The financial sector, subject to stringent regulatory requirements, has higher average security breach costs than most other industries. As IBM points out in its 2020 Cost of a Data Breach Report, public sector organizations traditionally have the lowest costs because they are unlikely to lose a significant number of customers as a result of a breach. Naturally, given the kind of data that banks and other financial companies collect from customers, the financial sector has always had a target on its back. COVID-19 has only compounded the problem, with threat actors taking full advantage of these uncertain times.
Pandemic’s Effect on Cybercrime
In the first half of 2020, according to VMware Carbon Black, financial institutions faced a 238% spike in attacks. Additionally, 27% of all attacks targeted either the healthcare or financial sectors. Early in 2021, Keeper Security found that 70% of financial services organizations reported experiencing a cyber-attack in the past year, with a majority of the respondents suggesting that COVID-related conditions contributed to the increase in severity of attacks. The spike in attacks coincided with significant COVID-19 developments, such as the World Health Organization declaring a global health emergency. Major events that can create fear or hysteria provide a useful lure for phishing scams.
Why is the Cost So High?
IBM’s report notes that the average total cost of a data breach in the financial services sector in 2020 was $5.85 million, against an average of $3.86 million across all sectors. There are myriad reasons, both direct and indirect, why a breach can be so expensive for financial organizations. Upfront costs include detection and crisis response, such as forensic investigation, as well as legally required notifications, which can become costly depending on the number of affected individuals.
One of the major long-term costs is the loss of business. A large data exposure often draws negative media coverage, which damages brand reputation and eventually erodes customer trust and confidence. Other factors to consider include legal fees; insurance premium increases; ransomware payments (despite the U.S. government warning against making them); and, lastly, hefty regulatory fines. In 2020, 198 fines were imposed, a 141% spike from the year prior, according to Fenergo.
Types of Cyber Attacks
Attacks facing the industry run the gamut, from Distributed Denial of Service (DDoS) to mobile banking exploitation, and it’s essential to keep up with the most frequent types of attacks to prepare your organization adequately.
Business Email Compromise (BEC)
Cybercriminals spoof executive email addresses, register lookalike domains, or send from a compromised executive mailbox and then request urgent payments, making it difficult for staff to discern whether an email is legitimate. According to Kroll, BEC is a top threat for organizations in this sector, with associated risks such as misdirected payments.
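The following is an added example (not Constella’s tooling or Kroll’s) of the kind of check a mail-security or SOC team can run against inbound headers to catch the three BEC patterns described above: a display name that matches an executive but a mailbox that does not, a lookalike sender domain, and a Reply-To that diverts the conversation elsewhere. The trusted domain, the executive roster, and the sample headers are all constructed for the demo.

```python
"""Flag executive-impersonation (BEC) emails from parsed headers.

Added example, not code from the original article. TRUSTED_DOMAIN, EXECUTIVES and
SAMPLES are constructed for the demo; plug in your own domain and roster.
"""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

TRUSTED_DOMAIN = "examplebank.com"  # assumed: the organisation's real sending domain
# assumed roster: lower-cased display name -> the only mailbox that name should use
EXECUTIVES = {"jane doe": "jane.doe@examplebank.com"}


def normalize_domain(domain):
    # NFKC folds compatibility forms (e.g. full-width letters) back to ASCII;
    # Cyrillic look-alikes survive NFKC and are caught by edit distance below.
    return unicodedata.normalize("NFKC", domain).lower().rstrip(".")


def levenshtein(a, b):
    """Plain edit distance; small enough for domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    d = normalize_domain(domain)
    if d == TRUSTED_DOMAIN:
        return False
    # within two edits of the real domain, or the brand label reused under another name
    return levenshtein(d, TRUSTED_DOMAIN) <= 2 or TRUSTED_DOMAIN.split(".")[0] in d


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # 1. executive display name on a mailbox that is not the executive's
    exec_mailbox = EXECUTIVES.get(name.strip().lower())
    if exec_mailbox and addr.lower() != exec_mailbox:
        findings.append("display name impersonates an executive")

    # 2. sender domain imitates the trusted domain
    if domain and is_lookalike(domain):
        findings.append(f"lookalike sender domain {domain}")

    # 3. replies are steered to a different mailbox than the visible sender
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To diverted to {reply_to}")

    # 4. a message claiming the real domain must carry a DMARC pass from our MX
    auth = msg.get("Authentication-Results", "")
    if normalize_domain(domain) == TRUSTED_DOMAIN and "dmarc=pass" not in auth:
        findings.append("claims trusted domain but DMARC did not pass")
    return findings


# constructed sample headers, not captured traffic
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@examplebank.com>\n"
             "Authentication-Results: mx.examplebank.com; dmarc=pass\n"
             "Subject: Q3 numbers\n\nbody",
    "display_name": "From: Jane Doe <jane.doe@gmail.com>\nSubject: urgent wire\n\nbody",
    "lookalike": "From: Jane Doe <jane.doe@examp1ebank.com>\n"
                 "Reply-To: accounts@examp1ebank.com\nSubject: urgent wire\n\nbody",
    "spoofed": "From: Jane Doe <jane.doe@examplebank.com>\n"
               "Authentication-Results: mx.examplebank.com; spf=fail dmarc=fail\n"
               "Reply-To: jane.doe.ceo@outlook.com\nSubject: wire\n\nbody",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", analyze(raw) or ["no findings"])
```

The DMARC check only has teeth if the organisation publishes a DMARC policy and the gateway stamps Authentication-Results; without that, a plain spoof of the real domain (the fourth sample) is indistinguishable from the legitimate message on headers alone, which is exactly why the text pairs technical controls with payment-verification procedures.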
Distributed Denial-of-Service (DDoS)
DDoS attacks – which can freeze online services and lock out a financial institution’s customers – spiked in 2020 following the digital shift brought about by COVID-19. DDoS attacks can also act as a distraction to mask fraud taking place behind the scenes, so a flood against customer-facing systems should trigger a look at payment and account activity, not just at network capacity.
Mobile Banking Exploitation
In June 2020, the Internet Crime Complaint Center (IC3) published a Public Service Announcement warning that mobile banking usage has surged as much as 50% – which could lead to exploitation via app-based banking trojans and fake banking apps.
In September 2020, it was reported that one in four Americans received a COVID-19-related phishing email. Phishing emails were so problematic amid the pandemic that the American Bankers Association launched the #BanksNeverAskThat campaign to provide the public with information to arm them against scams. Not long after, the Financial Crimes Enforcement Network (FinCEN) issued a notice alerting financial institutions of the potential for phishing schemes related to COVID-19 vaccines and their distribution.
FinCEN’s December notice added that, “cybercriminals, including ransomware operators, will continue to exploit the COVID-19 pandemic alongside legitimate efforts to develop, distribute, and administer vaccines.” There are, unfortunately, numerous examples of ransomware affecting banks from this past year alone.
Tips to Reduce Cyber Risk
Financial organizations can take simple steps to stave off cybercrime, and notably, human error is a factor in many of the attacks above, so reducing it goes a long way toward mitigating cyber threats. Simply training employees on cybersecurity awareness can make a huge difference. Employees should understand the signs of a scam, remain vigilant, and swiftly report phishing attempts. Other tips include: implement multi-factor authentication on customer-facing apps and on employee email and remote access (the accounts BEC actors most want to compromise); establish a strong password policy for your organization; and proactively monitor, detect and uncover identity information found in open sources (surface, social, deep and dark web) to understand your organization’s digital footprint.
As the vaccine becomes more widely available and we transition to some sense of normalcy, we must not let our guard down when it comes to cyber safety. Cybercriminals will continue to evolve, so security operations teams must keep pace to minimize future exploitation.
Pablo Castillo is a Cyber Threat Research Analyst at Constella Intelligence – a digital risk protection company that works in partnership with some of the world’s largest organizations to safeguard what matters most and defeat digital risk.