In 2018, about one in five attacks targeted the finance and insurance sector, according to the IBM Threat Intelligence Index 2019. That made it the most targeted industry for the third consecutive year.
It's no mystery why: Hackers go where the money is.
According to Verizon's 2019 Data Breach Investigations Report, financial gain was the most common motive in data breaches across all industries, with 71 percent of breaches financially motivated. And in the financial and insurance sector, the number was even higher: 88 percent.
Furthermore, the majority of midmarket companies (with 250-499 employees) surveyed by Cisco experienced a breach, which indicates that smaller companies are an increasingly attractive target. The survey also found that one-fifth of those victimized said the breach cost them more than $1 million.
For a small business, that's not pocket change—it’s a devastating loss.
To avoid becoming another breach statistic, financial institutions should always follow these best cybersecurity practices:
1. Establish a Formal Security Framework
There are currently several core security frameworks to help financial institutions manage cyber risk more effectively. These include:
The National Institute of Standards and Technology (NIST) Cybersecurity Framework: This framework covers best practices in five core areas of information security – Identify, Protect, Detect, Respond, and Recover.
The Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook: This manual provides a comprehensive list of security guidelines that cover everything from application protection and end-of-life management to vendor management and the rule of least privilege.
Use the NIST and FFIEC guidelines to start establishing baseline security capabilities that make the compliance processes for GLBA, PCI DSS, and SOX standards easier.
2. Arm Your Employees with Knowledge
The vast majority of malware proliferates through online social engineering schemes that manipulate unsuspecting users into opening the door wide for hackers.
One of the most common examples of this is fileless, or zero-footprint, malware. These strains are effective at bypassing firewalls since they take advantage of existing applications rather than attempting to sneak a payload through a web filter.
A user may receive an email from an unknown sender (or worse, from a known contact whose account was compromised) containing a seemingly legitimate Excel spreadsheet or Word document. Upon downloading that attachment, the recipient may be prompted to enable macros, which are legitimate scripts used to run certain tasks.
But in reality, that macro will issue a command to a remote server to download malware.
Employees are your first line of defense against such threats. Everyone across the lines of business must learn how to spot phishing schemes. Attachments without context or vague subject lines, for example, even when sent from an existing contact, are dead giveaways.
Teach these identification techniques and other security best practices—like using password managers and logging out of your devices before leaving them unattended—to employees to significantly curb the risk of user-driven compromise.
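The macro lure described above can also be caught before it reaches a user. The following script is an added example (not from the original article) that triages attachments by checking whether an Office document carries a VBA project; the sample documents and the `classify_attachment` and `build_ooxml` helpers are constructed here for illustration.

```python
import io
import zipfile

# Modern Office files (.docx, .xlsm, ...) are ZIP containers; a VBA project is stored at one of these paths.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container header


def classify_attachment(data: bytes) -> str:
    """Return 'macro-enabled', 'legacy-binary', 'clean' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats can carry macros too but need a real OLE parser; flag for review.
        return "legacy-binary"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if names & VBA_PARTS:
            return "macro-enabled"
        # The content-types manifest also declares macro-enabled formats, catching a renamed VBA part.
        if "[Content_Types].xml" in names:
            if b"macroenabled" in zf.read("[Content_Types].xml").lower():
                return "macro-enabled"
    return "clean"


def build_ooxml(parts: dict) -> bytes:
    """Constructed sample: a minimal OOXML-style ZIP holding the given parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples standing in for a benign report and a macro lure.
SAMPLE_CLEAN_DOCX = build_ooxml({
    "[Content_Types].xml": b"<Types><Override ContentType='application/vnd."
                           b"openxmlformats-officedocument.wordprocessingml.document.main+xml'/></Types>",
    "word/document.xml": b"<w:document/>",
})
SAMPLE_MACRO_XLSM = build_ooxml({
    "[Content_Types].xml": b"<Types><Override ContentType='application/vnd."
                           b"ms-excel.sheet.macroEnabled.main+xml'/></Types>",
    "xl/workbook.xml": b"<workbook/>",
    "xl/vbaProject.bin": b"\x00constructed stand-in for a VBA project\x00",
})

if __name__ == "__main__":
    for name, blob in [("Q3_report.docx", SAMPLE_CLEAN_DOCX), ("invoice.xlsm", SAMPLE_MACRO_XLSM)]:
        print(f"{name}: {classify_attachment(blob)}")
```

Anything classified as macro-enabled or legacy-binary is a candidate for quarantine or sandbox detonation rather than delivery to the inbox.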
3. Perform Continuous Threat Monitoring
Especially in finance, 24x7 threat monitoring is critical, as the real damage is often done when you're caught unaware.
The majority of data breaches are furtive in nature. After hackers worm their way onto your network, they'll attempt to cover their tracks in order to maintain persistence. They sneak in, perhaps by first stealing login credentials through a phishing campaign, and then they attempt to mask their activity using a series of advanced tactics.
Once they're inside, the risk multiplies exponentially as they try to move laterally to other systems with sensitive information. This has potentially catastrophic consequences for firms in financial services, as the next step is to create backdoors through which they can slowly siphon data for use in future attack campaigns or to sell on the dark web.
In some cases, hackers will take more direct action.
In one of the boldest attacks against a financial institution to date, hackers used the SWIFT banking network in 2016 to wire themselves $81 million after breaching the Bangladesh Central Bank using a series of phishing scams.
This incident, and others like it, highlights the significance of real-time threat monitoring. The sooner you detect an indicator of compromise, the more quickly you can take action to prevent harm to your financial institution. And early detection can be the difference between a minor setback and a major nosedive.
4. Assess and Manage Vulnerabilities
The IBM X-Force report found that more than 140,000 software vulnerabilities were reported just in the past three years, a significant increase over previous years. Additionally, organizations had 1,440 unique vulnerabilities on average. The researchers noted this was the direct result of an increased attack surface, as the adoption of new technology such as the Internet of Things (IoT) adds more contact points that attackers can exploit.
With the average organization deploying 129 apps, there are ample opportunities for bad actors to find weaknesses. And that's just the apps IT knows about—shadow IT increases the risk. Gartner estimates a third of successful attacks next year will involve shadow IT.
No organization can address all vulnerabilities, even with the best IT teams and technology in place. That's where vulnerability assessments come in. They help you:
- Gain visibility across your environment, so you know what software and systems have weaknesses.
- Prioritize the most critical vulnerabilities so you can mitigate those first.
Vulnerability management is one of the most effective ways to reduce your attack surface. However, it needs to be done consistently. If you're only performing vulnerability scans periodically, it's still not difficult for opportunistic attackers to find their way in.
5. Manage Third-Party Risks
Financial institutions rely on a variety of vendors, suppliers, and partners—and those relationships bring exposure to the business.
Even if you have a strong security posture, your adversaries can simply find the weakest link in your supply chain.
Consider the case of data and analytics company Ascension, which serves financial institutions. Earlier this year, a misconfigured online server exposed 24 million financial and banking documents dating back more than a decade. The leak was due to a vendor the company used. As a result, customers of numerous financial institutions had personally identifiable as well as financial data exposed.
Across all sectors, Ponemon Institute found that companies share information with an average of 583 third parties, and 59 percent of those surveyed said they've experienced a breach due to a third party. Yet only about a third kept an inventory of their third parties and even fewer—16 percent—said they effectively mitigated the risks.
Steps that minimize third-party risks include:
- Establishing and verifying security posture for vendors and partners.
- Requiring business associates, through your service agreements, to maintain security best practices.
- Segmenting your network and limiting third-party access to critical assets.
- Monitoring your network for anomalies by using a threat detection and response solution.
6. Create a Strong Cybersecurity Culture, Starting at the Top
A strong cybersecurity culture goes beyond an employee awareness program by positioning cybersecurity as “everyone's business,” not just an IT problem. It means all stakeholders—from the board of directors and the executive leadership down to every line employee—view themselves as a critical part of a strong security posture.
The NIST Cybersecurity Framework has four tiers of implementation, with the most rigorous, tier 4, being “adaptive.”
In a survey of CISOs who were members of the Financial Services Information Sharing and Analysis Center (FS-ISAC), Deloitte found one of the core characteristics shared by adaptive organizations with the most-successful cybersecurity programs included active involvement from the board and executive leadership team.
With an engaged board and senior leadership that makes cybersecurity a priority, it's much easier to get buy-in for the resources you need for your cybersecurity initiatives. And when the executive leaders emphasize a cybersecurity culture—and implement programs that align with that culture—it's much easier to get buy-in from all stakeholders across your organization.
7. Devise Comprehensive Incident Response Plans
Incident response (IR) should never be treated like an ad-hoc process. Assume that you will be breached. Because you will.
Your IT organization should already have a well-defined methodology and IR playbooks that can be quickly implemented to quarantine, block, or eliminate malicious network traffic.
But it's not just frontline security analysts and incident responders that need clear IR protocols. Dealing with a major compromise swiftly is a joint, organization-wide effort. This ties back to having a strong security culture in your organization. Every employee, from the CEO to the summer intern, needs to know the standard operating procedure in the event of a cyberattack.
For example, whose job is it to inform clients if the breach has impacted them? If data has been lost, what should an employee do to try to recover it, or whom should they contact? Answering these types of questions ahead of time can reduce post-intrusion confusion and pave a smooth path to recovery.
A Robust Approach to Cybersecurity
For comprehensive cybersecurity, only a fully functioning security operations center (SOC) combines the people, processes, and technology needed to be truly effective at monitoring, detection, and response. Unfortunately, for small to midsize enterprises (SMEs), this isn't always an in-house option because the technology is expensive and requires a skilled security team.
With SOC-as-a-service, SMEs can implement best practices affordably and attain threat monitoring and detection services that can help stop attacks before they do damage. Learn how SOC-as-a-service can help your organization.