Did you know financial services companies are the most vulnerable to cyber attacks? In the study commissioned by Deloitte, out of 26 industries most targeted by cyber criminals, financial services came out on top. Not exactly the kind of competition any business wants to win! To make matters worse, in the past year, 70% experienced a successful cyber attack – said to be accelerated by the global pandemic.
In recent years, the finance industry has experienced a number of changes. To mention a few: increased competition from new digital entrants and online banks, changes in legislation such as PSD2, the rise of Bitcoin, and the use of blockchain technology (solution or threat? TBD).
In the face of this fast-moving environment, financial institutions are embracing digital transformation activities and increased digitization. Flexible, scalable software foundations have been recognized as essential to facilitate the immediate release of new services. APIs are also being employed, enabling businesses to diversify their service and technology offerings. To improve the end user experience, other advanced technologies are progressively being adopted; for instance: digital account opening, person to person (P2P) payments, and cloud computing.
While these newly developed technologies offer immense benefits to the industry and customers alike, what about the cybersecurity risks?
5 Top Security Threats for Financial Services
Onboarding new technologies enables institutions to reach customers in fresh and innovative ways, although it also raises the potential of putting sensitive data at risk. In fact, it’s some of the most sought-after data in the world – think credentials, bank and credit account details, usernames, and passwords – and when a breach occurs, the results can be devastating to both companies and end customers.
Let’s dive into the key cybersecurity threats experienced by financial institutions.
1. Supply Chain
It is a strange concept that financial services companies have a supply chain, since we usually associate supply chains with the process of moving objects and goods. It is no surprise, then, that financial institutions’ supply chains look very different from that of a company selling physical goods. The supply chain carries several threats; a few key components are listed below:
- Transfer of knowledge and information
- Cash cycles – varying in length depending on the transaction
- Sharing data with third parties and vendors
- Storage of data
Each of these engenders risk and creates a target-rich attack surface.
Firstly, knowledge and information are held and shared by the people who make up a company’s internal and external network, so there is always the risk that data will be lost through complacency, fraud, or human error.
The longer the cash cycle, the higher the risk. If more checks are required this results in increased passing of information, again escalating the potential for sensitive details to become compromised. Often, at various points within the cash cycle, third parties and vendors will become involved. A lack of transparency between third parties along the supply chain – in other words, limited understanding of how these organizations operate – can be particularly dangerous. If their cybersecurity protocols are limited and cyber hygiene is low, all information or data shared with that vendor becomes at-risk.
This leads to the final point, storage of data. Many organizations use shared or cloud drives to share and store information. These systems are highly useful but if not set up appropriately, hackers can easily gain access to data. To be safe, businesses should make sure they put controls in place, such as limiting access to trusted users and enabling multi-factor authentication.
2. Emerging Technologies
As mentioned, financial institutions are utilizing new technologies in a bid to stay competitive. Emerging technologies are a double-edged sword. At one end they enable innovation and efficiency, but at the other they create additional risk by potentially providing new doorways into the organization. Blockchain, IoT, and 5G are hot on the radar of CIOs and CTOs. Unfortunately, in many cases, the risk is high with these types of technologies, often with little regulation, software vulnerabilities, and the absence of a universal security standard for IoT. Also, cybercriminals are often one step ahead when it comes to new technologies, deploying them for the purpose of attacks.
3. Data Theft and Data Manipulation
Due to the liquidity within financial firms, data theft can result in a high return for cybercriminals. Data manipulation is also on the rise, with hackers threatening to destroy or change data – breeding distrust on a global level. Despite the clear dangers of financial data being altered and/or stolen, many organizations have experienced a ransomware attack – with cybercriminals demanding a fee in exchange for the return of data or for access to their data via a decryption key.
4. Talent Shortage
With the current climate of remote working and advancing technologies, one talent gap has been made abundantly clear: cybersecurity professionals. Cybersecurity professionals have a huge job on their hands especially if a company manages its public key infrastructure and software internally. On top of this, without the right minds in the driving seat for cybersecurity, employees of the organization are not likely to be taught cybersecurity hygiene and best practices. The workforce of the financial institution could then become their biggest threat.
5. Malware Attacks
A security report by Akamai revealed 4 specific types of malware were used in more than 90% of attacks on the financial services sector:
- SQL Injection (SQLi)
- Local File Inclusion (LFI)
- Cross-Site Scripting (XSS)
- OGNL Java Injection
Each is used to attack data-driven web applications. Code is inserted to trick a site into revealing information or allowing the upload of files to the server. If sensitive information is kept on these applications, then an organization could be in serious trouble.
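The first two items in the list above, shown from the defender's side. This is an added example, not code from the original article or the Akamai report: the `accounts` table, its rows, the function names and the template directory are all constructed for illustration.

```python
import sqlite3
from pathlib import Path

def make_db():
    """Constructed in-memory table standing in for an account store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, iban TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", "GB00TEST0001"), ("bob", "GB00TEST0002")])
    return db

def lookup_vulnerable(db, owner):
    # Weak: the input is concatenated into the SQL text, so the input
    # itself can change what the query means (SQL injection).
    sql = "SELECT owner, iban FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, owner):
    # Hardened: the value is bound as data and is never parsed as SQL.
    sql = "SELECT owner, iban FROM accounts WHERE owner = ?"
    return db.execute(sql, (owner,)).fetchall()

def resolve_template(base_dir, name):
    """LFI guard: only return paths that resolve inside base_dir."""
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    if not target.is_relative_to(base):  # requires Python 3.9+
        raise ValueError("path escapes the template directory")
    return target

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input for the comparison
    print("concatenated :", lookup_vulnerable(db, crafted))
    print("parameterized:", lookup_parameterized(db, crafted))
    try:
        resolve_template("/srv/app/templates", "../../etc/passwd")
    except ValueError as err:
        print("rejected     :", err)
```

The concatenated query returns every row for the crafted input, while the parameterized query returns none; the path check rejects any name that resolves outside the template directory.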
Security Tips & Best Practices for Financial Services
Having looked at the key threats and risks to the financial industry, we want to highlight a few potent methods financial services firms can implement to boost their cybersecurity:
As already pointed out, a company’s workforce can become their biggest threat. Financial organizations should work to change this through educating and training employees around cybersecurity dangers and best practices. Key areas to focus on include:
- Password usage – Ensure employees are using secure passwords incorporating a mixture of letters, numbers, and special characters.
- Two-factor authentication – Set up an extra layer of protection on employees’ work devices as well as their personal devices, especially if a ‘Bring Your Own Device’ (BYOD) policy is in place.
- Social engineering attacks – Look out for warning signs of baiting or attempts to trick employees into giving away confidential information.
- Phishing scams – Train employees to check emails before opening or downloading attachments, keeping an eye out for emails that originate from unknown addresses and avoiding suspicious links which could open a pathway for hackers.
A simple tip to reduce the chances of a successful attack is to update all of your company’s systems and applications. While it sounds relatively easy, if the company uses bespoke software or has a vast digital environment this could become a mammoth task. Hence the need for good cybersecurity hygiene, which includes making updates on a regular basis so as not to disrupt daily responsibilities.
As highlighted previously, financial data is a jackpot for hackers. All digital systems contain sensitive data of some kind, hence the need to protect them through encryption. Often IT professionals within an organization will not have the time or specific skill set to do this for all applications, which is why it is necessary to seek help from cybersecurity experts to secure and encrypt emails and other systems.
Audit Cybersecurity Security Solutions and Strength
Financial firms should regularly test the strength of their cybersecurity efforts, especially when onboarding new technologies and changing applications and software. One way to do this is through utilizing white hat hackers, who are given permission to hack organizations (also known as ethical hacking). Feedback is then provided to the company regarding any vulnerabilities. To confirm the financial firms’ confidentiality, integrity, and security controls, they should seek to obtain certification from the International Organization for Standardization (ISO) for information technology and security techniques.
Invest in Cybersecurity Measures and Professionals
Financial services firms can secure their network by employing a scalable, high-bandwidth network infrastructure, which enables enhanced security options and lets employees work securely. They should also invest in authentication that controls users’ access to systems and verifies the users and devices – we offer this service at GlobalSign. Finally, they should employ cybersecurity professionals to ensure good cybersecurity hygiene and to create a positive cybersecurity culture among the workforce.
As outlined, cybersecurity is especially essential for the financial services industry and requires dedicated time, planning, and investment to create a secure environment. Don’t know where to start? Get in touch with our PKI experts!