Within the global sector of cyber security, the two major areas that are constantly under attack are financial and governmental. Financial organisations that hold consumer data, in particular those that provide financial services to retail and commercial customers, including banks, investment companies, real estate firms, retail banking and insurance companies, are an obvious target for the simple fact that this is where the money is. At the end of the day, unless an attack is of a personal nature, in which the reputation of an individual or business is targeted, monetary assets are the endgame.
Now imagine a cyber threat the same as you would a burglar walking down the street. When a thief leaves their home, they do not necessarily know what they are going to target, unless they have done some reconnaissance and are after something specific. In most cases, however, the target itself is not premeditated. And a house which is more vulnerable and has less defences, will always be the first point of call. Given the choice between a house with an open window and lights out, and a house with attack dogs, security cameras and search lights, nine times out of ten a burglar will take the opportunity to infiltrate the house with the open window. Why? Because it is easier and quicker to break into this house successfully.
The same applies within the finance industry. If there is a vulnerability, it will be the first target. In response, banks and financial institutions require tailored and sophisticated security to support their systems and people, and to defend against an onslaught of complex and aggressive cyber-attacks. Not only must security compliance within the financial sector be tenfold, but it is essential that security precautions evolve, to mirror the growing threat landscape.
But as new cyber threats develop daily, this is easier said than done.
To uphold compliance, and elements such as GDPR, antifraud systems within the finance industry have developed significantly over the last few years to safeguard credentials. To do this a combination of key codes, two factor authentication, voice ID, behavioural analysis, one-time passcodes, protective messaging, and digital fingerprinting have been widely integrated.
In fact, if you look at the document, ‘Comparison of banking providers’ fraud controls’, from the Financial Conduct Authority (FCA), the majority of banks use a combination of these systems. With organisations including the Bank of Scotland, First Direct, Halifax and HSBC, using touch identification. An element that would seem almost impossible to recreate virtually.
But cyber criminals have a concerningly accurate knowledge of the internal workings of banking and banking systems. And, in 2019, an arena known on the dark web as Genesis Market was uncovered. Within Genesis Market, digital fingerprints, stolen from PC’s, were/are sold. And, with each fingerprint, a user’s digital identity provides the means to bypass security measures and gain access to accounts.
According to darknetstats, Genesis Market is accessible by invitation alone. Once in, not only are fingerprints available, but so are passwords, credit card information, cookies and more.
It is no wonder that retina scanners are developing in the biometrics/banking sphere.
It can be argued that the reason why many cyber criminals know so much about the inner workings of financial organisations is because, at one point or another, many worked legitimately within the industry. Internal teams pose as much of a threat as external attacks. In every Bond film there is always an insider guy. But whether an attack is malicious or accidental, internal security breaches are regular occurrences. Which us why User Behaviour Analytics is crucial to understand the actions within a team, and to highlight and stop unusual activity before the damage is done.
Another element that is important to recognize with regards to internal threats, is that many employees/insiders are completely unaware that they are a threat in the first place. Take, for instance, an employee working remotely. This employee may be sat at a local café where they decide to work on a company device. If this device was unknowingly hacked while using a different Wi-Fi, the user may be completely unaware that they are spreading malicious malware via their device throughout the company.
Say a crime group has gained access to personal accounts. The next logical step is to blackmail the victim/organisation via ransomware. Unfortunately, as a public security breach would cause mass panic and many potential lawsuits, banks will often pay off cyber criminals into an anonymous cryptocurrency account, rather than lose client data. Crime groups know this.
Sometimes victims speak out, but this does not always end well. Take Travelex, the currency exchange company, for instance. Following an attack by a Sodinokibi ransomware in January, $6 million was demanded in exchanged for 5GB of personal data. Since the attack, Travelex has fallen into administration, with PwC saying that the ‘foreign exchange firm was acutely impacted by COVID and the recent cyber-attack.’
For financial organisations, ransomware can and will destroy a whole business. And, if they lock you out of an account, you are finished.
Apps surrounding investment and finance have grown substantially in 2020. This, in part, is a good thing, as the ability to invest online is quick and easy, and accessible to all. But due to the demand, many of these apps were developed quickly and are underprepared for cyber-attacks.
For instance, many do not provide two-factor authentication, are not supported by the appropriate regulations, are not patched or maintained properly, and do not have contingency plans in place to mitigate the effects of a cyber-attack. As a result, personal information of app users is relatively easy to steal and sell. This can be done by creating duplicate fraudulent apps to trick the user. On these duplicate apps, the imagery and language of the genuine app is mirrored. And, once the personal information is supplied, both real and virtual money is then accessible. Thus, the circle of ransomware ensues.
Another element to take into consideration over recent months is, of course, COVID-19. According to ComputerWeekly, ‘what has been referred to as an “unprecedented anomaly”, cyber criminals are increasingly targeting the financial services sector during the Covid-19 coronavirus pandemic, with attacks on banks and other financial institutions spiking by 38% between February and March to account for 52% of all attacks observed by VMware’s Carbon Black Cloud.’
Read our blog on ‘Exploiting Fear in a Cyber World’, for more on how COVID-19 has altered cyber security on a global scale and in every vertical.
These days, few organisations work on their own. The majority use third parties, including vendors, partners, e-mail providers, service providers, web hosting, law firms, data management companies, subcontractors and so on. With regards to many of these, from IT systems to sensitive information shared with legal teams, these third parties could easily be a backdoor into your financial systems for attackers to infiltrate.
According to Ponemon Institute, ‘53% of organisations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate’. For a large organisation, this can be crippling. And can wipe out a small organisation in a matter of minutes.
To manage third parties, financial organisations must have the ability to detect threats, and the capability to respond to them. Which requires the right combination of people, processes, and technologies.
But half the battle is locating vulnerabilities in the first place. Which is why cyber resiliency needs to be sharp, and why investing in the best managed security services is essential. From Firewall Management, to Decoy Deception and Honeypots, it is important to know what services will support an organisation best. This will depend on factors including location, company size, current security measures and more.
Cyber threats will continue to grow into 2021. That much is clear.
Financial organisations have either already tackled a cyber-attack, will tackle one in the very near future, or maybe a target of one currently, but are simply unaware of the fact.
Effective security comes down to three key elements. Processes, people and technology. Processes must run seamlessly alongside the organisation. Security experts must have the capability to detect, react and understand the context of a risk. And the technology must be superior, to keep up with cyber threats. All elements are equally as important, and you must have all three to ensure security.
In times like these security measures are more crucial than ever. Especially for those within finance. So that our life savings are secure, the security of our loved ones is maintained, and the livelihoods of those employed within the financial world continue.
HedgeThink.com is the fund industry’s leading news, research and analysis source for individual and institutional accredited investors and professionals