Why financial services should prioritise data security

Rick Goud, Co-Founder & CIO, Zivver

In recent years, a wave of cyber attacks, data breaches and leaks has hit businesses in the financial sector. A report from the NCSC found that 39% of UK-based businesses had a cybersecurity breach or attack in the last 12 months, with the average cost of a cyber attack on a business being £13,400. For firms in financial services, which share hyper-sensitive data, the potential fallout from a data breach or leak can be even worse.

When strategising for data loss prevention in email, IT leaders traditionally focus on incoming, malicious attacks, leaving finance organisations exposed to the leading cause of data incidents. According to ICO reports, these are most commonly non-cyber issues rather than attacks.

The global shift to remote and hybrid working has seen businesses move en masse to cloud services, remote access tools and collaboration apps. The way we work has fundamentally changed, and our reliance on digital communications, including email, is greater than ever. However, in the rush to implement these tools, companies may have overlooked security challenges, configured their settings incorrectly or used free tools with questionable security features. As a result, as digital communication links have rapidly multiplied in the last year, so too has the number of vulnerabilities that cyber criminals can exploit. To close these gaps, the financial services industry needs solutions which combine secure technology with watertight email practices.

Employees have adapted to working from home; however, with our days busier than ever, it’s inevitable that, occasionally, mistakes will happen.

Did you know that most email users are sending around 30-40 emails a day? Now think about the fact that the wealth management sector in particular deals with extremely confidential, high-profile and/or high net worth proceedings. Those 30-40 emails could contain information relating to a client’s savings, investments, income, and financial commitments.

Securing outbound communications

Every financial institution needs secure methods of sending emails and transferring files to customers or other contacts, even if they rely heavily on customer portals. Whether it’s a bank sending out statements to clients, an insurance company offering online consultations, or a notary sharing documents with other parties for an estate transaction, companies everywhere are increasing their use of digital communication channels.

But the built-in security of email platforms fails to deliver sufficient protection against these ‘outbound’ email-borne security breaches. Likewise, many employees do not know how to recognise emails sent with malicious intent and take action, opening new opportunities for inbound threats missed by the platforms’ shields and filters.

High-value fraud attempts via business email compromise (BEC) continue to make it through O365’s native security solutions, leaving firms more exposed to data breaches. Smaller firms such as family offices often hold as much personal information, corporate data, customer information and financial data as banking institutions, despite having smaller budgets or a smaller headcount on their security teams to ensure their digital perimeters are secure. In fact, research revealed only 31 percent of smaller family offices had implemented cyber security measures, versus 60 percent of larger operations.

The fact is that most of today’s security solutions focus on threat protection and are built to keep ‘inbound’ risks – malware, phishing attacks, and spam – at bay, as these are consistently viewed as the biggest risks to email security. But when it comes to misdirected emails (reported by the ICO as the number one non-cyber security incident faced by businesses in the finance, insurance, and credit sectors), it is clear that data loss via human error, or via more insidious insider threats, is a security risk that is consistently overlooked.

It’s not enough to focus solely on inbound threats and keep the attackers from coming in; businesses need to ensure they prevent sensitive data being accidentally or maliciously sent out. But why aren’t existing email security solutions doing this?

Popular email service providers may have outbound email filtering rules – but these are often too rigid to adapt to evolving ways of working, and often depend heavily on IT teams having to constantly update and configure them.
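As an added illustration (not Zivver’s product or code), the Python check below combines the two signals the article discusses: whether the message body contains client financial detail, and whether a recipient looks misdirected (a look-alike of a domain the sender has mailed before, a personal webmail address, or a domain never mailed before). The known-domain list, webmail list, patterns and sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample data (not from the article): domains this sender has legitimately
# mailed before, e.g. derived from the organisation's sent-mail history, plus a short
# list of personal webmail providers.
KNOWN_DOMAINS = {"acme-wealth.co.uk", "northbank.com", "ourfirm.example"}
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.co.uk", "hotmail.com"}

# Patterns for the client financial detail the article says most often leaves via
# misdirected mail. Constructed and deliberately narrow; a production rule set
# would be tuned to the firm's own data.
SENSITIVE_PATTERNS = {
    "uk_sort_code_and_account": re.compile(r"\b\d{2}-\d{2}-\d{2}\b\D{0,20}\b\d{8}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "national_insurance_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
}


@dataclass
class Verdict:
    action: str                                   # "allow", "warn" or "block"
    sensitive: List[str] = field(default_factory=list)
    recipient_findings: List[str] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike (mistyped) recipient domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_recipient(address: str) -> Optional[str]:
    """Return a finding for a recipient that does not fit the sender's history, else None."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in KNOWN_DOMAINS:
        return None
    if domain in WEBMAIL_DOMAINS:
        return f"{address}: personal webmail address"
    near = [d for d in KNOWN_DOMAINS if edit_distance(domain, d) <= 2]
    if near:
        return f"{address}: looks like a mistyped form of {near[0]}"
    return f"{address}: domain never mailed before"


def check_outbound(recipients: List[str], body: str) -> Verdict:
    """Combine content and recipient context: sensitive detail going to a look-alike,
    webmail or unknown domain is the misdirected-email case and is held ("block");
    either signal alone prompts the sender to confirm before sending ("warn")."""
    sensitive = [name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(body)]
    findings = [f for f in (classify_recipient(r) for r in recipients) if f]
    if sensitive and findings:
        action = "block"
    elif sensitive or findings:
        action = "warn"
    else:
        action = "allow"
    return Verdict(action, sensitive, findings)
```

The recipient-history signal is what a static outbound filter rule lacks: the same sort code going to the right client is routine, while going to a one-letter-off domain is the incident the ICO figures describe.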

Financial institutions will always remain a prime target for cybercriminals, in part because of the massive amounts of personally identifiable information stored in their databases. At the same time, threats evolve, which is why firms everywhere should review their data security protocols and, where necessary, invest in effective tools to ensure that sensitive information can be safeguarded at all times.

 

A lack of training and email security solutions is contributing to a rise in email threats targeting the finance sector.

By Mike Fleck, Senior Director, Sales Engineering at Cyren

Email remains the most popular and successful attack vector in the digital landscape, simply because it is the most commonly used digital communication channel across the globe. On average, over 330 billion emails are sent every day. The sheer volume, and the fact that almost every employee within an organisation uses email, makes this channel a popular target for security threats. Finance organisations use email not only for internal communication but also for customer service interactions and marketing. A banking survey in 2021 showed that over 76.8% of users consider email the primary channel for communicating with banks. That’s why financial institutions are at the frontline of email-driven security risks.

In order to attain more insight into the email threats targeting the financial sector and the potential remedies, we talked to Mike Fleck at Cyren, a leader in enterprise email security solutions.

1. What do you see as the main reason for the continued increase in successful email threats targeting the financial sector?

Email threats have become much more dynamic over the years. Although phishing continues to be the most common attack vector in the domain of email threats, the mix of breaches attributed to email attacks has expanded significantly in recent times. In our latest benchmark research, we surveyed 226 organisations that use Microsoft 365 for email. We found that compared to 2019, there was a 71% increase in ransomware-driven email attacks, a 44% increase in phishing attacks, and a 49% increase in credential compromise attacks. Phishing is no longer the only path for email threats, as attacks are now being driven by multiple sophisticated methods, which evidently leads to more successful threats.

The financial sector has always had a red mark on its back to threat actors, mainly because of the highly sensitive information and valuable assets managed by financial organisations. Email serves as the most vulnerable and easily compromised access point for threat actors, which is why the number of email breaches has massively increased over the years. Our research found that the number of email breaches across all organisations has almost doubled each year over the past three years.

Although most organisations are using email client plug-ins for reporting suspicious messages, only 22% of the organisations stated that they analyse all reported messages for malicious content, leaving a major gap in awareness and threat response. Our survey showed that inefficient threat response and a lack of urgency is the most concerning factor for security managers. Threat actors are consciously aware of these shortcomings, which is why they are able to frequently launch successful email attacks targeting the financial sector.

2. Why is the email channel so appealing for fraudsters, and what are the techniques they use to target financial service organisations in this way?

Historically, email has always been the primary channel for business communication, and as businesses continue to attain cloud-based services, email has become a productive norm for file-sharing and communication. Email channels also integrate easily with any cloud application, facilitating businesses to pursue more productive interactions. There is also the fact that email is accessible to most personnel regardless of their technical ability.

This flexibility and continued dependency on email is also the reason why it is an appealing channel for threat actors. Because email channels are integrated with almost every organisation’s platform, breaching an email allows cybercriminals to backtrack into critical network infrastructure and compromise valuable assets. Most threat actors tend to target the user rather than the system, and email channels are used by almost every employee in a financial organisation regardless of their experience, role, technical awareness, or skills. Therefore, targeting emails allows threat actors to utilize a much wider attack surface.

Another major reason is that breaching the email channel is far less complex than breaching secured network endpoints and access firewalls. With techniques like social engineering and phishing, threat actors often don’t have to use significant resources or complex methods to breach employee email accounts. Our research showed that phishing is still the most used technique by attackers; 69% of all email breaches were due to phishing attacks. Other frequent techniques were Microsoft 365 credential compromise (60%), malware (59%), and ransomware (51%).

The means of carrying out these attacks are also easily accessible and available to almost anyone. Threat actors can buy a ransomware kit for as low as $66, and phishing kits are available for as little as $20. So, even the most inexperienced attackers can use such tools to exploit the email accounts of users and gain access to the critical resources of financial organisations.

Simply put, email provides a direct and economical path to the weakest point of every organisation’s cybersecurity program – its people.

3. How important is proactive security awareness training when it comes to defending against email attacks?

The previous consensus was that email threats thrive on the user’s lack of awareness. Cybersecurity leaders believed that the “last mile” problem of phishing attacks can be solved if employees are able to detect and avoid fraudulent emails. Frequent awareness training is important to help employees stay up to date on evolving email attacks and identify malicious content or messages more easily. Over 99% of organisations offer awareness training, but only one in seven organisations offer training monthly or more frequently.

The dynamics of the attack vectors and techniques change constantly with the emergence of new technologies and vulnerabilities. Without frequent training, employees won’t develop a conscious awareness of email threats. We found that organisations that offer email awareness training every 90 days or more frequently are less likely to fall victim to phishing, business email compromise (BEC), and ransomware attempts.

Our research also showed a correlation between frequent training and email reporting frequency. Organisations that offer frequent training also experience a high rate of malicious or suspicious email reports – meaning that employees become more conscious and aware of the potential threats. That’s why frequent proactive awareness training is critical for protecting against email attacks. However, organisations need to appreciate that a higher volume of reported emails will result in a higher number of alerts that Security Operations Centre analysts must investigate.

4. What are the steps you would recommend financial organisations take to implement effective inbox security solutions that bolster their cyber resiliency immediately?

Financial organisations need to act quickly when responding to a potential threat, as even a fractional security breach can cause unprecedented damage to their assets. Organisations are beginning to realise that employees fall victim to these scams because they are busy and distracted – not because they are apathetic or gullible. Also, relying on employees to spot and report suspicious messages is not a complete or efficient solution to the problem. Employees do not consistently report every threat, and what alerts they do generate have a false positive rate of at least 41%. In addition to constant awareness training, organisations must incorporate effective inbox security solutions to increase their cyber resiliency.

When implementing effective inbox security solutions, financial organisations must consider the response and reporting time. They must choose solutions that can detect threats in real time and automate the response to those threats for quick remediation.

An effective approach for financial leaders is to invest in automated solutions that can detect and remove social engineering threats in real time. Automated inbox security solutions can continuously scan inbound and outbound email folders, including their contents such as URLs and web pages. Such solutions can detect and report anomalies, resulting in real-time detection. Automated threat response solutions can strengthen the built-in security capabilities of the email gateway, such as Microsoft 365 Defender. Combining automated solutions with the existing threat response framework can optimise the response process and significantly reduce the time and cost of threat investigation.

 

Main Factors Accelerating API Security Risks in Financial Services

By Yaniv Balmas, VP of research at Salt Security

The API ecosystem is exploding and nowhere has API delivery accelerated as much or as fast as in financial services. Leveraging APIs, financial services organisations can innovate and quickly bring to market unique customer experiences and services. While more than three-fourths of software developers say API development is or will be a top business priority, the figure is even higher in financial services – topping all other industries at more than 80%.

Because successful attacks are so lucrative against financial institutions, they have always been a top target. The growth of the API economy has made the financial sector an even bigger target, which is why minimising API security risks has become the top priority.

Four factors are driving the urgent need for better API security in financial services:

  • API usage in financial services is increasing
  • API attacks threaten digital transformation initiatives
  • API security incidents hurt customer trust
  • Traditional security solutions don’t protect APIs

API Usage Will Increase Even More

In financial services, API growth will continue on its steep trajectory. With each new use case and service, the number of APIs in a typical financial services company grows ever higher.

APIs provide the required data connection to support today’s mobile financial applications and peer-to-peer payment systems. APIs are at the centre of open banking. APIs enable financial services companies to standardise how they connect and exchange data, allowing consumer financial information to be instantly shared across organisations and third-party service providers. With different partners and technology suppliers, API connections are being continuously added to the financial ecosystem.

For financial services, that means even more APIs and a continuously growing attack surface that must be adequately protected.

API Attacks Threaten Key Business Initiatives

Open banking gives consumers more choices and convenience to address their financial needs. It also increases competition across the financial services industry and generates new revenue avenues. In addition, open banking provides more traditional financial institutions the opportunity to compete with faster-moving fintech companies.

Moreover, in financial services, Covid has hastened the adoption of digital transformation, including mobile and remote banking. In a pandemic-mandated stay-at-home world, consumers made their needs clear. They want integrated services and the ability to connect their financial lives when and where they desire. This requires banks and other finance companies to roll out new capabilities or risk becoming obsolete and losing customers and revenue.

Digitalisation has become a critical business initiative and is increasingly important in financial services. However, without the ability to protect the data being used within these services, financial organisations lose that opportunity entirely. Financial data breaches can cost the business in lost revenue from new opportunities and cause irreparable harm to an organisation’s brand.

Just a single API attack has the potential to wipe out all the gains made from an organisation’s digital transformation.

API Security Incidents Damage Consumer Trust

In financial services, the costs of lost trust can be high. Salt Labs, the research arm of Salt Security, provides ongoing API vulnerability research. In its latest report, Salt Labs uncovered a server-side request forgery (SSRF) flaw on a large fintech platform that provides a wide range of digital banking services to hundreds of banks and millions of customers.

The vulnerability had the potential to compromise every user account and transaction data served by its customer banks. Imagine the leaking of customers’ banking details and financial transactions and users’ personal data or, worse, unauthorised funds transfers into the attackers’ bank accounts.

None of these nightmares came to be, because Salt Labs found the problem before a bad actor did, and all issues have been remediated. But this type of exploit, had it occurred, would have likely caused irreparable reputational damage – not to mention financial losses, theft, and fraud.

The nature of financial services applications is to exchange sensitive financial and customer data, making APIs a high-stakes asset requiring protection.

Traditional Solutions Don’t Deliver Adequate API Protection

Most financial services companies have sophisticated runtime security stacks with multiple layers of security tools, such as bot mitigation, WAFs, and API gateways. These traditional tools provide foundational security capabilities and protection for traditional applications; however, they lack the context needed to identify and stop attacks that target the unique logic of each API.

Attacker activity looks like normal API traffic to traditional tools such as WAFs, API gateways and other proxy-based solutions. Their architecture limits them to inspecting transactions one at a time, in isolation, and beyond rate limiting they depend on signatures to detect well-known attack patterns. If a transaction does not match a known attack signature, the WAF passes it through. Since each API is unique, with its own unique vulnerabilities, signatures cannot help prevent API attacks.

API security requires big data to capture all API traffic and artificial intelligence (AI) and machine learning (ML) to continuously analyse the large volumes of API traffic. Without continuous analysis of API traffic, you cannot understand normal behaviour for each unique API and gain the context required to pinpoint attackers.
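An added example, not Salt Security’s code, of the cross-transaction context the article argues per-request inspection lacks: every request in the constructed log below is authenticated, well-formed and answered with 200, so a signature or rate-limit check passes each one, but grouping calls by API route and caller shows one caller reading far more distinct account objects than the population baseline for that route. The route shape, thresholds and log entries are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ApiCall:
    ts: int        # seconds since epoch (constructed values)
    subject: str   # authenticated caller: user or client identity from the token
    method: str
    path: str
    status: int


# Constructed sample log, not from the article. Inspected one at a time, none of
# these calls matches a signature; only the pattern across calls separates the
# third caller from the two ordinary customers.
SAMPLE_LOG: List[ApiCall] = (
    [ApiCall(1000 + i, "user-17", "GET", f"/v1/accounts/{a}/transactions", 200)
     for i, a in enumerate([5001, 5001, 5002])]
    + [ApiCall(1100 + i, "user-42", "GET", f"/v1/accounts/{a}/transactions", 200)
       for i, a in enumerate([7310, 7310, 7311])]
    + [ApiCall(1200 + i, "client-9f", "GET", f"/v1/accounts/{9000 + i}/transactions", 200)
       for i in range(40)]
)

ID_SEGMENT = re.compile(r"/(\d+)(?=/|$)")


def route_of(path: str) -> Tuple[str, Optional[int]]:
    """Collapse the numeric object id so calls group by API route, e.g.
    /v1/accounts/5001/transactions -> ('/v1/accounts/{id}/transactions', 5001)."""
    m = ID_SEGMENT.search(path)
    return ID_SEGMENT.sub("/{id}", path, count=1), (int(m.group(1)) if m else None)


@dataclass
class Finding:
    subject: str
    route: str
    distinct_objects: int
    baseline: float
    sequential_ratio: float   # share of consecutive accesses that step to an adjacent id


def detect_enumeration(calls: List[ApiCall], floor: int = 10, ratio: float = 5.0) -> List[Finding]:
    """Flag callers touching far more distinct objects on a route than the population
    baseline (median distinct-object count per caller). The baseline is learned from
    the traffic itself, which is the per-API context a signature cannot carry."""
    objects: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for call in sorted(calls, key=lambda c: c.ts):
        route, oid = route_of(call.path)
        if oid is not None and call.method == "GET":
            objects[(route, call.subject)].append(oid)
    per_route: Dict[str, Dict[str, List[int]]] = defaultdict(dict)
    for (route, subject), ids in objects.items():
        per_route[route][subject] = ids
    findings: List[Finding] = []
    for route, by_subject in per_route.items():
        baseline = median(len(set(ids)) for ids in by_subject.values())
        threshold = max(floor, ratio * baseline)
        for subject, ids in by_subject.items():
            distinct = len(set(ids))
            if distinct <= threshold:
                continue
            steps = [b - a for a, b in zip(ids, ids[1:])]
            seq = sum(1 for s in steps if abs(s) == 1) / len(steps) if steps else 0.0
            findings.append(Finding(subject, route, distinct, baseline, round(seq, 2)))
    return findings
```

A high sequential ratio alongside the object count is the extra evidence an analyst wants before treating the caller as probing object-level authorisation rather than as a legitimately busy integration.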

In addition, while open banking defines standards around how APIs should be structured to enable predictable integrations and communications, open banking provides no standard to meet the majority of API security requirements. Moreover, basic controls, such as authentication, authorisation, and encryption, fall short of meeting API security challenges.

API Security at the Forefront for Financial Services

APIs have become essential for financial services to meet changing consumer expectations and innovate to remain competitive. At the same time, APIs are now the most frequent attack vector. In the past 12 months, 95% of organisations experienced an API security incident, and API attack traffic grew 681% – more than twice as fast as overall API usage traffic.

Therefore, financial services organisations must put API security at the forefront to protect this growing attack surface. To do so requires dedicated API security tooling for the entire API lifecycle that provides continuous attack surface visibility, early attack prevention, and automated insights for continuous API improvement.
