“Because That’s Where the Money is”
As financial services firms embrace digital transformation, no matter where they are in their maturity models, detection tools are not able to keep pace with the growth of sensitive data that continues to attract cybercriminals across the globe. In recent years we have seen the financial services industry invest in a variety of new technologies to keep pace with current digital transformation trends, including customer-facing technologies such as mobile banking, automated wealth management, artificial intelligence, and blockchain, as well as less obvious infrastructure technologies such as cloud computing and big data [1]. Enhancing digital capabilities and improving the customer experience is an inevitable choice for banks and financial institutions that are striving to stay competitive and meet client demands over the next decade. At the same time, this leads to an increase in the amount of data and the number of points of attack that cybercriminals can exploit. Insights, a cyber threat intelligence company, reported that 25% of all malware attacks are aimed at banks and other financial services firms, which is far greater than any other industry. Apparently cybercriminals are not too different from their bank robber predecessors, who were attracted to banks for the same obvious reason – “because that’s where the money is.”
Who Left the Door Open?
The COVID-19 global pandemic has further accelerated digital transformation plans as employees left the security of their corporate offices behind. Many organizations were left scrambling to continue operations and adopted temporary solutions to maintain system access for their employees, leaving data and networks vulnerable. The massive number of remote workers has opened up new doors for cybercriminal activity. On many occasions, employees find themselves using personal devices where kids are playing games and surfing the net, which ultimately means there is greater risk of malware. These devices must be appropriately protected, and as the number of network access points expands, it presents a much higher risk and serves as fertile ground for hackers. Zoom, a virtual collaboration tool, has made the news in recent weeks due to privacy issues during remote classroom learning in schools.[2] They are not alone. According to IBM, the US market has seen an increase in the use of work-from-home devices of 84% due to COVID-19 since February, along with an astonishing 14,000% increase in attempted cyberattacks.
Tip of the Iceberg
While the remote workforce and digital transformation are top-of-mind challenges, there are many other reasons why the financial services industry continues to face cybersecurity threats, and it begins with understanding the adversaries and their motivations. Cyber threats come from human beings, while computers and networks are simply vehicles. It is important for a security professional to know who they are dealing with and for employees to have an awareness. Adversaries include nation states, hacktivists, cyber terrorists, insiders, and e-crime groups, the adversaries we are most familiar with. They are known to target the financial services sector and the retail sector and are proficient at stealing personally identifiable information. With so many open doors, hackers can target just about any entry point with an IP address. There are no geographic boundaries, no bank opening hours, and the potential ROI is substantial. And, unlike Willie Sutton and his compatriots of the 1930s, cybercriminals don’t need getaway cars, so the risk of getting caught is low.
To combat cyber threats effectively, firms will need to invest in education and awareness for existing staff, support programs to grow the limited pool of qualified cyber professionals, and upgrade legacy systems that often lack the latest software protections. Additionally, firms will need to consider their cyber resilience strategy as they pursue new models of doing business and seek partnerships with emerging Fintech companies. In short, digital threats have grown increasingly complicated and the cost of protecting data has climbed. Worldwide spending on information security (a subset of the broader cybersecurity market) products and services exceeded $114 billion in 2018, an increase of 12.4 percent from 2017, according to Gartner, Inc. For 2022, they forecast the market to grow to $170.4 billion.
Information Protection is Paramount
Hacks at companies like Yahoo! and Equifax in recent years have highlighted the lasting financial and reputational damage data breaches can cause, keeping executives and their Boards up at night. Firms that fall victim to cyberattacks are also subject to regulatory fines as well as reputational damages, often followed by noticeable customer attrition rates. Although financial institutions share a long history of addressing cyber security issues, this doesn’t necessarily mean they are well prepared for the next sophisticated cyberattack.
Discussions about cyber-risk can quickly evolve into highly technical conversations that are difficult to follow for lay people. Successful organizations will include cyber-risk as a critical piece of their firm’s overall operational resiliency strategy. It is important that cyber-risk is elevated to the board level and that governance and management are in place to account for the people, processes and technologies required to maintain (or quickly restore) critical business services. Although technical know-how is essential to successfully combat and mitigate the risk of cyberattacks, increasing the visibility and awareness of the related risks at an enterprise level represents a critical starting point. The proliferation of technology and automation in financial institutions is not expected to end any time soon, so it is every employee’s responsibility to protect non-public data by following safe practices and guidelines.
Defending Against Cyberattacks
Defending against cyberattacks begins with a comprehensive understanding of your digital estate. Organizations must manage a web of technologies from the work office, home office, phone, wearable devices, and beyond. There are a number of steps organizations can take in order to defend against cyberattacks. The National Institute of Standards and Technology (NIST) Framework, widely considered a gold standard in cyber security, lays out a 5-step approach in Exhibit 1.[3]
Identity and access management should be at the forefront of every organization’s defense plan. A person’s identity within an organization is essentially the control plane for every other connected application, so a compromised or over-privileged identity poses a significant security risk. It is critical to effectively manage user access to avoid potential internal threats to your organization’s data.
Information protection and governance policies should be established to provide structured guidance and control over data that is most sensitive to your organization. Firms must frequently and accurately identify, classify, and label data and implement policies to incorporate encryption, access restriction, record management, retention, and deletion. Once policies are in place it is important these are proactively monitored.
Continuously test your security plan and run periodic assessments to ensure that your organization is current with the latest security threats. Third-party assessments are an affordable way to stay on top of potential vulnerabilities impacting your technology and policies and to support enterprise resiliency.
Develop a response plan allowing your organization to quickly take action by restoring critical business functions to continue operation in the event of a cyberattack. This includes ensuring that the response plan is executed during and after the event occurs, managing the necessary communications with stakeholders and law enforcement, analysis to determine the full impact of the incident, execution of mitigation measures, and incorporating the lessons learned.
Finally, your organization should have a recovery plan in place to restore all business functions to their original condition without compromising any data. This is also the time to implement improvements based on the lessons learned.
About Monticello
Monticello Consulting Group is a management consulting firm supporting the financial services industry through deep knowledge and expertise in digital transformation, change management, and financial services advisory. Our understanding of the competitive forces reshaping business models in capital markets, lending, payments, and digital banking are proven enablers that help our clients remain in compliance with regulations, innovate to be more competitive, and gain market share in new and existing businesses. By leveraging our risk management capabilities, Monticello guides its clients in the deployment of the latest digital technologies with confidence and resilience.