How to shore up cyber-defences of financial institutions for the future
Cybersecurity has always had a long-haul aim of staying one step ahead of adversaries. Mitigation and prevention are the name of the game — but the emergence of a worldwide pandemic has taken the rulebook and thrown it out the window.
New technologies emerged, online behaviour shifted, working environments were replaced. New threats have emerged, and security vendors are now on the back foot.
Financial services organisations were among the hardest hit last year, and this trend continues as we near the middle of 2021. They are particularly vulnerable to the advance of quantum computing, for example, which poses a threat to the controls the financial system uses to protect data.
Many more threats to these organisations exist. So what are they, and what can be done about them? Accenture's latest research defined four key risks: supply chain attacks, cyber-fraud, insider threats, and extortion and ransomware.
1. Supply chain attacks
Supply chain attacks are gaining steam for their effectiveness in accessing cross-sector critical infrastructure, leading to a loss in integrity in systems. This was showcased to the world with the SolarWinds hack, where malware infected unrelated software from developers whose build platforms hosted SolarWinds software.
The targeting of technical and security service providers, like SolarWinds, is concerning because such providers serve as gateways to financial services organisations, whether wholesale and retail payments processors, major banks and financial market infrastructures, or regulators.
Once these organisations have been breached, sensitive documents can be viewed, intellectual property stolen, and communication channels hijacked — which in turn can lead to phishing and other business email compromise (BEC).
What can be done?
Enterprises should consider engaging in talks with software suppliers to encourage them to vet software for vulnerabilities before release. The privileges and access levels granted to externally developed software should be re-examined, and entirely new tools should be commissioned to secure software. For example, Accenture has patented a new technique in which blockchain could secure software supply chains with self-referencing software bills of materials (SBOMs).
2. Cyber-fraud
The pandemic presented an excellent opportunity for cyber-attackers to engage in fraud and BEC. Fears of COVID-19 infection and rampant misinformation provided ample fuel for attackers to exploit, and flames were fanned with malicious and misleading campaigns taking advantage of these fears.
Relief funds were exploited, for example, by hijacking dormant corporate accounts to request government-funded aid and loans. Identities were stolen, fraudulent insurance claims filed. All the while, cyber-attackers streamlined their strategies.
Fraud-as-a-service operations emerged — with features such as cloud credentials, stolen application programming interface (API) keys, and techniques to bypass multi-factor authentication (MFA).
These new capabilities have made it easier than ever for cyber-criminals to monetise stolen credentials. This can open organisations up to serious fraud, which often results in disruption to company operations, decreased profits, loss of tax revenue, job losses and reputational damage.
What can be done?
User awareness training can mitigate fraud risks like phishing, and a focus should be placed on high-risk groups such as customer service staff and employees with access to payment systems and other high-risk data.
Remote desktop protocols should be avoided where possible, and two-factor authentication should be implemented.
3. Insider threats
The great shift to remote working has brought with it many benefits — but in the realm of IT, it can be defined by the introduction of several cybersecurity risks. Insider threats are one of the bigger ones.
Working from home opens the door to a spike in such threats, whether malicious or unwitting. While malicious intentions account for only 23% of insider-related incidents, they do by far the most harm, often by actively exploiting lax oversight.
Recent disinformation trends may also play a role in encouraging irresponsible employee behaviour and creating insider threats. Employees deceived by disinformation and conspiracy theories have made unsound decisions that could harm an employer's reputation, and insider threats can potentially harm an organisation's brand, revenue and competitive edge.
What can be done?
Zero trust security principles should be applied across the business to avoid insider threats. This means enforcing least privilege for user accounts, creating one-time use passwords for sensitive data access and immediately revoking access from former employees.
Security teams should also screen for high-risk employees by monitoring dark net sources.
4. Ransomware and extortion
It's no secret that ransomware has ramped up in the last 18 months. As it increased in scope, different approaches have been taken by different groups.
One of the most prevalent trends lately has been pseudo-ransomware — whereby ransomware groups destroy data despite promising to return it to organisations after payment. This 'empty promises' style of ransomware is becoming more common, and could potentially influence another trend: the increasing likelihood of non-payment by organisations.
According to Coveware, by the end of 2020, victims increasingly refused to pay a ransom. The median paid amount fell 55%, from US$110,532 in the July to September period of 2020 to US$49,450 in the October to December period.
Indeed, this trend seems to be seeping into regulation too: The United States Treasury Department has warned that financial services entities could also face penalties for paying a ransom to a US-sanctioned group or facilitating payments to terrorists or Weapons of Mass Destruction developers.
What can be done?
To prevent ransomware, organisations should implement defences against common malware like Trickbot and Emotet by applying security patches and ensuring employees are trained to notice telltale signs.
If a breach does occur, Accenture recommends that organisations assume the worst: that data will be leaked. This allows teams to measure the potential impact and to enact crisis management procedures accordingly.
The havoc wreaked on IT services in 2020 and 2021 has taught CISOs a great deal — and many lessons have been learned the hard way.
New technologies, strategies and approaches have been used by cyber-attackers to exploit vulnerabilities that arose during COVID-19 lockdown procedures, and financial institutions — the bedrock of global economies — were not left unscathed.
Vulnerabilities remain high, but at the same time, much has been learned — it's now time for financial institutions and their security apparatus to take the steps necessary to improve security in the long term.