Banks must take proactive steps to avoid cyberattacks

Banks must be proactive in preventing cyberattacks to avoid the consequences of a costly breach, according to security experts.

While the financial services industry tends to be better balanced from a security perspective than industries such as healthcare and retail, “big banking nonetheless appears to be investing in preventive front-end controls at the expense of detective, corrective and recovery ones,” said Armond Caglar, senior threat specialist at TSC Advantage, an enterprise security solutions provider in Silver Spring, Md. Banks generally are doing well in basic prevention, which includes training in and awareness of spear phishing, basic network segmentation and intrusion detection deployments, he said.

But once a bank is penetrated, “the bad actors tend to be on the network for longer periods going undetected and purloining lots of valuable data,” Caglar said. “Additionally, time and time again, we see businesses reduce the scope of the overall cyber security problem to nothing more than an IT issue.”

This inadequate and dangerous approach “ignores the host of nontechnical threat vectors causing havoc in organizations, such as the growing role of deliberate and unintentional insider threat, vendor access management and travel security,” he said.

Increasingly common

Cyberattacks are increasingly common as staying ahead of cybercriminals is almost impossible, said Anton Lavrenko, deputy regional head for Financial Institutions North America, Allianz Global Corporate & Specialty, a New York-based company that specializes in corporate insurance. Highly educated, cybercriminals often work outside of the U.S. border with sophisticated tools and processes, he said.

“These guys are often light years ahead of everything that we do,” said Joseph F. Caruso, regional head for Financial Institutions North America (AGCS). “These guys may get into a system and sit for months and months – until they get access.”

Proactive cybersecurity requires constant work. It takes vulnerability testing, and that requires significant financial resources, sophistication and the ability to realize when an exposure occurs, all of which makes smaller banks more susceptible, Caruso said.

High-profile data breaches, concern about reputational harm and regulatory scrutiny are fueling budget increases for security in 2016, according to a recent online poll of 50 bank chief information officers and senior technology executives. That poll by SourceMedia found 60% of the respondents cited “keeping up with security issues” as a top challenge with 40% predicting an increase ranging from 20% to as much as double in spending on security.

It’s not surprising that financial institutions are scrambling to secure themselves, as threats multiply and become more sophisticated, putting banks and their customers at risk, said Greg Mancusi-Ungaro, chief marketing officer for BrandProtect, a cyberthreat intelligence and brand protection firm based in Canada.

“Fraudulent phishing attacks are becoming more and more convincing,” Mancusi-Ungaro said. “They’ve moved way beyond the traditional realm of email attacks, leading to spoof websites. Today’s attack is now much more likely to incorporate a combination of email, social media, social domain, Web comments, executive or celebrity impersonation and malvertising. They are as sophisticated as any of the marketing programs run by the bank.”

For banks to stay ahead of cybercriminals, multi-channel holistic monitoring, analysis and mitigation of external threats beyond the perimeter must become top priorities.

“Banks must ensure that when customers think they are engaging with a branded site, app, email, asset or social media account, it’s actually one authorized by their institution,” Mancusi-Ungaro said.

Banks are three times more likely than any other industry to be the target of an attack, and they have to protect many different kinds of data, from transaction records to customers’ personal information, said Grant Shirk, senior director, product marketing at Vera, a Palo Alto, Calif.-based firm that develops and implements mobile and cloud security solutions.

“While banks are investing billions of dollars to improve their overall security capabilities, they need to prioritize their spending and protect what matters most — the data itself,” Shirk said. “(Banks) have to find ways to protect customer and financial data even after it leaves their control. By protecting the data itself, no matter where it travels, banks and other financial institutions can prevent or minimize the impact of a breach.”

Cyber resilience

Banks and other financial institutions can develop cyber resilience by aligning security resources against identified weaknesses, developing a response plan, protecting against hidden risks of third-party vendors, minimizing threats from rogue employees and nurturing a security culture during periods of growth, among other measures, security experts said.

More than a bank’s reputation is at risk when digital hackers and scammers attack. Standard & Poor’s recently issued a report that said banks could face a downgraded credit rating if they have ill-prepared cybersecurity or if a major breach led to substantial loss of customers or capital.

Cybercriminals will always go where the money is, experts said.

“That simple fact means that attacks on financial institutions such as JPMorgan Chase and Scottrade will continue,” Caglar said. “Eastern European organized criminal groups in particular target financial institutions. State-sponsored attackers also prefer large U.S. financial institutions because they are interested in the intelligence value that banks possess, such as corporate information, merger and acquisition data, and multinational investment strategy and targets.

“Mature cybersecurity starts with a philosophy that security is not just about legacy endpoint protection we all use, such as firewalls or intrusion detection systems,” he said. “Rather, security is the collection of activities that harmonizes corporate investments in people, process and technology. The problem cannot be solved by the IT department alone. It requires C-suite buy-in, from the board (of directors), and an obligation from each employee that acknowledges their role in preventing attacks.”

Freelance writer Robin Farmer contributed to the writing and research of this article.

April 20th, 2016 | Financial Services, Oncourse Corporate
