Banks and financial institutions are responsible for customers’ money and sensitive financial information and are held to a higher standard for security. Data breaches can have severe consequences and cost a bank much more than just stolen information or funds. A cyberattack can significantly damage a company’s reputation, tarnishing its image for years and costing it customers over time.
A successful data breach also diverts time and resources from a bank’s usual operations to fix the problem. Banks have a lot to lose from a breach, but fortunately there is also a lot they can do to protect their data and the data of their customers. To do so, they must understand the nature of cyberattacks in the financial services industry and what security measures will most effectively reduce their risks.
According to Verizon’s 2019 Data Breach Investigations Report (DBIR), 88 per cent of all cyber incidents within the financial services and insurance industries were financially motivated. Cyber attackers look for the easiest path possible to financial gain and the financial services industry can be a cash cow.
Within the space, many cyberattacks target web applications (like cloud-based email) with the use of phishing and stolen credentials. Threat actors send phishing scams to trick users into sharing their email credentials and then use these stolen credentials to access the email account and other company systems. From there, the attacker can send fraudulent emails to customers and request funds from other employees.
Phishing has been a security concern for years, but the threat continues to evolve. It’s not just rank-and-file employees who get caught in these scams – C-level executives are increasingly the targets of phishing attacks. The DBIR found that senior executives were twelve times more likely to be the target of a phishing attempt than in previous years. Click-through rates on phishing links are declining (in test simulations, rates fell from 24 per cent to 3 per cent in the past seven years) but research shows that mobile users are more susceptible to phishing.
Social engineering attacks remain rife in India. In fact, together with malware and stolen credentials, these three threats are responsible for close to 80 to 90 per cent of breaches.
Cyber attackers also steal credentials or compromise financial accounts via banking Trojan botnets – malware designed to capture login details and steal information. Denial of Service (DoS) attacks are now common and are used by attackers to disrupt services by flooding the bandwidth of a system to overload it. These kinds of attacks are pervasive – data shows over 40,000 breaches in the financial sector associated with botnets and 575 DoS incidents.
While the majority of breaches in the financial services industry are perpetrated by external actors (72 per cent of threat actors are external), privilege misuse and miscellaneous errors by internal actors are also common. Misuse is characterized as the unapproved or malicious use of organizational resources. Employees may misuse their access for personal gain – either to steal money directly or to take sensitive information to give them an advantage at another company. Internal actor involvement in a data breach, however, does not necessarily indicate malicious intentions. Miscellaneous errors include incidents in which unintentional actions result in a security compromise, such as misconfiguring servers to allow for unwanted access or publishing data to a server that should not have been accessible by all site viewers.
Physical attacks against ATMs and card-present breaches involving point-of-sale environments continue to decline, at least in part because of the progress made in the implementation of chip and PIN payment technology. While it is much less common for cards to be skimmed at a cash register, banks and retailers must now combat malware attacks on e-commerce applications that gather users’ payment information.
The good news is financial service organizations can take several steps to lower their risk of a data breach and defend against different means of attack common in their industry. The cybersecurity measures and methods that financial companies should consider include:
• Phishing prevention: Hold frequent training so that employees can recognize and avoid phishing scams, and give them an easy way to report phishing attempts. The majority of phishing emails are most successful in the first hour, so a good reporting system can prevent future clicks by alerting the entire organization of a phishing attempt early on. Looking beyond employees, banks can also spread security awareness to customers on the prevalence and danger of phishing.
• Two-factor authentication (2FA): Financial companies should use two-factor authentication on customer-facing applications and any cloud-based email accounts. With 2FA, even if bad actors steal a set of credentials, they can’t easily access the system because it requires additional information to authorize access.
• Monitor system access: To avoid and detect privilege misuse, banks should monitor and log employee access to sensitive financial data. They should make it clear to employees that system activities are supervised for fraudulent transactions.
• Malware monitoring and protection: Financial services organizations should monitor their systems for suspicious behaviours that indicate a botnet or DoS attack or the presence of malware. Additionally, they should ensure that they have adequate protection against these attacks by implementing anti-malware defenses.
Companies can reduce their risk of cyberattack by remaining vigilant about system activity and access, implementing authentication safeguards and training employees to be aware of phishing attempts. These security measures can help financial services companies avoid falling victim to data breaches and keep their customers – and their money – safe from cyberattacks.
By Robert Le Busque, Managing Director, Verizon