The financial sector is one of the main targets of cyber-attacks. Money is a big lure for cyber criminals, and banks offer multiple profitable avenues: extortion, fraud, and theft. Compliance and regulatory bodies therefore impose strict controls to raise security standards and protect financial institutions.
Banks, credit unions, investment firms and the like are entrusted with highly personal data known as Personally Identifiable Information (PII): contact details, social security numbers, phone numbers, email addresses, banking details, and the income information of customers and clients. This data is very valuable on the darknet, which is precisely why the financial industry is on the radar of cyber criminals.
Non-cash payments via net banking, mobile apps, and online payment gateways such as Google Pay and Paytm have grown together with worldwide internet and mobile use. Every new channel widens the attack surface and, with it, the number of exploitable weaknesses. At the same time, social media and consumer databases let financial institutions serve existing customers better and reach new ones.
Cyber criminals keep discovering new areas to attack and devising more sophisticated attacks, which puts pressure on cyber security professionals to stay a step ahead. The financial sector is on tenterhooks, struggling with a shortage of skilled cyber security professionals. In addition, pressure from compliance and regulatory bodies has forced the sector to invest significantly and to collaborate with outside vendors to improve its security posture.
Phishing and malware are the two most common forms of attack, accounting for about 75% of breaches. Insider threats, whether deliberate or accidental, also have to be considered and contribute roughly 25% of incidents. Consumers are protected by federal law provided they report an erroneous transaction within the stipulated period; banks are offered no such protection, so the onus is on the bank to protect itself.
Why are financial institutions the biggest target of cyber criminals? Simply put, that is where the money is. Financial institutions are especially exposed because of the vast sums they handle: the number of clients is huge, and managing their money across funds, schemes and other products is a complex affair. Cyber criminals exploit that complexity with sophisticated breaching methods designed to divert funds into their own accounts.
Compliance and regulatory bodies are aware of the situation financial companies find themselves in and enforce strict standards to protect clients and their sensitive data. The institutions are left with the challenge of implementing those standards so that clients can continue to place their trust in them.
Yet another challenge is the industry's reliance on third-party vendors. A large number of smaller businesses provide services to the bigger financial institutions, and any one of them that is inadequately secured becomes a way in. Vetting and auditing each of them individually puts a strain on the industry.
Last but not least, consumer demand for cashless transactions is a challenge, because financial services must strike a balance between ease of use and security. Consumers expect every service at the click of a button and expect it to be secure. Finance companies therefore look to the latest advances in computer and application security to meet that demand, which further fuels the need for skilled cyber security experts.
Legacy systems are themselves a threat: they have to be replaced to keep pace with technological innovation, which is costly, and meanwhile modern attack tooling makes them easier for attackers to compromise. For instance, multi-factor authentication (MFA) has yet to be instituted by all banks. MFA requires two or more independent factors (for example a password plus a one-time code or hardware token) before a customer can access an account. Although slightly inconvenient, it is in the customer's best interest.
To keep consumers happy, banks have to invest in modern application platforms that make processes easy and improve the customer experience. That in turn calls for a DevSecOps culture in which responsibility for security is shared across the development, security and operations teams.
As is often said in the cyber world, the attacker has to get it right just once, whereas the security team has to be right all the time. That puts tremendous pressure on the security team to continually hunt for vulnerabilities and identify weak links in the system. Ironically, the weakest link is often the human element.
Social engineering in the form of phishing is widely prevalent across industries. After initial contact through mass mailers, spam and the like, the attacker builds a relationship with employees who, under pressure or for profit, help install spyware or other malicious software on the systems. To counter this, banks, often with the help of external cyber security vendors, run red team (simulated attack) and blue team (defence) exercises and penetration tests to expose vulnerabilities and weak links in their systems.
Financial companies manage mammoth amounts of sensitive data on lakhs (hundreds of thousands) of customers, involving complex and critical transactions and a number of third-party vendors. According to PwC's Global Economic Crime and Fraud Survey 2022, 46% of the surveyed organisations reported fraud or other economic crime in the preceding two years. Also, 70% of organisations that experienced fraud said that the majority of the disruption came from external attacks or from collusion between external and internal sources.
Trust is the foundation for the existence of a financial entity. Investors, consumers, stakeholders, and regulators all need to be able to place their trust in you. Investors need to know that their money is being put to legitimate use and that profits derive from sound business practices.
Customers and consumers need to know that their money is in safe hands and is being invested in profitable ventures. Stakeholders need to trust that their personal data is protected and that the online applications are secure.
Lastly, the regulatory authorities need to know that you are playing by the rules and are in compliance with the standards they set. Neglect or failure in any of these areas results not just in monetary loss but in loss of confidence and reputation, and those are hard to come back from.
The fundamental strategies a finance company needs to secure its business:
Securing assets, in the form of data and information, is indisputably always the first step; everything else follows only once that is taken care of. Either join hands with external cyber security vendors or equip your internal IT team to secure the company's network systems, data, and infrastructure.
Compliance and security are not synonymous. Regulations have to be upheld at all costs, but being compliant does not make you secure. Identify the biggest threats to your organisation and focus time and effort on those. Prioritise the risks by the disruption or impact they could have on mission-critical operations, and develop methods to mitigate them. Design an enterprise solution that balances people, processes, and technology and secures all three.
In all likelihood, the technology innovations you adopt for growth and cost optimisation bring with them a new set of threats and vulnerabilities. This makes it necessary to stay vigilant and to introduce a continuous process of assessment and evaluation to ascertain strengths and weaknesses.
Ensure that all your cyber security solutions provide visibility across domains, including processes, data, infrastructure, and network systems.
A firewall helps protect your assets by monitoring incoming and outgoing traffic and blocking unauthorised access. A software firewall (often called a client or host-based firewall) runs on the computer itself and monitors that host's network traffic; an appliance firewall is a physical device placed between the internet and the internal network. Most institutions need both, because a perimeter appliance sees nothing of traffic between hosts inside the network.
Patching and updating is often ignored because it is time consuming and appears to disrupt the flow of work. It is important not to skip it: updates keep systems compatible with new software and applications and, most importantly, close known vulnerabilities that attackers actively exploit once a fix is public.
Backups become critical the moment an attack succeeds. They can be taken daily, weekly, or monthly depending on the size of the business and how fast its data changes. Using a cloud service provider does not hand off responsibility for the data: under the shared responsibility model the provider secures its infrastructure, while the customer remains responsible for its own data and configuration. It is therefore prudent to keep an additional copy, ideally offline or otherwise immutable so that ransomware cannot encrypt it, and to test restores regularly.
Cyber security is the responsibility of all the people involved. Thus, educating your employees and staff about the different forms of attacks and ways to mitigate them is crucial to provide complete security cover.
Employees should be granted access based on their role, with just enough permissions to do their jobs (least privilege). This significantly limits the damage an insider, or an attacker holding an employee's credentials, can do. Review these accesses regularly to confirm they are still appropriate and have not been misused.
Passwords must be unique to each account and must never be reused, since a credential leaked from one service is routinely tried against others. Passwords should not contain easily obtainable information such as a name, date of birth, or city. Attackers resort to brute force and dictionary attacks, in which a computer tries millions of candidate passwords per second, far more against a stolen password database than against a live login page. The longer and less predictable the password, the longer it takes to crack, and MFA limits the damage when a password does fall.
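The role-based, least-privilege model and the periodic access review described above, as an added example (not code from the original article). The roles, permissions and users are constructed sample data; the permission names are assumptions chosen for illustration.

```python
"""Added example, not from the original article: a minimal role-based
access model with an access-review check that flags permissions a user
holds beyond what their roles justify. All data below is constructed."""
from dataclasses import dataclass, field

# Each role carries only the permissions its job requires (least privilege).
# Role and permission names are assumptions for this example.
ROLE_PERMISSIONS = {
    "teller": {"account:read", "transaction:create"},
    "branch_manager": {"account:read", "transaction:create", "transaction:approve"},
    "auditor": {"account:read", "transaction:read", "audit_log:read"},
}


@dataclass
class User:
    name: str
    roles: set
    # Permissions granted directly to the person, outside the role model.
    # These accumulate over time ("privilege creep") and are what a review must question.
    direct_grants: set = field(default_factory=set)


def role_permissions(user: User) -> set:
    """Permissions justified by the user's roles. An unknown role fails closed."""
    perms = set()
    for role in user.roles:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r} on user {user.name}")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def effective_permissions(user: User) -> set:
    """What the user can actually do: role permissions plus direct grants."""
    return role_permissions(user) | user.direct_grants


def is_allowed(user: User, permission: str) -> bool:
    """Authorisation check used at request time."""
    return permission in effective_permissions(user)


def excess_permissions(user: User) -> set:
    """Direct grants not explained by any role the user holds."""
    return user.direct_grants - role_permissions(user)


def access_review(users: list) -> dict:
    """Map user name -> sorted unjustified permissions, for users with findings only."""
    findings = {}
    for u in users:
        excess = excess_permissions(u)
        if excess:
            findings[u.name] = sorted(excess)
    return findings


# Constructed sample population.
SAMPLE_USERS = [
    User("alice", {"teller"}),
    User("bob", {"teller"}, {"transaction:approve"}),  # creep: a teller who can approve transactions
    User("carol", {"auditor"}, {"account:read"}),      # redundant grant, already covered by the role
    User("dave", {"branch_manager", "auditor"}),
]

if __name__ == "__main__":
    for name, excess in access_review(SAMPLE_USERS).items():
        print(f"{name}: unjustified permissions {excess}")
```

Running the review reports only bob, whose direct "transaction:approve" grant lets a teller approve the transactions he creates; carol's direct grant is already implied by her role and is merely redundant. Failing closed on an unknown role matters in practice: a typo in a role name should deny access, not silently grant nothing while the user keeps their direct grants unchecked.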
Phishing is a form of social engineering that tricks users into revealing data such as login credentials, which are then used to get into the network. The unsuspecting victim typically receives a convincing email that looks legitimate. Sometimes the attacker inserts a message into a genuine email thread the victim is already part of, so the victim replies without suspicion; this is known as email conversation thread hijacking.
In a ransomware incident the victim is locked out of their own computer or files by malware that encrypts the data; it can be decrypted only with a key the attacker releases after a ransom is paid. Attackers use a number of additional extortion tactics, such as threatening to publish the stolen data, to get what they want.
An application makes a large number of queries to its database. SQL injection is a web security vulnerability in which user-supplied input is placed into such a query without proper handling, letting the attacker alter the query's logic and read data they are not authorised to see. In many cases it also lets the attacker modify or delete data.
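The flaw described above and its fix, as an added example that is not code from the original article. It uses an in-memory SQLite database with a constructed schema and constructed rows; the table and column names and the attacker payloads are assumptions chosen to illustrate the unauthorised read and the unauthorised modification the text mentions.

```python
"""Added example (not from the original article): SQL injection in a
bank-style account lookup, the vulnerable version beside its parameterised
fix. Schema, rows and payloads are constructed sample data in SQLite."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: customer accounts plus a staff table that the
    customer-facing lookup must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.execute("CREATE TABLE staff (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                     [("alice", 1200), ("bob", 55000), ("carol", 310)])
    conn.execute("INSERT INTO staff VALUES (?, ?)", ("admin", "$2b$12$constructed-hash"))
    conn.commit()
    return conn


def lookup_vulnerable(conn, owner: str):
    # The input is spliced into the SQL text, so a quote character in `owner`
    # changes the structure of the query instead of being compared as a value.
    sql = f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, owner: str):
    # Parameterised query: the value travels separately from the SQL text and
    # can only ever be compared, never executed.
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def credit_vulnerable(conn, owner: str, amount: int) -> int:
    # Same flaw on a write path; returns how many rows were changed.
    sql = f"UPDATE accounts SET balance = balance + {int(amount)} WHERE owner = '{owner}'"
    rowcount = conn.execute(sql).rowcount
    conn.commit()
    return rowcount


def credit_safe(conn, owner: str, amount: int) -> int:
    sql = "UPDATE accounts SET balance = balance + ? WHERE owner = ?"
    rowcount = conn.execute(sql, (int(amount), owner)).rowcount
    conn.commit()
    return rowcount


# Constructed attacker inputs.
TAUTOLOGY = "x' OR '1'='1"                                            # every row matches
UNION_DUMP = "x' UNION SELECT username, password_hash FROM staff --"  # read a different table
MASS_UPDATE = "nobody' OR 1=1 --"                                     # WHERE clause hits every row


if __name__ == "__main__":
    db = build_db()
    print("normal:", lookup_vulnerable(db, "alice"))
    print("tautology:", lookup_vulnerable(db, TAUTOLOGY))               # all three accounts
    print("union:", lookup_vulnerable(db, UNION_DUMP))                  # staff credential hash
    print("safe + tautology:", lookup_safe(db, TAUTOLOGY))              # []
    print("rows credited (vulnerable):", credit_vulnerable(db, MASS_UPDATE, 100))  # 3
    print("rows credited (safe):", credit_safe(db, MASS_UPDATE, 100))              # 0
```

The tautology payload turns a one-customer lookup into a dump of every account, the UNION payload reads a table the endpoint was never meant to touch, and the same trick on the UPDATE path changes every balance at once. Python's sqlite3 refuses stacked statements, so a `'; DELETE FROM accounts --` payload fails here, but many other drivers and databases accept it, which is how the delete case in the text arises. Parameterisation closes the hole; running the application under a database account that cannot read `staff` or alter balances it should not touch is the defence-in-depth layer behind it.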
Because of the diverse online services the financial sector runs, DDoS attacks are among the most common. They can target banking infrastructure, customer accounts, payment portals, and so on. Two patterns are typical: in a ransom DDoS, the attacker demands payment to stop the flood; in the other, the DDoS is a smokescreen, and the criminals attack the network systems elsewhere while the security team is distracted by it.
Financial institutions function as a cohesive whole made up of many independent business units and third-party vendors. Those vendors are often used as a route into a bank that circumvents its own security controls, not least because vendors frequently fail to secure their networks properly. A weak link in the supply chain can therefore cost dearly, since a single vendor may hold data from many companies.
A bank drop is a fake account opened by criminals using real information stolen from legitimate people: full name, date of birth, address, contact numbers, credit details, banking details, social security number and so on. These accounts are used to receive and hold stolen funds.