We're living in a golden age for hackers, with gigantic data breaches occurring seemingly on a weekly basis. From the Capital One data breach announced in July 2019 (which affected 100 million Americans), to the 2018 attack on HSBC's American operations, customer records are under constant assault.
This means that it's absolutely essential to understand the changing threat landscape encountered by financial companies. This blog sets out to offer a few pointers about the lay of the land, and how banks and insurers are responding. We don't have space for a comprehensive overview, but hopefully we'll provide enough evidence to make CFOs think twice about the efficacy of their cybersecurity strategies.
Sometimes, the most serious dangers to the financial sector emerge from within companies themselves, or third party data handlers that they trust to keep customer records confidential. This was vividly exposed in the recent Capital One data leak scandal, which involved Amazon Web Services.
As it transpired, 100 million US credit card records were harvested from Capital One's records by an Amazon employee who was tasked with managing Cloud storage for the bank.
When the case was investigated, the engineer was arrested, but the bank was pilloried by the authorities for its lack of safeguards. It also cast a huge shadow over the viability of Cloud-based banking - something that Capital One had championed in the past as a way to reduce costs.
In that sense, the scandal wasn't just a wake-up call around cyber-security. It betrayed the folly of pursuing lower costs instead of formulating valid cybersecurity protocols and funding them properly. It's a lesson that all banks using the Cloud need to learn.
Other threats to the financial system are more insidious and targeted. Take "whalers" for example. These criminals target corporate executives and managers at the top of the food chain. They use in-depth social engineering techniques to make contact and form bonds of trust with their targets, before persuading them to take dangerous actions.
This could entail downloading ransomware or tracking agents, or facilitating illegal transactions. In any case, it's bad news.
And it's not a hypothetical danger by any means. The "London Blue" network has been accused of targeting 35,000 executives around the world - mainly in the financial sector. Based in Nigeria, this group of social engineers is itself organised much like a corporation, with lead generators, financial managers, an HR department, and grunts who actually move money around.
The evidence suggests that groups like this are more proactive and dynamic than the companies they target, who rarely put in place effective anti-whaling protocols.
However, according to the FBI, since 2013 around$12 billion has been extracted from banks worldwide by coercing Chief Financial Officers in this manner. It's an industry in its own right, and one that requires a response.
The problem with phenomena like whaling is that they are pushing against an open door. In the financial sector, as with almost all areas of the global economy, companies are still staffed and managed by people who don't take personal responsibility for their cybersecurity. And good leadership from the top is sorely lacking.
As one survey of over 1,000 UK professionals found, 67% of workers have a basic password, which is a short word or contains successive numerals - the kind of password any hacking group could crack in seconds. And, what's worse, 63% of respondents share their password with co-workers.
At the same time, financial companies are happy to delegate authority around cybersecurity to C-level officers. By doing so, executives are able to take a step back and forget about complex issues (as well as their potentially disastrous implications). And this makes sense, in a way. After all, expert IT officers have the skills to investigate dangers that are lacking at boardroom level.
However, that's not the whole story. For one thing, data suggests that C-level employees below exec level are represent the greatest cybersecurity weakness in modern companies. Moreover, delegation means that executives very rarely devise enterprise-wide cybersecurity strategies.
This makes it virtually impossible to take a holistic approach to cybersecurity, taking into account customers, staff members, corporate partners, regulators, and structural issues within financial companies. It may make life easier for those at the top for a while, but in the long-term, if they don't take control, the consequences will be dire.
Spanish bank BBVA may have a solution to some of the vulnerabilities exposed by whaling and malware attacks: creating a vibrant human community that is dedicated to mitigating threats to financial infrastructure.
The company has recently started a program of family days that are devoted to cybersecurity. These events bring together corporate leaders, employees, and family members, providing a forum to share knowledge about how to stay safe online, and key issues such as phishing and password sharing.
This may sound corny, but it isn't. In the end, our efforts to counteract cybersecurity threats will depend on the communities that work in the financial sector. If people can pull together to keep IT systems safe. the risks of malware attacks and ransomware are much, much lower.
The bottom line is that finance will never be completely free from cybersecurity vulnerabilities. Attackers are becoming ever more sophisticated, technology is helping them mount attacks that are harder to detect and more devastating. And the pace of technological change often runs ahead of banks and insurers, leaving them in the dark about what dangers they face.
However, there's no doubt that by fostering a cybersecurity culture and investing in technology to detect malware, encrypt communications, and learn more about the nature of threats, financial companies can hit back. And that's the major challenge for financial companies in 2020. With coordinated effort, serious leadership, and proper investment, we can manage cybersecurity risks, even if they can't be removed completely.
Author Bio: Olivia Scott is a cybersecurity enthusiast at vpnpro.com. Her key competencies include data safety, privacy tools testing, and Wordpress vulnerabilities."
Image source: https://unsplash.com/photos/uPXs5Vx5bIg