The financial services industry is a juicy target for cybercriminals, due to the tantalizing balance between risk and reward and the rapid evolution of technology – both for businesses and consumers – which presents an assortment of new potential vulnerabilities.
Cybersecurity is therefore a priority, as evidenced by growing IT budgets and the battle to recruit experts capable of combating bad actors in a changing threat landscape. What are the best practices in this area and how can we ensure business protection?
“While we often read that manufacturing or industrials are targeted, the financial services sector may in fact be considered the ‘most at risk’ or targeted by groups around the world, simply because it is the fastest route to a payday,” says Ric Longenecker, Chief Information Security Officer at Open Systems.
“Unfortunately, it’s nearly impossible to completely secure data until we implement homomorphic encryption,” adds Kevin Curran, IEEE senior fellow and professor of cybersecurity at the University of Ulster. “Cybercriminal tactics are constantly evolving, so it’s really up to the owners of the data to keep it secure.”
In other words, FS companies are a tempting target and there is no practical well to fully protect your business, so what can you do?
Understanding the basics is fundamental, and that starts with understanding both the attack surface and all of the vulnerabilities that criminals are likely to prioritize within your organization, throughout its supply chain and even the customer base.
Hybrid work structures, for example, present new complexities. In 2020, at the start of the Covid-19 pandemic and while the lockdown was in full swing, 44% of financial services organizations suffered cyberattacks, according to Akamai Technologies.
Denial of service attacks increased 110% in the same year, with overall online targeting growth climbing 62%, with Akamai spotting a total of 736,071,428 web raids on businesses in this industry alone.
Protecting an organization from such an onslaught is no small feat, but your defenses should include three general elements: people, technology, and planning. Recruiting cyber talent is obvious, if challenging, but perhaps less so is the equally critical need to train non-technical personnel to mitigate, identify and respond to threats.
“Cybersecurity isn’t the sole responsibility of the security team,” said Richard Meeus, director of technology and security strategy EMEA at Akamai. “Enterprises are vulnerable due to a mix of outdated technologies, “good enough” defense strategies focused only on perimeters and endpoints, a lack of company-wide training and awareness, and a bad security label.”
Coaching people on the risks of cybercrime, with regular refreshers, helps strengthen your defenses, which is especially useful when hiring high-level security professionals becomes increasingly difficult.
Trellix found that 85% of cybersecurity professionals globally believe labor shortages are impacting their organization’s ability to secure complex information systems and networks.
“[It’s] a potentially lethal notion in the current climate,” says Fabien Rech, EMEA Vice President of the organization. “IT teams are under increasing pressure and under-resourced. Going from mounting threats during the Covid period to responding to the crisis in Ukraine has fatigued cybersecurity professionals, increasing the chances of a serious threat slipping through the net.
Alongside competent, aware and qualified people, new technologies provide an important layer of protection. Like car thieves, cybercriminals most often focus on soft targets, which means making your business difficult to take down might be enough.
Richard Meeus Akamai says there are some solid options here: “Organizations can reduce the attack surface by ensuring staff use FIDO2 multi-factor authentication. [passwordless solutions, such as fingerprint login] whenever possible and by conducting regular phishing awareness campaigns.
“Layered defenses and segmentation make web attacks costly for opportunistic attackers and act as a compelling deterrent. MFA is a key tool in Zero Trust Network Access, a strategy that limits and controls access, enforces continuous authentication and authorization and puts in place defenses so that incident detection is as fast as possible.
Investing in modern and powerful detection tools to detect an ongoing ransomware attack, clear data visibility and segmentation, and deception tools including honeypots will save valuable time in the event of a attack, he adds.
But for the right people and the right technologies to work seamlessly, you need a plan that encompasses prevention, identification, and response. Experts recognize that no organization is tight and that IT teams need to think when, not if, an attack will happen.
“It’s essential that, even if an organization has personnel skilled in compliance, that operational or ‘hands-on’ security, compounded by reasonably funded IT services and outsourcing, remains a strong and well-understood consideration,” says Ric Longenecker, Information Security Manager at Open Systems.
“Ultimately, compliance is underpinned by good technical management and principles – and that’s what keeps an organization afloat when under attack.”
A plan must incorporate all of these factors, while negotiating the delicate balance of keeping people safe while allowing business as usual.
According to Fabien Rech of Trellix: “To mitigate ever-evolving threats, financial organizations must implement a living security strategy, transforming the once static shield into an adaptable shield.
“Extensive detection and response can provide enterprises with a holistic ecosystem that consolidates all security products into an interconnected, continuously communicating platform that continuously learns and adapts to new threats. As a result, they can stay ahead of their adversaries, adapt to new threats, and accelerate detection and remediation throughout the defense lifecycle.
The problem of cybercrime is not completely solvable, but companies that combine a sophisticated and adaptive combination of technologies, protocols and relevant teams will avoid many of the pitfalls that others fall into.