It’s obvious that criminals follow the money and make financial services firms a top target for cyberattacks. Financial services firms fall victim to cybersecurity attacks 300 times more frequently than do businesses in other industries. This equates to attacks of roughly one billion times per year, which is nearly the equivalent of 2,000 attacks per minute or more than 30 attacks per second—costing each firm approximately $18 million. Of even graver concern is the systemic risk cyberattacks bring to the entire financial services industry.
- Banks lost $16.8 billion to fraudsters in 2017.
- The average data breach cost for financial institutions rose 5 percent to $7 million per breach in 2017.
- The average cost to the financial industry per record lost or stolen during a breach was $336, more than the average cost per lost or stolen record of U.S. businesses overall, at $225.
But the warning signs and sobering stats don’t stop there.
More attacks, malicious moves
According to a 2017 report by the Identity Theft Research Center and Generali Global Assistance, the scope of the problem continues to grow. For example, financial institutions report that Distributed Denial of Service (DDoS) attacks have grown in size and frequency, the report states. This type of attack targets a system and floods it with enough incoming messages to overwhelm it, causing it to slow down or crash. Transactions grind to a halt, and the total cost to financial services hit with a DDoS attack to their online banking services was, on average, $1.8 million.
Financial institutions also saw a 56 percent increase in DDoS attacks in 2016, the authors state, and cybercriminals often couple such attacks with extortion attempts—demanding high ransoms from victim institutions. DDoS attacks can also serve as a smokescreen for further attacks, the report notes.
The authors then point to an even more insidious threat: social engineering. This threat, they write, “relies on the trusting behavior of the initial victim, in many cases employees, and makes attacks better designed to trick the victim into allowing access to data.” Such social engineering threats include spearfishing campaigns, which aim to trick employees into downloading malware that causes havoc.
“In a survey of more than 200 U.S.-based security leaders, 60 percent of respondents stated they were certain they were victimized or have reason to believe they might have been victims of social engineering attacks,” according to the report. “Additionally, of those attacks, 65 percent of the malicious activity pertained in some way to employees’ login credentials, and 17 percent involved accounts belonging to customers.”
The four ‘Es’ explained
Given this reality, financial institutions must evaluate their cybersecurity postures in order to maintain integrity with customers, employees and the industry as a whole. If you’re looking for a starting point, consider these “four Es” as proactive moves:
- Ensure you have a senior-level executive on your team dedicated to overseeing your cybersecurity program. Ideally, they should be a member of your C-suite or a chief security officer.
- Explore options for managed detection and response (MDR) partners who can monitor, detect and respond to threats, leveraging both technology and human analysis to augment your staff—thus enabling them to focus on other high priority objectives.
- Evaluate potential partners to ensure you have complete visibility into what happens behind the scenes of your security provider’s operations.
- Employ periodic penetration test assessments to stay a step ahead of the hackers, and identify whether your systems, services and data are exposed to malicious actors.
Putting it all together: No tragedy, all strategy
While threats raise grave concerns for every enterprise, the stakes become even greater for financial institutions because of the sensitive nature of the information you keep. Nowadays, security represents a complex and evolving area. While the tips outlined above make for a good start to secure your organization’s sensitive information, indeed, it’s just a start.
Consult with cybersecurity professionals to assess your current situation, address immediate threats and assemble a strategic cybersecurity program for your institution. As much as hackers can frustrate financial institutions, smart measures will turn that frustration right back at them.
Keith Sazer is a security expert at Critical Start, a provider of cybersecurity services.