Is Security Your Financial Institution’s Weakest Link?
Financial security systems have changed dramatically in the last 20 years. Gone are the days of high-walled booths, metal bars and bolted vaults standing in the way of criminals. Today’s threat landscape spans a range of electronic devices. This is due in part by the increase in internet access and usage of digital banking (particularly via mobile devices), which makes data more vulnerable and offers more outlets for criminal intrusion.
As a result, today’s well-funded professional hackers are focused on information theft and compromising data for both monetary gain and “professional” recognition. The financial services industry continues to be heavily targeted because of the sensitive financial data that institutions hold – data that can be used by hackers to commit fraud themselves or sell to a third-party. Cybercriminals are displaying new and advanced levels of sophistication, knowledge and ambition to execute attacks including: malware threats, DDOS attacks, phishing attempts and data breaches.
Importance of Being Secure
Falling victim to security breaches and associated attacks is very costly for financial institutions, both from a financial and reputational standpoint. According to Cybersecurity Ventures, the global cost of cybercrime damages will hit $6 trillion annually by 2021. This includes damage and destruction of data, theft of personal and financial data, and disruption to the normal business operations, among others.
In addition, as the number of security threats continues to increase in the financial services industry, regulators are taking a closer look at financial institutions’ policies and procedures to ensure that they can effectively safeguard confidential and non-public information. As an example, the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT), which was released in June 2015, is designed to ensure banks are prepared in the event of a cybersecurity attack. The FFIEC CAT is now the guide regulators are using to examine institutions and determine their level of cybersecurity preparedness.
Some of the most common security threats financial institutions face today include:
Malware and Ransomware
Ransomware has established itself as one of the leading cyber threats for many organizations, but especially financial institutions. A Cisco 2017 report states that ransomware is growing at a rate of 350 percent annually. Many legitimate websites have been unknowingly infected with malware and more emails are getting through with malware than in years past. Malware is no longer characterized by simple aggravating popups and sluggish computer performance, but rather the encryption of all data on a machine, rendering it unusable. It is capable of gathering credentials from specific users, or even documents and information that resides on the machines themselves. According to Cybersecurity Ventures, ransomware damages reached $5 billion across all industries in 2017.
Internet of Things (IoT) Attacks
Unsecured Internet of Things (IoT) devices such as DVRs, home routers, printers and IP cameras are vulnerable to attack since they are not required to have the same level of security as computers. To breach a financial institution, attackers will target insecure devices to create a pathway to other systems. Unsecure IoT devices are also used to launch distributed denial-of-service attacks (DDoS) against institutions. These DDoS attacks prevent legitimate users from accessing computer systems, devices or other online resources. The perpetrator floods the victim’s machine or network with false requests from various sources to overload the system and prevent legitimate access. A well-executed attack can interrupt a host of banking services including website access, ATM networks, and online banking platforms, in addition to internal systems and functions.
Phishing scams that specifically target financial institutions’ employees, attempting to obtain sensitive information such as usernames and passwords, have become increasingly common within the last few years. The goal in such attacks is to trick employees into clicking on links or opening attachments that redirect them to fraudulent websites where they share login credentials and other personal information. These compromised credentials allow cyber criminals to read a bank or credit union’s critical information, hack into the employee’s bank and social media accounts, send emails on an employees’ behalf, and gain access to internal documents and customer financial information.
Lack of Third-Party Vendor Security
While a financial institution might have the right security systems and policies in place to protect itself and its customers from a cyber-attack, its third-party providers may not have the same level of security and diligence. This creates a major vulnerability for the financial institution. Without a proactive approach to vendor management, financial institutions are opening themselves up to increased levels of risk that can have a negative impact on the institution’s financial standing, compliance posture and overall ability to serve its customers. Federal regulators have issued guidelines to help institutions better understand and manage the risks associated with outsourcing a bank activity to a service provider. The FFIEC IT Examination Handbook was revised to help guide banks to properly establish and maintain effective vendor and third-party management programs.
Often, all it takes is a disgruntled employee or ex-employee to release valuable security information and compromise system and data security. Additionally, cyber criminals are increasingly realizing success through bribery as a means to entice bank employees to give up their login credentials or other security information, allowing direct access to internal systems.
Lack of Employee Training and Security Expertise
Cyber-attacks are often able to outpace cyber-defense due to a shortage of qualified cybersecurity personnel and the limited IT staff bandwidth to stay abreast of a continually evolving security landscape. Employee testing and training is critical for financial institutions to decrease vulnerabilities and ensure that their staff — at all levels — understand their roles and responsibilities in protecting against security threats. Until this learning gap is resolved, financial institutions will continue to struggle to efficiently manage cybersecurity threats.
Combating Security Threats and Ensuring Bank Security
With so much at risk, it is imperative that community banks and credit unions have the proper security layers in place to protect against these attacks and stay updated on all emerging security threats. While cybersecurity has become a major issue for the financial industry, the truth is that many financial institutions are too complacent when it comes to protecting themselves. Some community banks and credit unions believe that doing the bare minimum for protection is enough. The recent data breaches and cyberattacks in the financial industry prove that this is simply not true.
To adequately protect against security threats, financial institutions must ensure that every device on the network has up-to-date antivirus software, adequate firewall protections and that all patches are up-to-date as a minimum requirement.
In addition, financial institutions should also employ a strategy that places many uniquely tailored layers throughout their networks, from the end-user to the internet to establish a secure IT environment. Adding preventive, detective and responsive layers to IT security strategy will help strengthen an institution’s approach and build an effective security foundation.
A uniquely tailored layered security approach enables financial institutions to:
- Monitor antivirus for servers, workstations, and off-site laptops;
- Use services that evaluate site lookups to avoid exposure to compromised websites;
- Scan the network for vulnerabilities and detect unusual activity against hackers and rogue employees;
- Block access to all external ports while also monitoring the access of various machines;
- Meet government regulations and requirements;
- Counter extortion threats by preventing a hacker from holding your customer’s personal data for ransom with special customized software for stopping ransomware; and
- Patch machines, encrypt laptops, and install alerts on new devices plugged into the network.
The security landscape is constantly evolving, and it is imperative to have a solid security plan in place that accounts for this evolution. It should be a fluid document that is frequently reviewed, updated and that specifically outlines administrative, technical, and physical controls that mitigate evolving risks. It is also important to test the full plan on a regular basis to ensure all procedures can be executed successfully and verify that all regulatory requirements are met.
Managing Security Needs
Many community banks and credit unions find that managing the security needs of their organization can be a time-consuming and challenging task. To help augment the security responsibilities, these institutions are turning to financial industry-specific IT and security service providers to act as an extension of their organization, provide timely support, and help the financial institution successfully design and execute a comprehensive security strategy. The right solution provider couples security measures with an understanding of and support for the unique security and compliance demands of the financial industry.
At Safe Systems, we believe that proactively protecting customer data will always be more cost effective than falling victim to malicious activity. To that end, we have the unique expertise to ensure that financial institutions employ the right combination of both broad and specific security products to create an ecosystem of protection. Safe Systems helps secure an organization’s endpoints, devices, and users by assessing vulnerabilities, detecting unwanted network activity, safeguarding against data loss, and preventing known threats while staying ahead of developing ones.