the cornerstones of their organizations; there should be little doubt about that. However, as the age-old adage goes, “to err is human”. The IBM report found that human error is one of the three major root causes of data breaches, accounting for 23% of breaches.
The mistakes committed by employees can take a variety of forms – they can fall victim to phishing or more targeted social engineering attacks, or they could misconfigure a system. The first two mistakes are particularly threatening due to the pandemic-powered shift to remote work. Since companies were not prepared for the rapid and unexpected transition, instead of being able to deploy a well-thought-out plan, many were forced to act reactively, which led to newly-minted remote workers not receiving any additional cybersecurity training.
Attackers could also turn to one of the most financially damaging online crimes – the business email compromise (BEC) scam. In a BEC attack, the black hat contacts the victim from the compromised email account of a more senior staff member, or of a staff member at a business partner, asking them to perform a seemingly legitimate task such as purchasing and sending items or wiring a payment; however, instead of a legitimate delivery address or bank account, the fraudster substitutes their own, defrauding the company out of money. Alternatively, targets may receive a fraudulent email containing a link or attachment hiding malware, which if downloaded will infect their computer and may even spread across the network.
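Because the BEC email arrives from a genuinely compromised mailbox, sender checks alone do not catch it; what does change is the beneficiary account. The following is an added example (not ESET's code) of a payment-review check that compares each request against previously verified vendor details and holds anything that differs for out-of-band confirmation. The vendor master records and requests are constructed for illustration, and the IBAN-style values are placeholders.

```python
"""Hold payment requests whose beneficiary details differ from the vendor
master record, so a human confirms them with a known contact by phone rather
than by replying to the requesting email.
Added example; vendor records and requests below are constructed."""
from dataclasses import dataclass

# Constructed vendor master file: the bank details the company has previously
# verified for each supplier (placeholder values, not real accounts).
VENDOR_MASTER = {
    "acme-supplies": {"iban": "GB00EXAM00000000000001",
                      "email_domain": "acme-supplies.example"},
    "globex-ltd": {"iban": "GB00EXAM00000000000002",
                   "email_domain": "globex.example"},
}


@dataclass
class PaymentRequest:
    vendor_id: str
    requested_iban: str
    requester_email: str
    amount: float
    urgent: bool  # "please wire today" pressure is a common BEC tell


def review_payment(req, master=VENDOR_MASTER):
    """Return (decision, reasons); decision is 'ok' or 'hold'.

    'hold' means the request must be verified out of band before payment.
    A compromised mailbox passes the domain check, so the account comparison
    is the check that matters against the scenario described in the text."""
    reasons = []
    record = master.get(req.vendor_id)
    if record is None:
        reasons.append("unknown vendor")
    else:
        if req.requested_iban != record["iban"]:
            reasons.append("beneficiary account differs from vendor master")
        domain = req.requester_email.rsplit("@", 1)[-1].lower()
        if domain != record["email_domain"]:
            reasons.append(f"request came from {domain}, "
                           f"expected {record['email_domain']}")
    if req.urgent and reasons:
        reasons.append("urgency combined with changed details")
    return ("hold" if reasons else "ok"), reasons


if __name__ == "__main__":
    # Constructed request: same vendor, same sender domain, different account.
    suspicious = PaymentRequest("acme-supplies", "GB00EXAM00000000000009",
                                "ap@acme-supplies.example", 1200.0, True)
    print(review_payment(suspicious))
```

The check deliberately treats an unknown vendor the same way as a changed account: both are held until someone confirms the details through a channel the attacker does not control.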
To mitigate the chances of any of these scenarios happening, companies should provide proper cybersecurity training to their employees. Exercises where employees are taught how to spot phishing or social engineering attempts should be conducted routinely. Additionally, a good measure would be to regularly provide workers with tips for safe and secure remote working, as well as with guidance on how to communicate using videoconferencing tools with security in mind, or how to access the company’s systems remotely in a secure manner.
By taking the necessary measures now, the company can protect itself from incurring monetary and reputational damage in the future. An additional perk is that these cybersecurity practices will prove useful long after the pandemic has passed, since not everyone will be eager to switch back to working from the office.
The technical factor
While educating your employees is an important aspect of boosting your cybersecurity, it is just one piece of a larger puzzle. The brunt of the defense against cyberthreats should be shouldered by technical solutions implemented throughout your business infrastructure. Although some may question the need to invest hefty sums, it is always better to hope for the best but plan for the worst. According to the ESET survey, 28% of businesses are not actively investing in new technologies to help secure finances or at least don’t know if they are.
Every company, no matter its size, should have a business continuity plan in place in case a cyberattack occurs. A proper plan should always include data backups and, if budgeting allows it, a whole backup infrastructure; these can come in handy, especially if a ransomware attack occurs. However, for the backups to be effective, they must be both updated regularly and tested frequently to ensure that they are operating properly.
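The paragraph's point that backups must be both current and tested is easy to state and easy to neglect. As an added example (not ESET's code), the script below checks a backup set three ways: freshness against a retention policy, integrity against a checksum manifest, and a trial restore into a scratch directory. The directory layout, the `manifest.json` format and the 24-hour policy are assumptions, and the sample backup it builds is constructed data.

```python
"""Check that a backup set is fresh, intact and restorable.
Added example; directory layout, manifest format and policy are assumptions."""
import hashlib
import json
import os
import shutil
import tempfile
import time

MAX_AGE_SECONDS = 24 * 3600  # assumed policy: a daily backup must be under a day old


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(backup_dir, now=None):
    """Return {'ok': bool, 'problems': [...]}; ok only when every check passes."""
    now = time.time() if now is None else now
    problems = []
    manifest_path = os.path.join(backup_dir, "manifest.json")
    if not os.path.exists(manifest_path):
        return {"ok": False, "problems": ["manifest missing"]}
    with open(manifest_path) as f:
        manifest = json.load(f)
    # Freshness: a job that silently stopped running is as bad as no backup.
    if now - manifest["created"] > MAX_AGE_SECONDS:
        problems.append("backup older than policy allows")
    # Integrity: every listed file must exist and hash to the recorded digest.
    for name, digest in manifest["files"].items():
        p = os.path.join(backup_dir, name)
        if not os.path.exists(p):
            problems.append(f"{name} missing")
        elif sha256_of(p) != digest:
            problems.append(f"{name} corrupted")
    # Restore test: copy into a scratch directory and re-verify, so the check
    # exercises the same path an operator would follow after an incident.
    if not problems:
        scratch = tempfile.mkdtemp()
        try:
            for name, digest in manifest["files"].items():
                dst = os.path.join(scratch, name)
                shutil.copy2(os.path.join(backup_dir, name), dst)
                if sha256_of(dst) != digest:
                    problems.append(f"{name} failed restore test")
        finally:
            shutil.rmtree(scratch)
    return {"ok": not problems, "problems": problems}


def make_sample_backup(age_seconds=0, corrupt=False):
    """Build a constructed backup set in a temp directory and return its path.
    age_seconds back-dates the manifest; corrupt damages one file after hashing."""
    directory = tempfile.mkdtemp()
    files = {"ledger.csv": b"id,amount\n1,100\n",
             "customers.csv": b"id,name\n1,Example\n"}
    manifest = {"created": time.time() - age_seconds, "files": {}}
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
        manifest["files"][name] = hashlib.sha256(data).hexdigest()
    if corrupt:
        with open(os.path.join(directory, "ledger.csv"), "ab") as f:
            f.write(b"garbage")
    with open(os.path.join(directory, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return directory


if __name__ == "__main__":
    print(verify_backup(make_sample_backup()))
    print(verify_backup(make_sample_backup(age_seconds=3 * 86400)))
```

Running this on a schedule and alerting when `ok` is false turns "backups exist" into "backups were restorable this morning", which is the property that matters during a ransomware incident.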
All of your operating systems and software should be updated and patched regularly. If you employ a professional or have a department dedicated to cybersecurity, they will most probably manage these updates themselves or set up your systems in a way that will automatically update to the newest version available. The same should be done if your systems are managed by a third-party service. The importance of this step shouldn’t be underestimated, considering how much havoc has been wrought thanks to the infamous WannaCryptor, also known as WannaCry, that propagated via unpatched machines.
Distributed denial-of-service (DDoS) attacks, which aim to cripple a target’s ability to provide services, are another threat companies may have to contend with. If a company becomes the victim of a DDoS attack, its systems will be flooded with requests, which will overwhelm its website(s) and take them offline. This could easily translate into hundreds of thousands of dollars in lost revenue for the targeted business. To lower the chances of that happening, companies should enlist the help of DDoS mitigation services as well as use an internet service provider that has sufficient bandwidth, equipment, and skills to handle such attacks and throttle the influx of bad traffic.
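"Throttle the influx of bad traffic" usually means some form of per-source rate limiting in front of the service. The token-bucket limiter below is an added example (not ESET's code, and a simplification of what a mitigation provider runs) showing how such a control lets a normal client through untouched while shedding most of a flood from a single source. The traffic log is constructed: one client at one request per second and one source at a hundred per second, using documentation-reserved IP addresses.

```python
"""Per-source token-bucket throttling over a constructed request log.
Added example; rate and burst values are assumptions, not a recommendation."""
from collections import defaultdict


class TokenBucket:
    """Each source earns `rate` tokens per second up to `burst`; a request
    is served only if a token is available, otherwise it is dropped."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def throttle(requests, rate=5.0, burst=10):
    """requests: iterable of (timestamp_seconds, source_ip).
    Returns {source_ip: {'allowed': n, 'dropped': m}}."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, src in sorted(requests):
        key = "allowed" if buckets[src].allow(ts) else "dropped"
        stats[src][key] += 1
    return {src: dict(counts) for src, counts in stats.items()}


def sample_log():
    """Constructed traffic: one client at 1 request/s for 20 s, one source
    flooding at 100 requests/s over the same 20 s (2000 requests)."""
    legit = [(float(t), "203.0.113.5") for t in range(20)]
    flood = [(i / 100.0, "198.51.100.7") for i in range(2000)]
    return legit + flood


if __name__ == "__main__":
    for src, counts in throttle(sample_log()).items():
        print(src, counts)
```

With a 5 request/s rate and a burst of 10, the flooding source gets roughly 110 of its 2000 requests through over the 20-second window while the ordinary client is never dropped. Real distributed attacks spread load across many sources, which is why the text recommends an upstream mitigation service with the bandwidth to absorb traffic before it reaches the limiter at all.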
While financial organizations remain lucrative targets for most cybercriminals, they can still ramp up their defenses enough to mitigate the possibility of falling victim to most threats. However, to build sufficiently strong defense mechanisms, companies need to take a holistic and balanced approach, investing in employee training, adequate technological solutions, and business continuity plans alike.
written by Amer Owaida, ESET We Live Security