Recent reports and surveys quantify the cyber-assault on financial services in particular and businesses in general. As may be guessed, the situation does not look good.
One positive note: growing awareness that a developing technology, generally called artificial intelligence, may begin to shift defenses from reaction to proaction. It is too early to tell for sure about this, however.
The general and more conventional advice boils down to this:
In addition to doing all the tech-related things that have been accepted practice—passwords, encryption, firewalls, multi-factor authentication—business entities need to foster a culture of cybersecurity awareness among all staff members. This is because a surprising number of fraud incidents are caused by people working inside the organization, either intentionally or unintentionally. [See also, “You are who your mobile says you are”]
Sad popularity for banks
First, the depressing statistics.
The annual IBM X-Force threat intelligence index revealed the financial services industry was attacked more than any other industry in 2016—65% more than the average organization across all industries. (As that classic but phony quote from Willie Sutton says, “… because that’s where the money is…”)
As a result, the number of breached financial services records skyrocketed 937% in 2016, to more than 200 million. Financial institutions were forced to defend against a 29% increase in the number of attacks from 2015.
“Cybercriminals have always gone where there is money to be made. While financial services has been a highly targeted industry by cybercriminals, in previous years their main focus shifted to other more lucrative industries like healthcare or retail,” says Nick Bradley, Practice Lead, IBM X-Force Threat Research. “However, in 2016 we saw a significant resurgence to financial services as criminals decided to go directly to the source money.”
In face of this … confidence?
A recent report from Accenture paints a more nuanced, yet just as troubling, picture about how senior bank executives feel about cybersecurity vs. actual attacks.
A global survey of 275 senior security executives across the banking and capital markets sectors found that 78% were confident in their overall cybersecurity strategy.
More than half of these officials expressed high levels of comfort in their ability to identify the cause of a breach; measure the impact of a breach; and manage financial risk due to a cybersecurity event.
However, these respondents reported that:
• On average their banks had experienced 85 serious cyber breach attempts each year.
• Of these, 36% of the attempts were successful in obtaining at least some confidential information.
• It took 59% of victimized banks several months to detect breaches that occurred.
“Bank executives are clearly confident when it comes to their cybersecurity capabilities, but there is still much work to be done,” says Chris Thompson, senior managing director and head of financial services cybersecurity and resilience, Accenture Security.
Indeed, confidence appears to arise from a false premise.
“Most cybersecurity assessment programs, while well-intentioned, are highly theoretical and based on known cyberattack practices,” adds Thompson. “The reality, however, is very different. Fast-moving, dynamic threats are creating new challenges every day. Banks should focus on deploying practical testing scenarios that focus inside the perimeter to ultimately make the crooks’ job as difficult as possible.”
Another indication of rising fraud: FICO found that the number of payment cards compromised at U.S. ATMs and merchants rose 70% in 2016, and the number of hacked card readers at U.S. ATMs, restaurants, and merchants rose 30%.
On average, an ATM or point-of-sale device was compromised for 11 days in 2016, compared to 14 days in 2015 and 36 days in 2014, which represents some improvement.
Still, as T.J. Horan, vice-president of fraud solutions at FICO says, “As the last few years have proven, skimming technology and knowhow have improved and are more accessible to the general population, so we will continue to see increases in compromises and the speed at which they occur.”
Victimhood goes beyond banks
The depressing news goes on. The Association for Financial Professionals found that nearly three quarters of corporate treasury and finance professionals said their companies were victims of payments fraud in 2016. Of these, 75% experienced check fraud, up from 71% in 2015.
Also, 74% of the respondents said their organizations were victims of business email compromise in 2016, a 10-point increase from 2015.
There is more.
Looking ahead, Juniper Research says cybercrime and data breaches will cost businesses $8 trillion over the next five years. This total would include the cumulative costs of fines, lost business, and remediation efforts.
We know the pain. What relief?
Once again the question comes up: What can be done about all this?
One avenue that security people are warming up to involves applications of artificial intelligence. For example, the Juniper Research report cites several startup companies that use machine learning—part of the AI spectrum of technologies—to monitor network and program behaviors, detecting and eliminating many anomalies automatically.
The researchers expect managed security service providers to leverage AI to provide affordable services to smaller businesses, making the best of tight security budgets.
“However, in order to succeed these new approaches must also bring simplicity and interoperability to end users, in what is a very fragmented market,” says James Moar, researcher at Juniper.
A report from the Internal Audit Foundation and Crowe Horwath notes the growing use of security operation centers and security intelligence centers.
“The creation of formal security operation centers allows for holistic, proactive approaches to cybersecurity in which all parts of the organization, including the internal audit function, can support the battle against data breaches,” says IIA President and CEO Richard Chambers.
The IBM X-Force people, understandably, also recommend a high-tech approach. IBM makes this point in its report: “Apply a cognitive approach. Augment a security analyst’s ability to identify and understand sophisticated threats by tapping into unlimited amounts of unstructured data from blogs, websites, research papers and the like, and correlating it with relevant security incidents.”
But even the IBMers emphasize just as strenuously the importance of staff training, culture, and internal defenses—for good reason. The company’s survey found that the financial services industry was more affected by insider attacks (58%) than outsider attacks (42%) in 2016.
“Malicious activity inside an organization can be a result of an inadvertent act (53%) such as an employee accidentally being tricked to download a malware-laden document through a phishing email which then gives attackers access to information. Many of these attacks occur without the user being aware of it.” [Emphasis added]
Teach your people well
To that end, IBM adds these recommendations: Conduct employee awareness training, and focus on strict governance of access to sensitive data.
Similarly, Seth Robinson, senior director, technology analysis, CompTIA, puts it this way: “Building an impenetrable defense is no longer practical and the mentality of preventing all breaches is outdated. But a new, proactive approach combining technologies, procedures, and education can help find problem areas before attackers discover them.”
In particular, CompTIA recommends training and certification for corporate technology professionals, and the development of a security-aware culture throughout a given organization.
The AFP adds this to the chorus:
“With the advancement of technology, organizations are more vulnerable to fraud attacks now than before, and business leaders need to equip their people and systems with the tools and resources needed to prevent fraud and alleviate the impact of an attack,” says Jim Kaitz, president and CEO. “Companies that offer mandatory training for all employees, particularly around cybersecurity, and that have a plan to respond to payments fraud, will fare better than those that do not.”
Sources used for this article include: