PART 2: What are the top security concerns for financial institutions?
In our last blog, we shared some of the top security concerns for financial institutions we uncover during our engagements. In case you missed it, you can read it here.
As we mentioned in part 1, the finance industry is a popular target for cyberattacks. In part 2, we continue to examine key security concerns experienced by organisations operating in this sector.
Insider threats and staff training
Even the most highly reputable and careful organisations can have insiders with an axe to grind, and their actions can have significantly malicious intent.
With this in mind, financial institutions need to limit each user's access to systems and information to what their role actually requires, and keep an audit log of activities as a forensic measure in case an individual acts maliciously or outside of approved policies and procedures.
It may not be possible to discipline or prosecute malicious internal actors unless there is solid evidence to substantiate the wrongdoing.
Some insiders are simply negligent in their actions. This is often due to bad habits formed through the way employees use their personal devices, or through poorly designed systems. This negligence typically increases when they haven’t been personally affected by a security breach.
Common ‘poor habits’ include opening arbitrary email attachments, clicking links in emails or instant messaging platforms, failing to lock their computer when leaving their desk, and not using current anti-virus software. These insecure habits, born of unprofessional or ‘don’t care’ attitudes, are dangerous and negligent when the personal and financial information of customers is involved.
Negligent and careless actions are almost indistinguishable from mistakes arising from distractions, time pressures, personal stressors and competing priorities, so some common protective principles apply.
Training staff on the security measures they can take in their day-to-day work, coupled with simple-to-understand policies and security tools that complement the needs of the workplace, is an essential underpinning for reducing the impact of careless or negligent behaviour.
A well-trained workforce is the first line of defence against phishing, ransomware, and social engineering attacks - the most common threats faced in today’s digital workplace.
For some institutions, their staff may number in the hundreds to tens of thousands. With the sensitive and financially valuable (to a criminal) information they manage, they become high-payoff targets for hackers and organised cyber-criminal gangs.
With many staff now connecting their own personal devices to the corporate network, there is an increasing number of endpoints for hackers to exploit. No amount of IT security budget can protect a company against negligent employees.
Employee training is a critical cyber security control in today’s well-defended financial institution. Leveraging increased staff skills is a key component in building a company’s resilience against cyberattacks.
Training in how to use company computers securely, coupled with safe and secure work processes and consistent guidelines for sharing sensitive information with external parties, is essential for all roles in the modern financial institution.
Along with employee training, financial institutions should build visibility into all activity in their IT environments, for example through user behaviour analytics captured by behavioural monitoring software.
This will help organisations better understand their vulnerabilities, identify potentially flawed processes, and detect suspicious or anomalous activity by building connections between seemingly unrelated events that may threaten cyber security.
A detailed understanding of what is going on across priority systems lets financial institutions detect anomalies and suspicious activity, maintain full control over the IT infrastructure and focus on current, real risks so that issues are resolved quickly. It also helps them avoid wasting a limited security budget on unnecessary spending.
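The point above about linking seemingly unrelated events is easiest to see in code. The following is an added example, not Loop's tooling: it parses a constructed audit log (timestamp, user, event, host, row count) and raises one finding when a burst of failed logins, a subsequent success and a bulk customer export all occur from the same host within a short window. The log format, thresholds and event names are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): timestamp, user, event, host, count
AUDIT_LOG = """\
2024-03-04T09:02:11 alice login_ok ws-ops-12 1
2024-03-04T09:15:40 alice view_customer ws-ops-12 3
2024-03-04T13:30:05 alice view_customer ws-ops-12 2
2024-03-04T23:41:09 bob login_fail vpn-gw-2 1
2024-03-04T23:41:22 bob login_fail vpn-gw-2 1
2024-03-04T23:41:35 bob login_fail vpn-gw-2 1
2024-03-04T23:42:01 bob login_ok vpn-gw-2 1
2024-03-04T23:44:17 bob export_customer vpn-gw-2 850
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse(log):
    """Turn raw log lines into (timestamp, user, event, host, count) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, event, host, count = m.groups()
            events.append((datetime.fromisoformat(ts), user, event, host, int(count)))
    return events

def correlate(events, window=timedelta(minutes=10), fail_threshold=3, export_threshold=100):
    """Link three individually unremarkable signals into one finding per user:
    a burst of failed logins, a success shortly after, then a bulk export from the same host."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort()
        for i, (t, _, kind, host, count) in enumerate(evs):
            if kind != "export_customer" or count < export_threshold:
                continue
            recent = [e for e in evs[:i] if t - e[0] <= window]   # events shortly before the export
            fails = sum(1 for e in recent if e[2] == "login_fail" and e[3] == host)
            success = any(e[2] == "login_ok" and e[3] == host for e in recent)
            if fails >= fail_threshold and success:
                findings.append({"user": user, "host": host, "rows": count,
                                 "failed_logins": fails, "at": t.isoformat()})
    return findings

if __name__ == "__main__":
    for f in correlate(parse(AUDIT_LOG)):
        print("ALERT", f)
```

Alice's daytime lookups never trigger a finding; only Bob's chain of events does, which is the difference between alerting on single events and alerting on their combination.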
Ransomware of Things
With the growth of internet of things (IoT), sensitive data is either accessible everywhere or present in a wide variety of locations.
Consequently, financial institutions should be aware of RoT (ransomware of things) threats, where hackers may hijack a connected device and demand payment for access to be restored to the user.
One valuable measure is implementing cloud-based continuous monitoring systems that enable financial institutions to identify their vulnerabilities in real-time to catch and block these threats before they can infiltrate systems and infrastructure to hold data hostage.
With the ubiquity of mobile phones today, security of the handsets and the applications is another area to consider. Mobile banking apps themselves are bringing significant changes to the banking industry.
For financial institutions with banking or mobile apps, there are all sorts of ways that malware can target these devices. While most apps in vendor-operated “app stores” are benign, ongoing campaigns by organised criminals have meant that fake or look-alike versions of a mobile banking app continue to be found in app stores.
There is no doubt the combination of IoT, mobile and cloud makes cyber security an even greater challenge. To reduce the risk, financial institutions should use virtual private network (VPN) technologies to provide assurance that the endpoints of a mobile banking service are genuine and trusted. This is a recommended way to secure the connection and encrypt all passwords, credentials and data transferred between a mobile app and the bank.
Financial institutions can also defend against attacks by ensuring all of the devices accessing their internal network and critical systems have up-to-date firmware and implement network security technologies, such as firewalls.
By using VPN capabilities, endpoint devices can communicate through a secure encrypted connection, which makes it more difficult for an attacker to access an IoT device, breach a financial network, steal customer information or steal staff credentials for future attacks.
Weak identity management
Data breaches can also occur through weak management of identity, credentials and access privileges. To prevent abuse of these key facets of authentication, credentials and cryptographic keys must not be embedded in source code or distributed in public-facing repositories, as there is a 100% probability that this sensitive information will be discovered and misused by hackers or organised criminal teams.
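One practical control for the rule above is to scan every commit for credential-shaped literals before it reaches a shared repository. The following is an added example, not Loop's tooling: it checks a constructed source file for an AWS-style access key ID, a PEM private key header and quoted literals assigned to credential-looking names, using a Shannon entropy threshold to suppress obvious placeholders. The sample file, the name list and the 3.0-bit threshold are assumptions for illustration.

```python
import math
import re

# Constructed source file with planted values (the AKIA value is AWS's published example ID)
SAMPLE_SOURCE = '''\
import boto3
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"     # documented example key id, not a live credential
DB_PASSWORD = "changeme"             # placeholder: low entropy, deliberately not reported
api_token = "q7Rz2mXv9Lp4Kw8sT1nB"   # random-looking literal: reported
conn = connect(host="db.internal", user="svc")
'''

PATTERNS = {
    # AKIA prefix followed by 16 uppercase alphanumerics is the published AWS access key ID shape
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # a quoted literal assigned to a credential-looking name; the literal is capture group 1
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}

def shannon_entropy(s):
    """Bits per character: random tokens score high, dictionary words and placeholders low."""
    if not s:
        return 0.0
    freq = {c: s.count(c) / len(s) for c in set(s)}
    return -sum(p * math.log2(p) for p in freq.values())

def scan_text(text, path="<constructed>", min_entropy=3.0):
    """Return (path, line_no, kind, match) for every line that looks like a committed secret.
    Key IDs and PEM headers are always reported; generic credential assignments only when
    the literal's entropy exceeds min_entropy, which filters placeholders such as "changeme"."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if kind == "hardcoded_credential" and shannon_entropy(m.group(1)) < min_entropy:
                continue
            findings.append((path, n, kind, m.group(0)))
    return findings

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE, "app/settings.py"):
        print("%s:%d %s -> %s" % f)
```

Wired into a pre-commit hook or CI job, a non-empty result should block the commit; the entropy filter is a heuristic, so weak real passwords can slip past it and a review of flagged names is still worthwhile.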
Cryptographic keys need to be appropriately secured throughout their lifecycle. A well-secured and designed public key infrastructure (PKI) can ensure key-management activities are carried out securely and cost effectively.
Any centralised storage device that contains secret, sensitive or monetizable data, such as passwords and personal details, is a gold mine for attackers so encrypting data at rest is an additional layer of protection. As with any significant organisational asset, the monitoring and protection of identity and key management systems should be a high priority.
Financial institutions should offer a robust suite of identity services that includes multi-factor authentication for access to any customer data, and a comprehensive access management program for employees and contractors with access to key customer or company data.
In summary, we have discussed the concerns, threats and vulnerabilities that Loop encounters amongst our customers and industry contacts. These include supply chain complexity, delivery chain dependencies, “insider risks”, visibility into real-time activities on company systems, and managing authenticated identity for customers, staff and business partners.
While many readers will have some or all of these threats under control, should these topics raise any issues applying to your organisation, Loop is always ready to assist – please feel free to reach out for a chat or coffee to explore how we can help you.
Struggling with your cybersecurity strategy? Learn from the industry leaders on how to build a cyber resilient enterprise with our latest whitepaper