It’s clear that financial institutions are prime targets for cyberattacks. According to a recent report from Thales, 42 percent of U.S. financial service institutions have already experienced a breach (that they know of), and 12 percent have been victims of multiple data breaches. The alarming reality is that attacks continue to bypass traditional cybersecurity solutions and go unnoticed for weeks or even months, forcing a frantic scramble to mitigate the damage to customers and operations once found. Some key industry trends will continue to present challenges for financial institutions as they try to get control of their cybersecurity posture.
The rise of network connected devices and IoT
Financial institutions continue to enhance and evolve the customer experience by allowing users to access account information from anywhere, via any device. This increased use of personal digital access to sensitive data is creating new opportunities for banks to better engage with users, increase customer loyalty, and create business opportunities with new services. A plethora of network connected devices such as ATMs, surveillance systems, and banking kiosks are increasingly interconnected to improve business productivity, drive efficiencies, and reduce operational costs. These are all huge wins for financial institutions and consumers, but at what price to security?
As enterprises increasingly enable direct access to financial operations over the public internet, they have, in turn, opened new vulnerabilities that make it easier for attackers to penetrate and exploit critical enterprise operations. In 2018, we predict that these entry points will be attacked more broadly, exposing all parts of the network, even those seemingly far removed from an ATM, mobile device, or customer PC. This will increase enterprise susceptibility to targeted and often undetectable attacks that can create wide-scale disruption.
New, advanced malware targeting endpoints
New and advanced threats targeting financial services organizations are emerging daily, such as fileless code, weaponized documents, memory-based attacks, and stolen signing certificates. One recent example is a phishing attack directed at organizations involved in the upcoming Winter Olympics, named ‘Operation PowerShell Olympics’ by McAfee Labs. This type of malware was brand new to the market, demonstrating how malicious code can be custom-made to hand control of the victim’s device over to the attackers.
Endpoints are especially vulnerable because conventional endpoint security solutions typically attempt to look for a pattern associated with existing malware and attack profiles. Attackers now have tools that allow them to rapidly morph malware code, ensuring it or its effects will not be seen as an anomaly discoverable by traditional security systems. Malware that resides in computer memory, not the hard drive, can be constructed in a running application on the spot with each instance varied, making it frequently impossible to defeat using endpoint detection and response (EDR), breach detection systems (BDS), anti-malware, machine-learning anti-virus, and other detection-based endpoint protection approaches.
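The paragraph above explains why a detector keyed on a fixed pattern of the malware itself fails once each instance is varied. The following script is an added illustration (not code from the original article or from any vendor it mentions): it runs a hash-based signature and a behaviour-based rule over three constructed process events. The event format, the sample command lines, the "known bad" payload and its hash are all constructed for this example; the behavioural rule keys on the parent/child process relationship and evasive command-line switches rather than on the payload bytes.

```python
"""Signature matching versus behavioural detection over constructed process events.

Added illustration (not from the original article): a hash signature misses a
payload that differs by a single byte, while a rule keyed on what the process
does (Office parent -> script host -> evasive arguments) still fires.
All events and sample values below are constructed for this example.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent: str      # image name of the parent process
    image: str       # image name of the newly created process
    cmdline: str     # full command line of the new process
    payload: bytes   # in-memory script body as seen by the sensor (constructed)


# "Known bad" signature: SHA-256 of yesterday's payload (constructed value).
KNOWN_BAD_PAYLOAD = b"<stage-1 script body, constructed for this example>"
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD_PAYLOAD).hexdigest()}

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line traits that a document viewer has no business spawning.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|downloadstring|iex\b)"
)


def signature_match(ev: ProcessEvent) -> bool:
    """Pattern-based check: fires only on byte-identical payloads."""
    return hashlib.sha256(ev.payload).hexdigest() in KNOWN_BAD_HASHES


def behaviour_match(ev: ProcessEvent) -> bool:
    """Behaviour-based check: Office parent, script-host child, evasive arguments."""
    return (
        ev.parent.lower() in OFFICE_PARENTS
        and ev.image.lower() in SCRIPT_HOSTS
        and SUSPICIOUS_ARGS.search(ev.cmdline) is not None
    )


def triage(events):
    """Return, per event, which detector(s) fired."""
    return [
        {"event": i, "signature": signature_match(ev), "behaviour": behaviour_match(ev)}
        for i, ev in enumerate(events)
    ]


# Constructed sample: three events.
SAMPLE_EVENTS = [
    # 1. Yesterday's payload, unchanged: both detectors fire.
    ProcessEvent("WINWORD.EXE", "powershell.exe",
                 "powershell.exe -NoP -W Hidden -Enc QUFB...", KNOWN_BAD_PAYLOAD),
    # 2. Same behaviour, payload regenerated with one byte changed:
    #    the signature misses, the behavioural rule still fires.
    ProcessEvent("WINWORD.EXE", "powershell.exe",
                 "powershell.exe -NoP -W Hidden -Enc QUFC...", KNOWN_BAD_PAYLOAD + b" "),
    # 3. Benign administrative use from the desktop shell: neither fires.
    ProcessEvent("explorer.exe", "powershell.exe",
                 "powershell.exe -File C:\\scripts\\backup.ps1", b"Get-ChildItem ..."),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The second event is the case the paragraph describes: the sensor sees a payload that has never existed before, so nothing pattern-based can match it, yet the sequence of actions around it is unchanged and is what the behavioural rule records.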
Also, consider that any great, new cybersecurity technology is also available to the ‘bad’ guys. According to a report by CSO Magazine, cyber criminals steal hundreds of millions of dollars annually with near impunity. For every one that gets caught, 10,000 or more go free. With little risk for these high-value crimes, attackers will continue to devote the time and resources needed to crack firewalls, defeat detection, elude artificial intelligence, or find any other vulnerability to get to the “gold.”
Growing risk from insider threats
A survey by the Ponemon Institute found that 67 percent of respondents believe their company is more likely to fall victim to a cyberattack or data breach in 2018. Over 60 percent are more concerned about a data breach from a third party outside their operations. But insider threats — whether malicious or unintentional — can be just as damaging. One of the most high-profile examples of this is the Target breach in 2013, when cyber attackers gained access to the company’s computer gateway through legitimate credentials stolen from an authorized vendor, affecting more than 41 million of its customer payment card accounts.
Attackers are masterminds at finding the weakest penetration point into a network, such as poorly managed endpoints or the often neglected underbelly of operational technology infrastructure where partners or vendors are involved. Stronger authentication technology has often been seen as expensive, complex, and poorly tolerated by users. So, the protection of the enterprise’s most sensitive operations is often left reliant on weak authentication alternatives dependent on users’ IDs and passwords. Financial organizations that continue to rely primarily on user-based and software-defined authentication will struggle to maintain authentication effectiveness and will remain exposed to potentially avoidable cyber events.
Adoption of advanced network segmentation and isolation
A common pattern has emerged at the root of nearly every major cybersecurity attack in business and government in the last few years. Attackers start at the lowest common denominator, such as a poorly managed device, and work their way to the core of operations to extract information. A financial organization’s cyber resiliency is no better than its weakest link.
The reality is that there are certain parts of a business which have no reason to be visible to the rest of the world and therefore should not be connected to even a well-defined perimeter. Compartmentalizing the network with a “zero trust architecture” approach is a recognized concept, as noted by industry analyst firm Forrester. But the rapidly evolving sophistication of cyber threats is generating a new emphasis to take network segmentation to the next level. Financial institutions are being driven to explore more comprehensive approaches and practices, such as those used in defense and intelligence agencies. This includes completely isolating the operational technology (OT) that supports enterprise operations, which was never intended to be publicly accessible, from the vulnerabilities inherent in an IT environment that must remain open to public access in order to serve customers.
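The two paragraphs above describe segmentation as a default-deny allow-list between zones and OT isolation as the absence of any chain of permitted flows from the public-facing side into OT. The script below is an added example (not the article's code or any vendor's product) that models exactly that: zone names, host names, ports and both rule sets are constructed. The weak rule set lets the corporate LAN, which the DMZ can reach, talk straight to the ATM controllers; the hardened rule set reaches OT only through a jump host from an administrative zone that no public-facing zone can reach, and a breadth-first search over the allowed flows reports whether such a chain exists.

```python
"""Zone-based segmentation policy with default deny and a reachability check.

Added illustration (not the article's code or any vendor's product): models the
"isolate OT from the public-facing IT environment" principle as an explicit
allow-list between zones, then searches for any chain of allowed flows from the
public zone into the OT zone. Zone names, hosts, ports and both rule sets are
constructed for this example.
"""
from collections import deque

# Constructed zones and the hosts assigned to them.
ZONES = {
    "internet": {"customer-pc", "customer-mobile"},
    "dmz":      {"web-frontend", "api-gateway"},
    "corp-it":  {"crm-app", "staff-workstation"},
    "admin":    {"ot-engineer-pc"},
    "ot-mgmt":  {"jump-host"},
    "ot":       {"atm-controller", "cctv-nvr", "kiosk-manager"},
}

# Allow-lists as (src_zone, dst_zone, dst_port). Anything not listed is denied.
# Weak design: the corporate LAN (itself reachable from the DMZ) talks straight to OT.
WEAK_RULES = {
    ("internet", "dmz", 443),
    ("dmz", "corp-it", 8443),
    ("corp-it", "ot", 3389),
}
# Hardened design: OT is reachable only through a jump host from an admin zone
# that no public-facing zone can reach.
HARDENED_RULES = {
    ("internet", "dmz", 443),
    ("dmz", "corp-it", 8443),
    ("admin", "ot-mgmt", 22),
    ("ot-mgmt", "ot", 22),
}


def zone_of(host):
    """Map a host to its zone; unknown hosts are an error, not an implicit zone."""
    for zone, members in ZONES.items():
        if host in members:
            return zone
    raise KeyError(f"unknown host {host!r}")


def permitted(src_host, dst_host, port, rules):
    """Default deny: a flow passes only if an explicit rule covers its zone pair and port."""
    return (zone_of(src_host), zone_of(dst_host), port) in rules


def find_path(src_zone, dst_zone, rules):
    """Breadth-first search over allowed zone-to-zone flows (any port).

    Returns the zone chain from src_zone to dst_zone, or None if no chain exists.
    """
    parents = {src_zone: None}
    queue = deque([src_zone])
    while queue:
        zone = queue.popleft()
        if zone == dst_zone:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parents[zone]
            return path[::-1]
        for src, dst, _port in sorted(rules):
            if src == zone and dst not in parents:
                parents[dst] = zone
                queue.append(dst)
    return None


def ot_exposure(rules, public="internet", protected="ot"):
    """Verdict for a rule set: 'isolated' or the chain of zones that exposes OT."""
    path = find_path(public, protected, rules)
    return "isolated" if path is None else "exposed via " + " -> ".join(path)


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name:9s} OT {ot_exposure(rules)}")
        print("  staff-workstation -> atm-controller:3389:",
              permitted("staff-workstation", "atm-controller", 3389, rules))
```

The point of the transitive search is that a single rule can look harmless in isolation (corporate LAN to ATM controllers on one port) while still completing a chain that starts at a customer's browser; a review of segmentation policy has to look at the chains, not only at the individual rules.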
There are no silver bullets
As the debilitating effects of an enterprise breach are increasingly recognized by corporate officers and directors, we’re finally seeing cybersecurity get the organizational attention it deserves. But there are no silver bullets that ensure protection. Thus, maintaining resilience to cyberattacks is an ongoing process of asking the right questions and making proactive decisions to integrate cybersecurity as an inherent part of enterprise operations. As noted by the industrial pioneer William Edwards Deming, quality is built in, not inspected in. The same is true for cybersecurity.