The Financial Industry: An Executive Perspective on Cyber Risk
Welcome to the second installment of our series of cybersecurity executive views across several industries. We will take a deep-dive into the financial industry this week.
While organizations in the financial industry have made great strides in improving their cybersecurity posture, they still face major security challenges. Many of the largest breaches in history have occurred in the financial industry; in fact, it is the second most costly industry in the United States in terms of cybersecurity breaches. IBM Security reported that more than 200 million financial services records were breached in 2016, a 937% year-over-year rise. According to Ponemon Institute’s 2017 study, the financial industry has an average cost of $12M per data breach, roughly the same cost per breach as the healthcare industry. Business leaders within financial services should know that having a cyber risk plan in place is not only proactive, it’s critical.
KEY STATISTICS ABOUT FINANCIAL BREACHES
- 24% of breaches in 2016 directly impacted financial organizations.
- 73% of all breaches in 2016 were financially motivated.
- $336 is the mean value per lost financial record to U.S. companies, well above the overall average which is $225.
- 155 days “dwell time” (time spent on an organization’s network) on average to detect an incident; an additional 34 days on average to contain it.
WHY ATTACK A FINANCIAL ORGANIZATION?
The financial industry faces a large volume of attacks, and many threat actors are focused on one thing: financial gain. Financial organizations are ideal targets because bundles of credit card data and Personally Identifiable Information (PII) sell for approximately $30 each on the dark web, and even a single high-balance credit card number can still sell for up to $25.78 (21€).
In addition to financial gain, espionage is another reason why attackers target financial organizations. Attackers can go after intellectual property (IP) and intellectual capital (IC) to gain inside information on trading algorithms, market data, or other organizationally sensitive data.
Furthermore, approximately 34% of cyber attacks within the financial sector are categorized as denial of service (DoS) attacks. These attacks are not focused on the theft of data; rather, they aim to take critical systems offline. And as customers demand ever greater online access to their accounts and services, the exposed attack surface, and with it the number of exploitable vulnerabilities, grows.
Financial organizations face several key challenges when it comes to protecting their networks.
WHAT ARE THE KEY CHALLENGES?
Denial of service attacks can have significant implications for financial services. Here, attackers intend to compromise the availability of networks and systems, using both network-layer and application-layer floods to overwhelm them, resulting in degraded performance or an outright interruption of service.
After DoS, web application attacks are the second key challenge financial organizations face. Attackers use the web application as the attack vector, either exploiting code-level vulnerabilities in the application or defeating its authentication mechanism, for example by logging in with stolen customer credentials.
Lastly, payment card skimming is another pervasive issue within the financial industry. Attackers physically install skimming devices on assets that read magnetic stripe data from a payment card, such as a convenience store ATM or a gas pump terminal, and use the captured track data to clone cards or make fraudulent purchases.
The three challenges above account for 88% of all security incidents within the financial industry, according to the Verizon 2017 Data Breach Investigations Report. However, it isn’t enough for a financial industry board member or executive to know what the challenges are; they must also understand the risk these challenges represent to the organization.
NOTABLE INCIDENTS & BREACHES
In February of 2016, attackers, potentially working with an insider, compromised a bank’s connection to the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network and obtained valid operator credentials that allowed them to create and approve fraudulent SWIFT messages directing bank-to-bank money transfers. In that attack, $101 million was fraudulently transferred out of the Bangladesh central bank’s account, and it was only one of a series of attacks abusing the SWIFT global messaging network. In a separate incident, an Ecuadorian bank, Banco del Austro, had $12 million fraudulently transferred via Wells Fargo and another $1.8 million via Citibank.
A little over a year later, in July of 2017, Equifax discovered that it had been breached. Personal information of 143 million consumers was stolen, including Social Security numbers, dates of birth, addresses, and driver’s license numbers. If that wasn’t bad enough, 209,000 consumers also had their credit card data exposed. This was one of the largest data breaches ever. The entry point was an unpatched vulnerability in the Apache Struts web framework on one of Equifax’s consumer-facing websites; the intrusion was discovered in late July but had begun in mid-May.
TAKING ACTION: TOP 3 MUST-DOS
So what should a board member or senior executive be thinking about? First and foremost, understand how the organization monitors its network for potential insider threats and for misuse of privileged accounts. This lets a financial organization stay on top of its game and recognize an attack in progress before the damage is done. Had the banks attacked through SWIFT had better monitoring of their payment systems, they would not have been such easy targets: fraudulent transfer messages were created and approved under valid credentials without anyone noticing in time.
Secondly, executives should ensure their organizations make two-factor authentication mandatory for all accounts. This adds an extra layer of protection designed to ensure that only the account holder can access the account, even if someone else knows the password. This is a best practice not only for customers, but also for employees and especially for network/system administrators, whose accounts are the most valuable to an attacker. Note that not every second factor is equal: one-time codes sent by SMS can be intercepted or phished, so hardware tokens or authenticator apps are preferable for privileged accounts.
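As an added illustration (not code from the original article), the following Python sketch shows what "even if someone knows the password" means in practice: a login that requires both a password and a time-based one-time code per RFC 6238, rejects a correct password with no code, tolerates modest clock drift, and refuses to accept the same code twice. The `Account` class, the PBKDF2 parameters and the constructed salt are assumptions for this example; the TOTP secret used in the demo is the RFC 6238 test-vector key.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class Account:
    """Toy account record (hypothetical for this example).
    A real system would use a memory-hard KDF such as scrypt or argon2
    and keep the TOTP secret in a vault or HSM rather than in memory."""

    SALT = b"constructed-salt"      # constructed; real salts are random per user
    ITERATIONS = 100_000

    def __init__(self, password: str, totp_secret: bytes):
        self.pw_hash = self.hash_password(password)
        self.totp_secret = totp_secret
        self.last_counter = -1       # highest TOTP counter already accepted

    @classmethod
    def hash_password(cls, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), cls.SALT, cls.ITERATIONS)


def login(account: Account, password: str, code, at: int,
          step: int = 30, window: int = 1) -> bool:
    """Both factors must pass. The password check always runs first so a
    missing or wrong code never reveals whether the password was right."""
    password_ok = hmac.compare_digest(Account.hash_password(password), account.pw_hash)
    if not password_ok or code is None:
        return False

    # Accept codes for the current step and +/- `window` steps of clock drift,
    # but never a counter that has already been used (blocks replay of a
    # code captured by a phishing page or a shoulder-surfer).
    counter = at // step
    for drift in range(-window, window + 1):
        candidate_counter = counter + drift
        if candidate_counter <= account.last_counter:
            continue
        if hmac.compare_digest(hotp(account.totp_secret, candidate_counter), code):
            account.last_counter = candidate_counter
            return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"            # RFC 6238 SHA-1 test-vector key
    acct = Account("correct horse battery staple", secret)
    now = int(time.time())
    code = totp(secret, now)
    print("password only:", login(acct, "correct horse battery staple", None, now))
    print("password + code:", login(acct, "correct horse battery staple", code, now))
    print("same code replayed:", login(acct, "correct horse battery staple", code, now))
```

The replay check matters for bank operator consoles in particular: if an attacker phishes a valid code, it should be unusable the moment the legitimate user has consumed it, and a leaked password alone should never get past the first check.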
Lastly, financial organizations should implement security awareness programs. It’s no surprise that many breaches in the industry begin with human error, such as an employee clicking a link in a phishing email. It’s important that executives and employees alike are trained to recognize potential threats. This is a key way the organization can decrease the risk of a data breach.
Is your financial organization prepared? Do you, as a senior leader in financial services, understand cyber risk as an enterprise risk? We can help. Check out our Cyber Resolve seminars, tabletop exercises, and other executive cybersecurity training programs for your team.