Barry O’Connell, General Manager EMEA at Trustwave
The modern-day robbery is no longer about criminals storming a bank wearing ski masks, brandishing firearms and filling bags with stolen cash. Instead, criminals now rely on more clandestine yet equally effective methods of stealing from financial institutions.
Figures from Trustwave’s 2019 Global Security Report (GSR) reveal that during 2018 the financial industry was the second most targeted by cybercriminals, accounting for 11 percent of the security incidents investigated by Trustwave; just seven percent lower than the retail sector, which came in at number one. Supporting this finding, Financial Conduct Authority (FCA) data released under a Freedom of Information request by law firm RPC shows that reports of cyberattacks against institutions increased dramatically, by a factor of five, between 2017 and 2018.
Why the finance sector is heavily targeted
Cybercriminals follow the quickest and easiest route to money, so it is no secret that financial institutions make prime targets. While the financial industry in general has leading-edge security deterrents and technologies in place, the potential windfall is undoubtedly worth the time and effort.
Financial institutions also rely heavily on data for day-to-day operations – verifying users, processing transactions, making investments and so on. This data, residing inside databases, is considered another form of currency that can be sold and traded on the dark market. And once successfully inside, the sheer volume of data traversing financial networks creates noise, providing good cover for threat actors to partake in other illicit activities such as installing keyloggers or implanting malware with little chance of immediate detection. It is quite common for cybercriminals to stay hidden for several months or even years before discovery.
Favoured attack methods
Our GSR research shows that the most common method for gaining an initial foothold in organisations is social engineering, accounting for an astounding 46 percent of breach incidents. This is followed by weak passwords (14 percent) and exploiting application vulnerabilities (13 percent).
The financial sector was the only environment compromised exclusively through corporate or internal networks, as opposed to other vectors such as websites or third-party partners. This is not surprising, as locking down access from the outside is typically a primary concern and usually well executed.
Social engineering comes in many forms, but email phishing is highly favoured because it can be leveraged in a variety of ways. This includes attached malware, or a malicious link embedded within the body of a document. Criminals also try to steal a user’s credentials through deception – for instance, masquerading as a member of IT and requesting a username and password to resolve some fictitious problem.
Application vulnerabilities are being leveraged more frequently as potential doorways into institutions. Worryingly, 100 percent of applications tested for the GSR had at least one vulnerability. Most were considered lower risk; however, nine percent were considered high or critical risk, a significant amount to exploit. We only need to look back at EternalBlue, a vulnerability in Microsoft Windows that led to the devastating WannaCry ransomware outbreak of 2017, locking up thousands of machines and systems across the globe.
If our research demonstrates anything, it is the necessity for an organisation to assess where its most valuable data is kept and its risk tolerance in order to plan security measures accordingly.
One of the first actions that should be taken is ensuring all operating systems and applications are running the latest versions, as out-of-date software is likely to contain exploitable vulnerabilities. Software risk assessment should happen in parallel with reviewing password strength, user authentication and expiration policies. Although we frequently read about ingenious hacks in the headlines, most breaches can be prevented by regular patching and strong password management.
Security education to spot phishing emails and other social engineering attempts is also crucial. The most advanced security technologies won’t prevent compromise if employees are blindly clicking on links in suspect emails. Everyone, from the chief executive down through the entire organisation, should partake in regular training on how to spot social engineering and the new techniques criminals are employing.
If attackers do successfully penetrate an organisation, it is imperative that they are detected and contained as quickly as possible. An incident response plan that is understood, practised and frequently reviewed by key stakeholders will go a long way if such an event occurs. Much like natural disaster drills, understanding roles and what is expected during a real situation will limit the impact significantly.
Those who house hard currency or data of any value will always be a target for cybercriminals. As the threat landscape continues to evolve, financial institutions need to continually explore ways to improve their cybersecurity posture. Organisations that place equal focus on technology, people and processes, and the governance structures that tie those investments to key business risks, will have the best chance of keeping one step ahead.