Increasing security threats, hybrid working, uneven economic outlooks, geopolitical conflicts and ever-increasing regulatory compliance mandates have all put untold strain on the financial services industry in recent years. While organisations in this sector are typically ahead of other industries in cyber defence maturity due to their highly regulated nature, they continue to be considered high value targets by cyber criminals and nation-state attackers.
Financial services organisations are particularly impacted by security issues due to highly distributed infrastructures, high-value assets, a prevalence of exploitable IoT devices, and the human factor, which continues to be the weakest link in security defences. The industry must be more proactive when it comes to future-proofing and digital transformation, to ensure that attackers are out-innovated. There is a need for collective action, international and cross-industry collaboration, and policy intervention moving forward.
The weakest link
A large percentage of successful cyber-attacks against financial services organisations are due to user error. These typically begin with a successful phishing attack that provides an initial foothold into an organisation, enabling a full-scale ransomware or malware attack.
Criminals need only find one human—preferably one with high privileges—using poor password hygiene, or who can be tricked into releasing information, to gain this foothold. From there, ransomware, malware and other tactics can result in breaches and failed audits. Data loss from breaches continues to be problematic due to low encryption rates and overly complicated key management practices, which tend to run at odds with one another.
Mitigating this risk is difficult: while cyber resilience training is a good first step, it cannot completely remove the risk of human error. This is where digital transformation comes in. Although there might be a concern that greater reliance on technology increases risk, in this case it is actually the opposite. By integrating technologies such as AI and automation to undertake processes prone to human error, organisations can strengthen their business processes and significantly bring down the risk of attack.
According to our recent data threat report, the majority of security leaders across financial services organisations ranked malware and ransomware as the leading cause of cyber-attacks. This is unsurprising, as these attacks are relatively low cost but can result in big pay-outs for threat actors. In fact, in recent years, ransomware has almost completely changed breach economics.
Given the highly regulated nature of financial services, the risks of losing highly sensitive data, as well as the reputational damage as a result of these attacks, are extremely high. For many financial services organisations, just paying the ransom is potentially less damaging than risking any additional impacts.
For example, Flagstar Bank, a major mortgage lender in the United States, was attacked by ransomware in 2020. An initial foothold was gained through a software vulnerability in Accellion’s account software, followed by a ransomware attack which resulted in system outages due to encrypted data, plus the extraction of up to a decade of sensitive customer data. The attackers threatened to release this data as a further incentive to pay the ransom. Such significant pay-outs from high-value organisations further encourage similar attacks from threat actors.
As well as the current threat landscape and ongoing security challenges, emergent technologies including AI, Blockchain, Quantum and 5G all have the potential to change the face of cyber security in Financial Services and completely revamp current practices.
For example, a single powerful quantum computer may be able to break the current public key encryption algorithms (cryptography) used by virtually every financial institution today, threatening to compromise everything from client data to the secure websites and software they use to interact with customers, to the hardware used to authenticate, encrypt and decrypt payments. However, it is important to say that pulling off this type of attack would still be very challenging even for the most accomplished cybercriminal.
Financial institutions are required to store certain data for decades, creating a ticking time bomb as quantum technology continues to develop. While these threats might seem years away, it’s vital that organisations look at developing a robust quantum strategy now, in order to prepare for these future challenges.
Adopting a zero trust approach
Financial services organisations typically have highly distributed infrastructures that include retail storefronts, IoT devices, and a hybrid workforce that can work from literally anywhere. Adopting zero trust principles can be a key strategy by ensuring “least privilege” access to highly distributed, high-value data and assets. Not surprisingly, financial services organisations with a formal Zero Trust strategy are less likely to have been breached.
The transition of standalone devices such as ATMs and kiosks, which once relied on proprietary, dedicated connections, to IoT has also greatly increased the size, complexity, and elasticity of underlying networks, while also greatly increasing the attack surface. These environments are generally well served by zero trust security strategies.
As organisations move forward, they’ll need visibility not only across their infrastructure, but throughout their organisation. Establishing a common understanding is a key part of effectively setting priorities and executing security projects. When security teams are aligned with the key parts of the business, they can work together to effectively and efficiently address whatever issues the future holds.