Rod Holmes, vCISO, The Crypsis Group.
Financial services organizations consistently outspend most of their vertical sector peers in cybersecurity staff, tools and associated investments, but the cyber hits just keep coming. According to our recent report, the financial services industry received the highest number of business email compromise (BEC) attacks in 2019 and the second-most cyber incidents across all types, following the healthcare sector.
For years, financial services has led the pack in cybersecurity spending. In 2015, for example, a Homeland Security Research study concluded the U.S. financial services cybersecurity market was the largest and fastest-growing nongovernmental market in cybersecurity.
In 2019, financial services companies dedicated between 6% and 14% of their annual IT budgets to cybersecurity (an average of 10%), according to a Deloitte study. (Current recommendations are between 4% and 10%; however, most companies fall short). In light of increasing Covid-19-related threats, these institutions plan to increase it yet again to 10.9% in 2020.
Despite the healthy investments, financial organizations continue to find themselves on virtually every “most-hacked industries” list. What factors contribute to this trend, which threats are of chief concern and what can they do to defend themselves?
Financial Services Disproportionately Targeted
Threat actors target organizations that have what they want — most often money, data they can sell for money and vulnerabilities that let them reach that data. Our research shows that attackers are doing more reconnaissance every year to better target victims, maximizing both the financial return on their effort and their likelihood of success.
The fact that financial services organizations are often breached doesn’t necessarily mean they lag their peers in security diligence. It means they are disproportionately targeted because of their rich financial and data assets, and a percentage of those attacks succeed because of the sector’s specific cybersecurity challenges, yielding a higher overall number of incidents.
Regulations, Flexible Customer Service Models And IT Complexity
Financial services organizations face security challenges on numerous fronts. They have very hefty regulatory requirements, customers who demand more capable and secure digital service models, and third-party vendors that help them meet these demands efficiently (but also bring more security complexity).
Cloud technologies, data analytics and robotics are becoming essential tools for larger institutions as they work to meet the challenges of the digital economy. But these new technologies also expand the attack surface. More complex IT systems are harder to secure end to end, and a focus on regulatory compliance alone can leave gaps.
On the other end of the spectrum, the sector also includes accounting firms, credit unions and asset managers, some of which are smaller and may not have the expansive IT or security staff on-site to provide in-depth security monitoring and management.
Many also use email to conduct financial transactions (an issue that has been compounded during the pandemic), presenting an opportunity for threat actors to insert themselves into the process. They also heavily leverage third-party providers using remote access technologies, which can be configured insecurely without the financial institution’s knowledge — another potential point of vulnerability.
Which Threat Types Loom Largest?
As noted earlier, BEC attacks are a growing threat and, in our 2019 sample, were directed at financial organizations more often than at any other sector. Many were launched against smaller organizations with fewer controls in place, but any organization can be a victim, because this threat type targets unwary people inside the business using increasingly sophisticated spear-phishing tactics.
Insider attacks are also a significant concern. According to the 2020 Verizon Data Breach Investigations Report, 30% of breaches involved internal actors. Our data revealed that insider threats are driven by a range of motives, such as revenge against the employer, a desire to take work product to a new employer and fraud; in the financial services sector, stealing funds is not only a frequent motive but typically the primary one. With the growth of anonymization capabilities and crimeware as a service, the barrier to entry is lowering for an insider looking to turn criminal.
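The BEC tactics described above (a sender posing as a known executive or vendor to redirect a payment) leave traces in the message headers that a mail gateway or a payments team can check before acting on a wire request. The following is an added example, not code from the article or from The Crypsis Group; it flags three common BEC indicators: a Reply-To domain that differs from the From domain, a sender domain that is a lookalike of a trusted domain, and a display name matching a known executive whose real address differs. The trusted domain, the executive list and both sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for the example: the organization's own mail domain and a
# directory of executives whose names are commonly impersonated in BEC.
TRUSTED_DOMAINS = {"examplebank.com"}
EXECUTIVES = {"jane doe": "jane.doe@examplebank.com"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_dist=2):
    """Return the trusted domain this one resembles, or None if it is exact or unrelated."""
    for t in trusted:
        if domain != t and edit_distance(domain, t) <= max_dist:
            return t
    return None


def bec_indicators(raw_message):
    """Parse an RFC 5322 message and return a list of BEC warning strings (empty if clean)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()
    indicators = []

    # Replies silently diverted to an attacker-controlled mailbox.
    if reply_addr and reply_dom != from_dom:
        indicators.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Sender domain one or two characters away from the real one.
    target = lookalike_of(from_dom)
    if target:
        indicators.append(f"sender domain {from_dom} resembles trusted domain {target}")

    # Executive's name on an address that is not the executive's.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        indicators.append(f"display name '{display_name}' used with address {from_addr}")

    return indicators


# Constructed sample: a spoofed "CEO" wire request (not a real message).
SUSPICIOUS_MESSAGE = """\
From: Jane Doe <jane.doe@examp1ebank.com>
Reply-To: Jane Doe <payments@mail-relay.example.net>
To: ap@examplebank.com
Subject: Urgent wire before close of business

Please process the attached wire today and confirm by reply.
"""

# Constructed sample: a legitimate internal message.
CLEAN_MESSAGE = """\
From: Jane Doe <jane.doe@examplebank.com>
To: ap@examplebank.com
Subject: Q3 vendor review

Agenda attached for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, bec_indicators(raw) or "no indicators")
```

Header checks like these catch the cheap impersonations; a compromised legitimate mailbox passes all three, which is why the article pairs technical controls with training and an out-of-band confirmation step for payment changes.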
Finally, inadvertent disclosure of data (e.g., accidental cloud or web application misconfigurations that expose personally identifiable information) significantly affects financial services. These organizations are increasingly using complex cloud and digital customer access solutions, opening more opportunities for security control and settings errors.
What Can Organizations Do To Keep Up?
A common element among the threat types affecting financial services is that they tap into human vulnerability. The risk of BEC, insider threats and inadvertent disclosure of data can all be reduced through more rigorous training.
I advise conducting biannual in-depth security awareness training that goes beyond the basics so employees learn to spot advanced threat tactics. Training should address advanced phishing techniques (getting iteratively harder each time), a broad range of social engineering tactics, signs of insider threat activities (as well as providing anonymous methods to report issues) and physical security. The training program should include customized modules focused on each group in the company, addressing how they may be targeted.
Focused, in-depth training of security and IT personnel on cloud platforms is essential. Managed security services that offer 24/7 monitoring and response capabilities are an excellent way to augment smaller IT operations, but larger organizations often use them as well due to the increasingly specialized skill sets needed in today’s environments.
To help optimize and prioritize security expenditures, security assessments and penetration testing conducted with the appropriate level of rigor can identify weaknesses and better target investments.
No sector is without vulnerabilities, and all are being targeted. However, financial services bears the brunt of attacks because of the financial and data assets it controls. Ensuring that security investments are targeted in the right areas and that staff are trained will help financial services organizations better weather the hacker storm.