Business
How bug bounty programs can help financial institutions be more secure
Published 4 months ago
Rodolphe Harand, Managing Director at YesWeHack
Financial services have been one of the most heavily targeted industries by cybercriminals for several years. One alarming stat from the Boston Consulting Group found these firms to be 300x as likely as other companies to be targeted by cyberattacks.
Furthermore, the pandemic has led to a significant increase in the number of cyberattacks targeting financial institutions (FIs), with around 74% experiencing a spike in threats linked to COVID-19.
With FIs holding some of the largest collections of sensitive and private data, it’s clear they will remain an attractive target for malicious actors, especially as stolen data can be used for fraud. A breach damages the reputation of the compromised institution and has a knock-on monetary and reputational effect on the affected customers.
For CISOs at FIs, the conundrum is how to protect intellectual property and customer data, and ensure accountability and transparency for clients and stakeholders, at a time when the pandemic has created budget constraints. Research from BAE Systems found that last year alone, IT security, cybercrime, and fraud and risk departments had their budgets cut by a third.
Below we look at how bug bounty programs can help to address these pressing issues.
Protecting valuable data
Protecting customer and intellectual data has always been a top priority for FIs. However, as opportunistic cybercriminals have a lot to gain by stealing this valuable data, the threats evolve constantly, which means FIs must stay on their toes. By deploying a bug bounty program, FIs can work with ethical hackers who have a wealth of experience and unique skills in identifying weaknesses within an FI’s defences, which helps to implement effective security measures and prevent data breaches.
Building trust among various stakeholders such as customers, suppliers and investors is critical for achieving business goals. By deploying a bug bounty program, FIs send out a message that they care about protecting the security of the data of those they work with – which in turn can have a cascading effect resulting in better business performance.
Improving accountability
For FIs to win customers and keep them happy, amid the growing threat of neo banks and customer-centric fintech organisations, speed of innovation is crucial. As such, many FIs have adopted an agile approach to build, test and release software faster, bringing online and mobile banking solutions to market quicker. However, this can create friction between development and security teams. Security mandates are seen as unnecessarily intrusive and a cause of delayed application development and deployment.
Yet, with DevOps teams needing to build and deploy applications faster than ever before, an epidemic of insecure applications has emerged. According to Osterman Research, 81% of developers admit to knowingly releasing vulnerable applications, while research from WhiteSource found 73% of developers are forced to cut corners and sacrifice security over speed.
With developers often lacking the time, tools, skills or motivation to write impeccably secure code, there is an evident need to give them more support in building applications securely. Bug bounty programs help here by putting a fact-based price on the security flaws the process produces: each valid report is evidence of a specific, demonstrated weakness, with a reward attached. That makes it possible to hold development teams and service providers accountable for creating or delivering insecure products, addressing the security gaps within business units and driving continuous improvement.
Moreover, the security awareness and education of development teams improves significantly for those developers directly involved in handling the vulnerability reports from their bug bounty program. Exchanging information with ethical hackers, assimilating the thinking of a potential attacker, and seeing proofs of concept that exploit their own application components naturally brings security considerations forward into the early development stages and provides ongoing learning.
Get more return on your investment
According to Gartner, 30% of a CISO’s effectiveness will be measured directly on their ability to create value for the business. When security budgets are challenged, CISOs need to demonstrate business value through initiatives that enhance efficiency while stretching the dollar.
This is where bug bounties can help tremendously. Compared with conventional penetration testing, a bug bounty offers a fast and measurable return on security investment, with businesses paying out only for valid, in-scope vulnerability reports. Equally, businesses get access to hundreds of ethical hackers, each with their own skillset, as opposed to a single researcher testing the network. This results-driven model means you pay for the vulnerabilities that pose a threat to your organisation, not for the time or effort it took to find them. The caveat is that a bounty pays for findings, not for coverage: a quiet program is not evidence that no vulnerability exists, so scope and severity definitions need to be set carefully for the results to be meaningful.
Bug bounty programs also deliver rapid vulnerability discovery across multiple attack surfaces. With this approach, organisations receive prioritised vulnerabilities and real-time remediation advice throughout the process to accelerate the discovery of, and solution to vulnerabilities.
Another appeal of bug bounties is that, because testing is continuous, more vulnerabilities are found over time than with a point-in-time pen test. This is key for financial institutions that need agility to keep up with the continuous roll-out and updating of applications.
The cornerstone to a successful security programme
The risk posed to financial institutions by cyber threats will only continue, as evidenced by the number of data breaches seen in recent times. The COVID-19 pandemic has only exacerbated these risks, especially with almost all FIs having needed to shift to a remote working environment – which has only widened the attack landscape.
For FIs, a bug bounty program should be considered a fundamental cornerstone of any security strategy: a modern cybersecurity approach well equipped to tackle the immediate security challenges they face. In doing so, FIs will not only prove to customers and stakeholders their commitment to data protection and security, but also help themselves avoid the monetary penalties that regulators could impose if a breach were to take place.
Business
A lack of training and email security solutions is contributing to a rise in email threats targeting the finance sector.
Published May 26, 2022 (2 days ago)
Mike Fleck, Senior Director, Sales Engineering at Cyren
Email remains the most popular and successful attack vector in the digital landscape, simply because it is the most commonly used digital communication channel across the globe. On average, over 330 billion emails are sent every day. The sheer volume, and the fact that almost every employee within an organisation uses email, makes this channel a popular target. Finance organisations use email not only for internal communication but also for customer service interactions and marketing. A banking survey in 2021 showed that 76.8% of users consider email the primary channel for communicating with their bank. That is why financial institutions are on the front line of email-driven security risks.
In order to attain more insight into the email threats targeting the financial sector and the potential remedies, we talked to Mike Fleck at Cyren, a leader in enterprise email security solutions.
- What do you see as the main reason for the continued increase in successful email threats targeting the financial sector?
Email threats have become much more dynamic over the years. Although phishing continues to be the most common attack vector in the domain of email threats, the mix of breaches attributed to email attacks has expanded significantly in recent times. In our latest benchmark research, we surveyed 226 organisations that use Microsoft 365 for email. We found that compared to 2019, there was a 71% increase in ransomware-driven email attacks, 44% increase in phishing attacks, and 49% increase in credential compromise attacks. Phishing is no longer the only path for email threats, as attacks are now being driven by multiple sophisticated methods, which evidently leads to more successful threats.
The financial sector has always had a red mark on its back to threat actors, mainly because of the highly sensitive information and valuable assets managed by financial organisations. Email serves as the most vulnerable and easily compromised access point for threat actors, which is why the number of email breaches has massively increased over the years. Our research found that the number of email breaches across all organisations has almost doubled each year over the past three years.
Although most organisations are using email client plug-ins for reporting suspicious messages, only 22% of the organisations stated that they analyse all reported messages for malicious content, leaving a major gap in awareness and threat response. Our survey showed that inefficient threat response and a lack of urgency is the most concerning factor for security managers. Threat actors are consciously aware of these shortcomings, which is why they are able to frequently launch successful email attacks targeting the financial sector.
- Why is the email channel so appealing for fraudsters, and what are the techniques they use to target financial service organisations in this way?
Historically, email has always been the primary channel for business communication, and as businesses continue to attain cloud-based services, email has become a productive norm for file-sharing and communication. Email channels also integrate easily with any cloud application, facilitating businesses to pursue more productive interactions. There is also the fact that email is accessible to most personnel regardless of their technical ability.
This flexibility and continued dependency on email is also the reason why it is an appealing channel for threat actors. Because email channels are integrated with almost every organisation’s platform, breaching an email allows cybercriminals to backtrack into critical network infrastructure and compromise valuable assets. Most threat actors tend to target the user rather than the system, and email channels are used by almost every employee in a financial organisation regardless of their experience, role, technical awareness, or skills. Therefore, targeting email allows threat actors to utilise a much wider attack surface.
Another major reason is that breaching the email channel is far less complex than breaching secured network endpoints and access firewalls. With techniques like social engineering and phishing, threat actors often don’t have to use significant resources or complex methods to breach employee email accounts. Our research showed that phishing is still the most used technique by attackers; 69% of all email breaches were due to phishing attacks. Other frequent techniques were Microsoft 365 credential compromise (60%), malware (59%), and ransomware (51%).
The means of carrying out these attacks are also easily accessible and available to almost anyone. Threat actors can buy a ransomware kit for as low as $66, and phishing kits are available for as little as $20. So, even the most inexperienced attackers can use such tools to exploit the email accounts of users and gain access to the critical resources of financial organisations.
Simply put, email provides a direct and economical path to the weakest point of every organisation’s cybersecurity program – its people.
- How important is proactive security awareness training when it comes to defending against email attacks?
The previous consensus was that email threats thrive on the user’s lack of awareness. Cybersecurity leaders believed that the “last mile” problem of phishing attacks can be solved if employees are able to detect and avoid fraudulent emails. Frequent awareness training is important to help employees stay up to date on evolving email attacks and identify malicious content or messages more easily. Over 99% of organisations offer awareness training, but only one in seven organisations offer training monthly or more frequently.
The dynamics of the attack vectors and techniques change constantly with the emergence of new technologies and vulnerabilities. Without frequent training, employees won’t develop a conscious awareness of email threats. We found that organisations that offer email awareness training every 90 days or more frequently are less likely to fall victim to phishing, business email compromise (BEC), and ransomware attempts.
Our research also showed a correlation between frequent training and email reporting frequency. Organisations that offer frequent training also experience a high rate of malicious or suspicious email reports – meaning that employees become more conscious and aware of the potential threats. That’s why frequent proactive awareness training is critical for protecting against email attacks. However, organisations need to appreciate that a higher volume of reported emails will result in a higher number of alerts that Security Operations Centre analysts must investigate.
- What are the steps you would recommend financial organisations take to implement effective inbox security solutions that bolster their cyber resiliency immediately?
Financial organisations need to act quickly when responding to a potential threat, as even a fractional security breach can cause unprecedented damage to its assets. Organisations are beginning to realise that employees fall victim to these scams because they are busy and distracted – not because they are apathetic or gullible. Also, relying on employees to spot and report suspicious messages is not a complete or efficient solution to the problem. Employees do not consistently report every threat, and what alerts they do generate have a false positive rate of at least 41%. In addition to constant awareness training, organisations must incorporate effective inbox security solutions to increase their cyber resiliency.
When implementing effective inbox security solutions, financial organisations must consider the response and reporting time. They must choose solutions that can detect threats in real time and automate the response to those threats for quick remediation.
An effective approach for financial leaders is to invest in automated solutions that can detect and remove social engineering threats in real time. Automated inbox security solutions can continuously scan inbound and outbound email folders, including their contents such as URLs and web pages. Such solutions can detect and report anomalies, resulting in real-time detection. Automated threat response solutions can strengthen the built-in security capabilities of the email gateway, such as Microsoft 365 Defender. Combining automated solutions with the existing threat response framework can optimise the response process and significantly reduce the time and cost of threat investigation.
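As an added illustration of the kind of check such an automated scanner performs on a reported message (this is example code written for this page, not Cyren's product or anything the interview specifies; the institution domain examplebank.com and both sample messages are constructed), the following Python script triages one raw email for indicators that inbox scanners commonly look for: a Reply-To that differs from the From domain, a display name that impersonates the bank while the sending domain is unrelated or a lookalike, an HTML link whose visible text is a URL on a different host, and URLs that point at a raw IP address. It uses only the standard library.

```python
# Added example (not Cyren's code): triage a user-reported message for common
# phishing indicators using only the standard library. The institution's domain
# (examplebank.com) and both sample messages below are constructed.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OWN_DOMAINS = {"examplebank.com"}  # assumed: the institution's own sending domains

# Constructed sample: a message an employee reported via the mail client plug-in.
REPORTED_EML = b"""\
From: "ExampleBank Security" <alerts@examp1ebank-secure.com>
Reply-To: recover@mail-verify.net
To: jane.doe@examplebank.com
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Your online banking access is suspended. Sign in at
<a href="http://192.0.2.10/login">https://examplebank.com/login</a> within 24 hours.</p>
</body></html>
"""
# Constructed sample: a legitimate notification, to check for false positives.
BENIGN_EML = b"""\
From: "ExampleBank Statements" <statements@examplebank.com>
To: jane.doe@examplebank.com
Subject: Your monthly statement
Content-Type: text/plain; charset="utf-8"

Your statement is ready at https://online.examplebank.com/statements
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _domain_of(header):
    _, addr = parseaddr(str(header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _lookalike(host, own):
    """Crude check: digit-for-letter swaps, or the brand label reused in another domain."""
    if host == own or host.endswith("." + own):
        return False
    norm = host.replace("1", "l").replace("0", "o")
    return norm == own or norm.endswith("." + own) or own.split(".")[0] in norm

def triage(raw):
    """Return (indicator, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = _domain_of(msg["From"])
    reply_domain = _domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"{from_domain} -> {reply_domain}"))
    display_name, _ = parseaddr(str(msg["From"] or ""))
    for own in OWN_DOMAINS:
        if own.split(".")[0] in display_name.lower().replace(" ", "") and from_domain != own:
            findings.append(("brand-impersonation", f'"{display_name}" from {from_domain}'))
        if _lookalike(from_domain, own):
            findings.append(("lookalike-sender", from_domain))
    # Gather URLs from HTML hrefs and plain-text bodies; an href whose visible text
    # is itself a URL on a different host is the classic disguised link.
    urls = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                urls.append(href)
                if re.match(r"https?://", text) and _host(text) != _host(href):
                    findings.append(("link-text-mismatch", f"{text} -> {href}"))
        elif ctype == "text/plain":
            urls.extend(re.findall(r"https?://[^\s<>\"']+", part.get_content()))
    for url in urls:
        host = _host(url)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):  # IPv4 literal instead of a name
            findings.append(("ip-literal-url", url))
        if any(_lookalike(host, own) for own in OWN_DOMAINS):
            findings.append(("lookalike-url", url))
    return findings
```

Run against every message that comes in through the reporting plug-in: the benign sample returns no findings, while the reported sample trips five indicators, which is enough to queue it ahead of the unflagged reports. That is the practical answer to the 22% figure above: cheap, deterministic checks like these let every reported message be analysed automatically, so analysts spend their time on what is flagged or ambiguous rather than on the whole pile.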
Automation: the future of supply chains?
By Andrew Scargill, Logistics Operations EMEA at Digital River
Caught between the chaos of coronavirus and fallout from Brexit, international supply chains are under serious strain. Add into the mix a global labour shortage that shows no sign of abating, and the cross-border flow of goods is set to get even trickier.
As economies reopen post-pandemic, employers across all sectors are struggling to fill vacancies. The residual consequences of COVID-19 are a big part of this — the public health emergency has fundamentally altered how and where people want to work. Britain’s departure from the European Union is also a factor, with UK companies unable to freely draw on the continent’s vast workforce like before.
Such is the interconnected nature of global commerce that upsets in one market can be felt thousands of miles away. So, lacking the staff to pick, pack, load and deliver their products, businesses around the world are facing a festive season that is far from jolly.
Keeping up with demand
As brands navigate these colossal challenges, they are also working to meet customer demand that saw unprecedented growth as the pandemic took hold and continues to rise.
Last year, as lockdowns were called and public life retreated behind closed doors, shoppers took to the internet like never before. A peripheral interest for many people prior to the pandemic, eCommerce was suddenly a necessary part of everyday life.
Shoppers have grown accustomed to rock-bottom prices and next-day delivery. This raises the obvious question: can supply chains continue to meet customer expectations amid an era of unprecedented disruption?
The answer is yes — but it’ll require some serious investment in innovative new technologies, and it could come with a cost shoppers and brands aren’t willing to pay.
Robots to the rescue?
The merits of AI and machine learning are well documented: smart systems can speed up menial tasks, reduce the risk of human error, drive higher levels of productivity, and help businesses bolster their bottom lines.
There is, however, a human cost to the advance of automation, with fewer paying positions for real people. This is particularly pronounced in key supply chain sectors, such as warehousing.
Today, storage and distribution facilities are huge providers of jobs — but tomorrow, that may not be the case. So-called ‘dark warehouses’, great fulfilment centres staffed by semi-autonomous robots, are developing fast.
Whereas human workers require power-hungry lights to operate, machines can pick and pack products perfectly well in the dark, allowing this new breed of warehouse to run twenty-four hours a day, seven days a week.
Customers’ call
Such a continuous operation would offer clear commercial benefits. But what of the warehouse’s human workforce?
That, ultimately, is a question that companies must address with guidance from their customers. While shoppers want that last minute late-night order delivered the very next day, they are increasingly concerned about company values, including how an employer treats its staff.
If customers are truly worried about robots taking workers’ jobs, they would have to commit to paying a little more or waiting a little longer for delivery from a brand committed to human employees. That is assuming shoppers are even aware of what level of automation is involved in fulfilling their order.
Customer demands are directing how companies adopt new supply chain technologies, with those that improve service and provide a better buying experience coming out on top.
To really tap into the needs and wants of their customers, businesses must use data in a meaningful way. This means deploying data mining tools that can predict buying patterns, allowing brands to fine-tune supply chains so that the right products are in the right place at the right time. Attention to creating more efficiencies in the supply chain through data and automation could lead to more jobs in engineering, design, management and repair.
Get this right, and businesses will have their customers on board as they explore new supply chain technologies and the potential of automation.