Cybercriminals grow in both number and sophistication, and their targeting has become more strategic, focusing on maximum effectiveness and profitability. As data pours in on global cybercrime, the financial services industry has solidified its position as a target of choice.
Even though financial services consistently outspend most of their vertical sector peers in cybersecurity staff, tools and associated investments, the cyberattacks keep coming.
Here are three key reasons why financial services are a top target for cybercriminals, the most prevalent cyberattack types and how organizations can fight back.
It’s no coincidence that financial services are disproportionately targeted by threat actors. The rationale is quite simple. Threat actors target organizations that have what they want and what pays big – data and money. Data can be sold for money, and so can the vulnerabilities that enable access to both data and money.
Threat actors are becoming more sophisticated with their approach to targeting and how they determine the most profitable industries, organizations and individuals. Cybercriminals are doing more research and reconnaissance every year to better target victims, maximize their financial return and improve their likelihood of success.
With a plethora of rich financial and data assets, financial services are the optimal target. Not only do they control and manage valuable data, but they are also challenged to meet the growing demands of customers for an engaging digital experience.
Customer demand for convenient and immediate access to financial data is driving digital transformation for financial services. Cloud technologies, data analytics and robotics are becoming essential tools for larger institutions as they work to meet the challenges of the digital economy and customer expectations. However, these new technologies expand the attack surface and the ability of threat actors to capitalize on vulnerabilities.
Additionally, financial services are now partnering with traditional competitors, fintech companies and even big tech companies to provide more engaging digital experiences for their customers. Customer data is collected by financial services and shared with partners to gain insights, tailor offerings and so on. However, this opens the door for data loss, misuse and even business disruptions.
More capable, secure digital service models and third-party partners are required to help financial services meet digital demands efficiently, but that often leads to more security complexity. These increasingly complex IT systems are harder to secure end-to-end. In addition, focusing solely on regulatory compliance can leave gaps.
Another potential point of vulnerability is the use of third-party providers via remote access technologies. These technologies can be configured insecurely without the institution’s knowledge, exposing the financial services organization that relies on them.
In contrast to larger institutions, smaller financial institutions (including credit unions and asset managers) may not have the expansive IT or security staff onsite to provide in-depth cybersecurity services. These smaller firms may also use email to conduct financial transactions, presenting an opportunity for threat actors to insert themselves into the process.
Securing digital assets is not a one-and-done process. It requires ongoing monitoring and management to keep pace with the constant evolution of both the digital landscape and in-use systems.
However, sourcing the right internal IT security personnel and third-party cybersecurity vendors to support this technology can be challenging for organizations of all sizes.
Implementing IT infrastructure takes time and expertise. It requires organizations to source the right team members to educate and lead the organization through new processes. Additionally, monitoring and managing data security requires constant training, vulnerability testing and a focus on staying ahead of new and evolving threats. As new cloud-based technology is adopted, team members must also understand the “Shared Responsibility Model” and how to execute cloud security controls and settings that protect sensitive data.
Financial services are affected by a full span of threat types, including business email compromise (BEC) and insider threats.
According to the FBI, BEC is “a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.” Attackers frequently carry out this scam by compromising legitimate email accounts to perform unauthorized transfers of funds, though BEC can include other variations as well. With so many email accounts directly accessible from the internet, stolen credentials can lead not only to loss of funds, but also a breach of sensitive data.
Insider threats occur when a member of your organization removes or reveals data or information. This is done for personal or financial gain, or to damage the reputation of your organization. Insider attacks can include leaks of confidential information, theft of intellectual property and unauthorized access to sensitive information.
In addition to these attack types, financial services are disproportionately affected by inadvertent disclosure of sensitive data – the accidental exposure of sensitive data, often through misconfigurations of cloud settings or web-facing applications. Because financial services rely heavily on cloud solutions and customer-facing applications to keep up with data management and customer service models, the opportunity for error is increased. Threat actors continually scan for such opportunities to compromise exposed data.
To appropriately protect your financial services organization from cyberthreats, it’s important to implement cyber hygiene measures and security best practices, including Zero Trust, multi-factor authentication (MFA), DevSecOps, etc.
Investing in cybersecurity testing and training is also essential. This includes conducting biannual, in-depth security awareness training that goes beyond the basics, so employees learn to spot advanced threat tactics. The training program should include customized modules focused on each group in the company, addressing how they may be targeted. Training examples should cover advanced phishing techniques (made progressively harder to spot with each session), a broad range of social engineering tactics, signs of insider threat activity (including anonymous methods to report issues) and physical security.
Focused, in-depth training of security and IT personnel on cloud platforms is also essential.
No industry is without vulnerabilities, but financial service organizations are frequently targeted by cyberattacks because of the financial and data assets they control. Ensuring that security investments are targeted in the right areas and that staff is trained appropriately to monitor and manage threats will help financial service organizations to better weather the hacker storm.
To help optimize and prioritize security expenditures, security assessments and penetration testing can identify weaknesses and better target investments when conducted with the appropriate level of rigor. Contact Unit 42 for more information about how to proactively assess your cybersecurity readiness and needs.