Banks need best practice to combat growing cyberattacks
Cyber attacks on the financial sector have increased steadily. According to VMware, financial institutions experienced a 238% increase in cyber attacks during the first six months of 2020 alone. In 2021 the trend continued, with financial institutions and fintechs hit by, among other things, ransomware, phishing, SQL injection, social engineering and denial of service attacks.
Public agencies have tried to stem the trend with regulations, resources and regular warnings. But has this been enough, and can financial institutions and fintech companies do more to protect their customers’ sensitive data and their own proprietary information? The answer is yes. It requires that managers gain a better understanding of how cyber attacks on the financial sector are evolving and how they are being answered, together with the implementation of cyber security best practices that address current threat vectors.
On 14 September 2007, the online brokerage TD Ameritrade reported a data breach that resulted in the theft of 6.3 million customer account records. It was one of the first major wake-up calls for the financial sector and would unfortunately be followed by many others. A Boston Consulting Group report stated that financial services companies are 300 times more likely to experience a cyber attack than companies in other industries. Their costs from a cyber attack are also higher: Accenture reported that the average cost of cybercrime per financial company in 2018 was $18.5 million, compared to $13 million for companies in other sectors. That amount has most likely risen since. The good news is that there is greater awareness, and more action in place, to help fight cybercrime. This increased awareness, combined with best practices, can be extremely effective.
Serious cybercrime incidents in 2021
Since the tracking and reporting of cyber attacks began, there has been a long line of cyber attacks against banks, credit unions, credit card companies, mortgage lenders, investment firms, cryptocurrency platforms and others worldwide. The cybercriminals have included Russian hacker groups such as TA505, ransomware groups such as DarkSide and Ragnar Locker, international crime rings and botnet campaigns such as SharkBot and UBEL. Some of the cyber attacks on companies in the financial sector that made headlines in 2021 include:
- A stolen SSH key that led to major security breaches at the crypto-trading platform Bitmart, allowing hackers to withdraw nearly $200 million in assets.
- The hacking of Robinhood, an American stock trading platform, which gave the cyber thief access to approximately seven million customers’ personal information.
- A breach at insurance technology startup BackNine that exposed 711,000 files containing customers’ sensitive personal information, including medical histories.
- A denial of service attack on a German IT company operating technology for Germany’s partner banks disrupted operations at 800 financial institutions in the country.
- A 300% increase in phishing attacks experienced by Chase from May to August 2021, as reported by Cyren Research.
- The ransomware attack on CNA Financial that disrupted its employees’ work and customer service for three days.
Measures to mitigate cybercrime
These are just a few examples of the hundreds of cyber attacks that hit businesses in the financial sector in 2021. These incidents gave rise to growing warnings from government agencies. In the United States, cyber-threat warnings are issued regularly by the Federal Bureau of Investigation (FBI), the Department of Financial Services (DFS) and the Federal Trade Commission (FTC). The United States has also developed various laws and standards to improve cybersecurity in the financial sector. For example, cybersecurity components have been added to the Sarbanes-Oxley (SOX) Act of 2002, and the Bank Secrecy Act, the Gramm-Leach-Bliley Act and the Payment Card Industry (PCI) data security standards have been adopted. More recently, US President Biden’s administration introduced new cyber security rules for the financial sector.
The FTC made changes to the Gramm-Leach-Bliley Act that require FTC-regulated financial institutions to develop and implement cybersecurity requirements as part of their information security programs. In addition, the US Securities and Exchange Commission (SEC) announced new enforcement measures against companies in the financial sector for inadequate disclosure controls around their cybersecurity risk. Other agencies such as the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation and the Federal Reserve System are also expected to follow and issue new cyber security regulations.
Within the EU, the governing framework is the European General Data Protection Regulation (EU-GDPR), and since Brexit the United Kingdom has created its own version of the GDPR (UK-GDPR).
In 2015, the “Financial Services Sector-Specific Plan” was issued jointly by the US Treasury Department and the US Department of Homeland Security. It outlines a comprehensive cybersecurity plan for companies in the financial sector that covers a strategic framework, objectives, guidelines for information sharing, best practices, response to incidents, recovery and benchmarking. It’s a good basic guide, but not enough. Companies in the financial sector must implement industry-driven best practices.
Best practice for cybersecurity in fintech
Many financial institutions and fintechs have extensive IT departments. They are well staffed by computer engineers, technicians, network administrators and others under the supervision of an experienced Chief Information Officer (CIO). These organizations also rely on Managed Service Providers (MSPs) to perform various functions such as preventative system maintenance and software updates. In many organizations, both internal IT staff and MSP staff take on a role in cybersecurity, but this is not the ideal situation, and these people certainly should not perform certain critical tasks such as vulnerability assessments, penetration testing and benchmarking.
These tasks should be outsourced to a third-party cyber security firm. Such firms have experienced cybersecurity experts on staff who hold key credentials such as Computer Hacking Forensics Investigator, Certified Information Systems Auditor, Certified Ethical Hacker, Certified Information Systems Security Professional and Certified Information Systems Manager. In addition to their specialization in cybersecurity, they provide an objective evaluation of a financial firm or fintech’s systems, one that is not compromised by conflicting primary roles as it would be in the case of internal or MSP employees.
Measures to build a sound cyber security initiative
Detection – An organization’s cyber security should be driven by strong detection measures. It starts with a third-party cyber security company performing a vulnerability assessment on all of the organization’s IT systems to identify vulnerabilities and risk levels. In addition, penetration testing (i.e., ethical hacking) should be performed to assess how easily a cybercriminal can enter and attack the organization’s networks, ports, databases, email systems and so on.
Damage limitation – When the vulnerability assessment and penetration testing has been completed, it is important to assess the remedial measures recommended by the cyber security company. To reduce threats and increase system security, the company can recommend new firewalls, anti-keylogging encryption software, endpoint protection, multifactor authentication, password and SSH key management and other measures to secure system access.
Framework and guidelines for network security – A formal document should be developed that sets out all network security related policies, procedures and best practices. These will include data backup and data recovery, implementation of software updates, regular vulnerability assessments and penetration testing addressing the latest threat vectors, restriction of access to sensitive data to selected authorized employees, a password management directive and the elimination of any unnecessary technology. This document should be shared with employees and vendors whose roles involve access to the organization’s technology. The document should also include a section identifying the organization’s cyber security insurance company and coverage, which should be reviewed annually, or more frequently if the organization has experienced an increase in cyber attacks.
Incident response and recovery plan – A plan that includes all measures to be implemented in the event of a cyber attack. Like a disaster recovery plan, it should identify key personnel and their responsibilities, a communications policy (i.e., which persons and entities are to be notified and in what order), documentation procedures and any crisis management and damage control measures to be implemented.
Training of employees in network security – It is also crucial that all employees’ awareness of the threat of cyberattacks is increased with training and education. Many cyberattacks start with an unsuspecting employee opening an email attachment or link that they should not have and by doing so, exposing the organization to a major breach. It is important that employees are familiar with common cyber attacks. These include:
- Phishing attacks, in which cybercriminals send emails that appear to come from a credible organization (often one the recipient has a relationship with) and request proprietary data (e.g., financial account information, passwords, etc.).
- Ransomware attacks, in which hackers plant malicious software that encrypts an organization’s data and then demand a ransom for the organization to regain access to its data.
- Malware is malicious software that is placed on computers or a network and allows cybercriminals to take control of the computer to monitor the user’s keystrokes and actions, and gain access to confidential data. The malware enters a computer when the user clicks on a link or opens an attachment.
- Denial-of-service attacks temporarily shut down a machine or network, making it inaccessible to its intended users.
- SQL (Structured Query Language) injection attacks, which target servers that store proprietary or critical data and use SQL to manage their databases. A SQL injection attack supplies malicious input that the server incorporates into a query, causing it to disclose privileged information.
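The SQL injection entry above describes the flaw in one sentence; the following added example (not code from the article or its author) shows what it looks like in practice by placing a string-built query beside its parameterized replacement. The accounts table, the sample rows and the hostile input are all constructed for the demonstration; it runs against an in-memory SQLite database so nothing external is needed.

```python
"""Added example, not from the article: a vulnerable, string-built SQL query
beside its parameterized fix, run against a constructed in-memory SQLite
database so the difference in behaviour is observable."""
import sqlite3

# Constructed sample data standing in for a financial institution's
# customer records (hypothetical names, account numbers and balances).
SAMPLE_ACCOUNTS = [
    (1, "alice", "ACC-1001", 2500.00),
    (2, "bob", "ACC-1002", 980.50),
    (3, "carol", "ACC-1003", 15000.00),
]


def build_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, "
        "account_no TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The flaw: untrusted input is concatenated into the SQL text, so the
    input can change the structure of the query instead of only its value."""
    sql = (
        "SELECT username, account_no, balance FROM accounts "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a parameterized query. The driver passes the value separately
    from the statement, so it is only ever compared as data."""
    sql = "SELECT username, account_no, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal username and with a constructed
    tautology-style input, and return how many rows each one disclosed."""
    conn = build_db()
    normal = "alice"
    # Constructed input: in the vulnerable version the WHERE clause becomes
    # username = 'x' OR '1'='1', which is true for every row.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_hostile": len(lookup_safe(conn, hostile)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

With the normal username both functions return one row. With the hostile input the vulnerable lookup returns every account in the table, while the parameterized lookup returns none, because no account is literally named "x' OR '1'='1". The remediation the article recommends (having a third party test for such flaws, then fixing them) comes down to making sure every query that touches untrusted input looks like the second function rather than the first.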
Securing the financial sector
The American Institute of Certified Public Accountants (AICPA) reported that eight out of ten U.S. adult citizens are concerned that businesses are unable to secure their personal financial information. The high incidence of breaches in the financial sector has done nothing to allay these concerns. Nor do the security breach statistics from Positive Technologies, which found that 92% of ATMs are vulnerable to hacks, do anything to instill customer trust. Companies in the financial sector should adopt the mantra that it is not a question of if, but when, their organization will experience a cyber attack. By implementing effective precautions and best practices, financial institutions and fintechs can be confident that they are proactive in the fight against cyber attacks.
About the author: Joseph Saracino is the President and CEO of Cino Security Solutions. A former Naval Intelligence Officer with the US Navy, Saracino leads a team that offers innovative products and solutions relevant to today’s global business environment.