CTO at Clearswift, Dr. Guy Bunker, discusses his views on the top threats to finance and how to mitigate them.
Recent reports show that cyber-attacks on the financial services sector rose fivefold in 2018, and in April 2018 seven of the UK's biggest banks suffered major cyber-attacks that forced them to reduce operations or even shut down systems. The cyber threatscape is ever-evolving, and financial institutions are being targeted by cyber-criminals in new ways because of the increasingly significant value of financial data. It is therefore vital that financial institutions are not only aware of the rising threats from malicious cyber-criminals but also go above and beyond to secure their critical data.
Today’s cyber-criminal is unlikely to be an individual, and is more likely to be part of a gang of highly trained people who will buy and sell the information they collect on the dark web, as well as information on vulnerabilities they find in the networks they are attacking. The software they use will typically be multi-purpose and ‘commercialised’ by other cyber-gangs. This is no longer the era of a ‘hacker’ in the back-bedroom trying to make a name for themselves; cyber-crime is big business and, unfortunately, growing.
Email is a gateway to data theft
One of the most significant risks to financial sector organisations is loss of customer data. Cyber-criminals target financial institutions in the hope of stealing customer data such as account details with credit/debit card details, including CVV numbers, social security numbers and other private financial details. While there are multiple ways in which this information can be maliciously obtained, the most prominent today are phishing emails or links in both corporate and personal email. Cyber-criminals use seemingly innocent emails and links to hide malicious code that, once activated, can compromise the individual and then use their credentials to gain access to entire databases of critical data. In-depth access to transactional financial information gives cyber-attackers a wealth of opportunities to make money, either by stealing from customers themselves (if they gain access to card details) or by holding the information to ransom. In the case of ransomware, whole systems and network drives can be held to ransom because the data is encrypted.
When it comes to data breaches, there is a multitude of different pieces of financial legislation which can be used to impose fines, including the ever-present GDPR with its huge fines of up to €20 million, or 4% of global turnover, that can be levied against firms who breach the regulations. While the maximum fine has yet to be imposed, the values are rising, so it is only a matter of time.
New innovations bring new threats
New assets being introduced into the financial space – such as bonds, bitcoins and other forms of crypto-currency – are also targeted by cyber-criminals and, with less traceability in these new technologies, are becoming increasingly popular targets. Anonymity is one of the primary reasons bitcoin became so popular with users; however, that is also why it’s popular with cyber-criminals. It is the payment option of choice for ransomware but is also a target in and of itself. Bitcoin lets customers store their currencies remotely in offline wallets and initially appears to be more secure because cyber-criminals can’t easily attack the decentralised network. However, they are finding new ways to get around this to attack the source, including installing keylogger malware on devices in order to find the access codes. There have been a number of instances where financial institutions using bitcoin have been attacked by cyber-criminals looking to gain access to codes to wallets – and succeeded, including Zaif, Mt. Gox and Coincheck. Needless to say, this doesn’t just put the customer and their funds at risk, it also jeopardizes the financial organisation's reputation and its whole asset base. The crossover and interorganizational complexity of transactions across new and old financial institutions in the future will continue to create opportunity for cyber-criminals if they are not addressed upfront and continuously monitored.
Cyber-criminals are going under the radar
However, it is not just ‘obvious’ account data which is of value; other information can also be sold to competitors or on the dark web for other cyber-gangs or hacktivists to use. Corporate espionage is nothing new, but the Internet has opened the door for attacks from anywhere. Spear-phishing, where cyber-criminals target individual employees and use any and all the information they can find online to build trust, is commonplace. They will also target personal email, with a view that the individual will open it while on a corporate device on the corporate network. Imagine an innocuous-looking weaponised document entitled “Job offer”: wouldn’t you open it?
Business Email Compromise (BEC) is also growing, where cyber-criminals pose as the CEO of a company, spoofing their email address, and send emails with criminal intent: for example, asking for fake invoices to be paid, or requesting information on exchange rates from bank tellers in a certain region. In the case of the latter, the information can be sold on to competitors in order to gain commercial advantage. It’s not just the CEO; all the executive team can be targeted for impersonation. For example, the Head of HR could request information on employees. A list of all employees and their salaries puts the entire organization at risk, and not just of fines from a data breach. Staff poaching and reputational damage will also be a major issue.
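The kind of check a mail gateway can apply to the executive impersonation described above, as an added example that is not from the original article or any vendor's product. The corporate domain, the executive names and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical values: replace with the organisation's own domain and executives.
CORPORATE_DOMAIN = "examplebank.test"
EXECUTIVES = {"jane doe", "john smith"}

# Constructed sample messages (not real traffic).
SPOOFED = (
    "From: Jane Doe <jane.doe@examplebank-payments.test>\n"
    "Reply-To: accounts@mailbox.test\n"
    "Subject: Urgent invoice\n\n"
    "Please pay the attached invoice today.\n"
)
GENUINE = (
    "From: Jane Doe <jane.doe@examplebank.test>\n"
    "Subject: Board pack\n\n"
    "Slides attached.\n"
)

def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rpartition("@")[2].lower()

def bec_flags(raw_message):
    """Return the reasons a message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    flags = []
    # Normalise case and whitespace before comparing the display name.
    name = " ".join(display.lower().split())
    if name in EXECUTIVES and domain_of(from_addr) != CORPORATE_DOMAIN:
        flags.append("executive display name from external domain")
    # Replies silently diverted to another domain are a common BEC trait.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        flags.append("Reply-To domain differs from From domain")
    return flags

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, bec_flags(raw))
```

This catches display-name and lookalike-domain impersonation only; a message that forges the exact corporate address has to be rejected by sender authentication (SPF, DKIM and DMARC).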
Preparation is key
So how can financial institutions protect themselves against this plethora of threats? Firstly, education is vital. From the bank tellers to the security team, everyone needs to understand the current cyber security threats, what they look like and how best to protect against them. Data breaches can come from anywhere. Even simple tasks such as opening emails, clicking a link or downloading a file can result in a breach, which can therefore be directly or indirectly caused by any member of staff, no matter what their role. Every employee in a financial organisation needs ongoing training and education to teach them about the latest threats and what to do should they think they have been targeted or fallen for one.
It has recently been reported that financial institutions are 300 times more likely to be subject to a cyber-attack than other industries. Detailed processes need to be in place for all employees to follow if there has been an incident, and the correct protocol must be followed. Don’t shoot the messenger. The organization needs to encourage employees to report incidents no matter how small they think they might be. We are all human and, if a mistake has been made, it’s better to know about it sooner rather than later. If there has been a data breach, then timely communication, including to customers, is essential as part of the process to resolve the incident. Ignorance is not bliss.
With the average cyber-attack costing $1 million, it is vital to have cost-effective preventative measures in place. Financial organisations cannot stop working with data because of the cyber risk attached, so technology needs to be in place to underpin security. Today’s email and web solutions can provide extra layers of threat detection and prevention against the new generation of information-borne threats with functionality such as document sanitization. Automatic redaction based on both content and context, meanwhile, will help prevent exfiltration of data into unauthorised hands, whether it is sending the wrong information to the right person or sending any information to an unauthorised recipient. The latest security solutions create a seamless safety net to protect data and employees on a day-to-day basis.
Although cyber threats are undoubtedly growing, financial institutions need to be aware of the new threats and that there are solutions which can protect against them. Deploying the latest security technologies will mitigate the risks, keeping the organization, its information, staff and ultimately customers safe.