It is not surprising that the financial sector attracts more than its fair share of attempted and successful cyber attacks. Financial firms not only have their own substantial assets but provide a potential access route to the sensitive, personal and financial data of others, namely their customers.
To successfully future-proof themselves against cyberattacks, financial firms first need to understand the scale and scope of the threat they face. They then need to flesh out a comprehensive risk management strategy – one which takes into account both technological and human factors.
Understanding attack vectors
To begin to get a handle on cybersecurity, financial firms need to first understand the sources of the threats they face.
For a start, they can expect cybercriminals to continue to use social engineering based attacks such as phishing due to their proven success. These attacks are likely to become more sophisticated as criminals learn which techniques work best and why.
Hacking tools stolen from the National Security Agency (NSA) are likely to cause further breaches where companies are slow to apply operating system updates. EternalSynergy, EternalChampion and EternalRomance have joined the infamous EternalBlue (behind the WannaCry breach) on the danger list. White hat hackers have already demonstrated how these can be tweaked to hack any version of Microsoft Windows from the past twenty years.
Other sources of attack come from within the company. Where significant sums of money are involved, employees must be monitored for signs of insider trading and theft. Any type of employee can potentially be a source of insider attack. Short-term employees such as temps and contract workers are a risk because they are naturally less invested in the company's long-term health. Meanwhile, long-serving employees have more inside knowledge and so could launch more dangerous and insidious attacks.
Finance-specific threats
In addition to the common threats posed by phishing, compromised operating systems and internal fraud, finance firms need to be vigilant about sector-specific attacks. These include authorized push payments (APPs), unauthorized payment fraud and call center scams.
APPs usually use a tailored form of social engineering with the goal of getting one person to transfer funds from their account to another one operated by the cybercriminal.
To do this, the cybercriminal will usually impersonate a trusted organization such as a bank or the IRS. The attack might make use of email (as in standard phishing), SMS, phone, letter, social media or a combination of methods. A major problem with APPs is that the payment, having been authorized by the account owner, can be difficult to recover.
Unauthorized payment fraud is an umbrella term covering a wide range of techniques for stealing money from bank accounts and credit cards. One of the most common types of unauthorized payment fraud is remote purchase fraud, where cybercriminals obtain credit or debit card details from third-party databases (often populated via phishing scams) to make online or telephone payments for purchases.
Call center scams involve cybercriminals posing as an account holder and attempting to get through the bank or financial institution's security process. One successful method scammers use for this purpose is 'SIM swapping.' This is where they contact an individual's cell phone provider and ask it to transfer that individual's number to a new device which the scammers own. This can enable them to pass two-factor authentication via SMS message.
Tips for cyber attack risk management
The most important step any financial firm can take to manage its cyber attack risk is to treat it as a business priority. Those firms that integrate cyber security measures into their top-level business strategy will be best prepared to thwart the worst attacks and to recover quickly from any minor breaches.
The above sentence also embodies an important message. Financial firms need to work from the basis that they will experience a negative cyber event at some point in the near future. This will avoid any 'head in the sand' attitude and focus efforts on damage limitation and recovery. Just as soldiers need to train rigorously in peace time to be ready for the next conflict, employees of financial firms should act as if the next cyber attack is just around the corner – because it probably is.
Prior to drawing up your cybercrime prevention and disaster recovery plan, you need to know what you are protecting! This requires a comprehensive data audit. You will need to identify how data enters, travels through and exits your network. This must include any mobile devices which employees use for work and any network-attached storage (NAS) devices.
As well as general cyber security and data protection compliance (e.g. GDPR compliance), financial firms will need to ensure their cyber security measures meet the requirements for financial-specific compliance. Examples include the Gramm-Leach-Bliley Act (GLBA), the National Credit Union Association's regulations (NCUA), the Payment Card Industry Data Security Standard (PCI DSS) and the Sarbanes-Oxley Act (SOX).
How technology can help in the fight against cybercrime
A financial firm will find it difficult to successfully tackle cybercrime without the help of technology. For a start, there is a talent shortage when it comes to suitably qualified IT security personnel, which means that those who are available come at a high price.
Fortunately, tools incorporating artificial intelligence (AI) and machine learning (ML) can sift through vast amounts of data to pick up on the subtle patterns which betray external cyber attacks or unauthorized user behavior. Some repetitive tasks can be delegated to robotic process automation (RPA) technologies, further reducing the number of boots on the ground needed to manage cyber threats. The affordability of these tools also means that even small businesses can benefit from industry-leading cyber security.
Sophisticated next-generation firewalls can add threat detection and prevention to the perimeter of your network, while virtual private networks (VPNs) can ensure data is encrypted while traveling between premises.
Addressing the human factor
Despite the advancement of technology, it is still human error which poses the biggest threat to a financial firm's data security. Therefore, cyber security needs to become part of company culture. Everyone from the board and C-suite down needs to think of cyber security as a priority. Every employee should regard a successful cyber attack as a serious risk to the business and potentially even their personal life. Training should be of a consistently high quality and frequently refreshed, with occasional cyber intrusion drills to assess company preparedness. Penetration testing and simulated attacks should also be frequently scheduled to highlight vulnerabilities so that they can be dealt with proactively rather than waiting for a malicious hacker to stumble across them.
Access control lists (ACLs) should be regularly reviewed so that all employees are given the minimum access they need to do their jobs. Password hygiene should be enforced in line with the latest best practice guidelines.
By making the most of both your human and technological resources and backing everything up with a solid cyber security and disaster recovery plan, your financial firm will be in the best position to weather the next cyber storm.
Brent is the CEO of DCG Technical Solutions Inc. DCG provides the specialist advice and IT Support Los Angeles area businesses need to remain competitive and productive, while being sensitive to limited IT budgets. The company provides a range of cyber security services including security risk assessments, employee security training and breach response services. Brent has been featured in Fast Company, CNBC, Network Computing, Reuters, and Yahoo Business. He also leads SMBTN - Los Angeles, an MSP peer group that focuses on continuing education for MSPs and IT professionals. DCG was recognized among the Top 10 Fastest Growing MSPs in North America by MSP mentor. Twitter: @DCGCloud