By Kevin Lupowitz, CIO, Tassat
Banks have always represented lucrative targets for cybercriminals – after all, as the famed pre-cyber-era bank robber Willie Sutton said, “that’s where the money is.” A 2019 report from the Federal Reserve Bank of New York found that financial firms experience as many as 300 times more cyber-attacks than other companies, and the threat has only grown over the years. When a bank falls victim to a cyber-attack, the impact extends beyond potential financial damages; it can also significantly impact customer loyalty, result in regulatory penalties and damage the organization’s reputation. Banks also hold a tremendous amount of personal customer data, which is valuable in its own right even when no funds are stolen, and that data must be protected as well.
Ransomware, DDoS and botnet – the real cost of cybercrime
Devastating ransomware attacks have become a routine part of mainstream news. These attacks, which result in the encryption of data and extortion, have recently become a “double-barrelled” threat, as threat actors have added the threat of exposing confidential data to their business plan. Victims of ransomware must deal with major disruptions of their business operations, the threat of a major data breach, and the time and costs of recovery. In many cases, organizations feel that they have no choice other than to pay the ransom demanded in order to avoid the costs of recovery and breach response. However, they may find that there is no honor amongst thieves and may face these costs despite payment, should the attackers not provide working decryption keys or later leak or sell the data they gathered.
Other threats like DDoS (Distributed Denial of Service) attacks can potentially create reputational and financial risk for banks. DDoS attacks can impact the bank’s websites or mobile apps, with criminals focused on denying customers the ability to use bank services. These kinds of attacks can cause embarrassment for the bank and can erode customer confidence, leading to lost customers and corresponding financial damages for the bank.
While the threats may be overwhelming, the best defense is always prevention. But what can banks do today to safeguard their systems and customers?
Understand social engineering and phishing attacks
It is imperative that banks ensure they continuously educate employees and promote security awareness internally, in addition to investing in technology. A strong employee education program should include online training, scenario testing, controlled phishing campaigns, security awareness messaging, lunch-and-learns and more. It should be viewed as an ongoing program, not a one-time exercise.
Review (and ransom proof) your backups
The key to recovering from a ransomware attack is having backups that are complete, current, and protected from the attackers. Backups are a prime target for ransomware criminals – they know that if they can delete or encrypt them, their chances of a payday are greatly increased. Many backup solutions now have built-in protections specifically for ransomware, such as immutable or offline copies, but you may need to enable them in advance. And when was the last time you tried restoring from a backup? Regular testing ensures backups are ready when you need them the most.
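The three properties above (complete, current, protected) and the restore test can be checked automatically. The following is an added example, not code from the article or from Tassat: it assumes the backup set is a directory of plain files and that a manifest of SHA-256 hashes was recorded at backup time and stored somewhere the backup job itself cannot write to, so an attacker who encrypts or deletes backup files cannot also rewrite the manifest to match. The scenario data (two small files, one later overwritten with random bytes as a stand-in for ransomware encryption, one deleted) is constructed.

```python
"""Backup integrity and restore test.

Added example, not code from the article or from Tassat. Assumptions: the
backup set is a directory of plain files, and a manifest of SHA-256 hashes
was recorded at backup time and kept somewhere the backup job cannot write
to, so an attacker who encrypts or deletes backup files cannot rewrite the
manifest to match.
"""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional

HASH_CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup archives fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(HASH_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file's path (relative, POSIX-style) to its SHA-256 digest."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*")) if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict, max_age_s: float,
                  now: Optional[float] = None) -> dict:
    """Check the three properties the text asks for: complete (every
    manifest entry still exists), intact (hashes match) and current (newest
    file no older than max_age_s). Encrypted or deleted files show up as
    'corrupt' or 'missing'."""
    now = time.time() if now is None else now
    missing, corrupt, newest = [], [], 0.0
    for rel, digest in manifest.items():
        p = backup_dir / rel
        if not p.is_file():
            missing.append(rel)
            continue
        if sha256_file(p) != digest:
            corrupt.append(rel)
        newest = max(newest, p.stat().st_mtime)
    stale = not newest or (now - newest) > max_age_s
    return {"missing": missing, "corrupt": corrupt, "stale": stale,
            "ok": not (missing or corrupt or stale)}


def restore_test(backup_dir: Path, manifest: dict) -> bool:
    """The 'when did you last try restoring' check: copy the set into a
    scratch directory and verify the restored copy, not the original."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch) / "restore"
        shutil.copytree(backup_dir, dest)
        return verify_backup(dest, manifest, max_age_s=float("inf"))["ok"]


def demo() -> tuple:
    """Constructed scenario: a small backup set that verifies cleanly, then
    the same set after one file is overwritten with random bytes (what a
    ransomware-encrypted backup looks like) and another is deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "ledger").mkdir(parents=True)
        (backup / "ledger" / "accounts.csv").write_bytes(b"id,balance\n1,100\n2,250\n")
        (backup / "config.ini").write_bytes(b"[core]\nregion=us-east\n")
        manifest = build_manifest(backup)   # in practice stored off-host
        before = verify_backup(backup, manifest, max_age_s=3600)
        restored = restore_test(backup, manifest)
        (backup / "ledger" / "accounts.csv").write_bytes(os.urandom(64))
        (backup / "config.ini").unlink()
        after = verify_backup(backup, manifest, max_age_s=3600)
        return before, restored, after


if __name__ == "__main__":
    b, r, a = demo()
    print("clean backup ok:", b["ok"], "restore test passed:", r)
    print("after tampering:", a)
```

The point of keeping the manifest separate from the backup is that an attacker who gains write access to the backup store can encrypt the files but cannot make the hashes agree, so the nightly verification run turns a silent loss into an alert before the backup is actually needed. The restore test copies into a scratch directory rather than verifying in place, which is the only way to learn that the restore procedure itself works.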
Change employee habits to protect the bank
Smart, security-aware people are the foundation of every security program. Banks should consider three key aspects when constructing an employee cybersecurity training program.
- First, ensure your training is engaging, and dare we say, even fun. The training should be tailored to include scenarios that could happen to employees at any point in the day.
- Second, conduct the training in an environment in which employees are encouraged to ask questions and make mistakes. Truly impactful training relies on fostering a general culture of collaboration and trust within the organization.
- Third – repeat, repeat, repeat. Repetition is the key to learning, and that couldn’t be truer than when it comes to security awareness training. The best time for human error and mistakes is during training – so employees can learn from their mistakes. And then repeat.
Remember the technology side of the coin
Regardless of the type of technology investments a bank has made, even the most costly and sophisticated security policies, procedures and solutions can be defeated by human error. Human error accounts for many weaknesses in the security structure of banks. Banks need to do their own due diligence before investing in technology, create and adhere to strict cybersecurity guidelines, and collaborate with fintechs and other service providers to create the most robust cyber program possible.
As more and more technology vendors enter the market, it can be hard for a bank to discern which are credible and able to meet its needs. A good place to start is by requesting their ISO 27001 certificates and SOC 2 reports, formal reports produced by a third-party auditor that tell the bank whether the vendor it is evaluating has a properly functioning controls environment. Another suggestion is to add an audit clause to any new vendor contract that will allow the bank to check in on the vendor’s processes and security. Before investing in any technology, banks should check for any publicly disclosed security issues and examine the vendor’s financial health, corporate structure and any possible mergers or acquisitions.
A few final words to avoid nightmare cybersecurity scenarios
Proactivity is key when it comes to cybersecurity. Don’t wait for there to be a problem; start now and ensure your bank has a robust cybersecurity program and a meticulous data backup program that incorporates operational resilience, disaster recovery and a culture of cybersecurity awareness. Prevention and resilience are key to countering the evolving threat landscape. Think about ‘snapshotting,’ an excellent way to protect against ransomware-induced data encryption. Snapshotting allows banks to capture all data every 15 or 30 minutes – so even if a ransomware attack is successful and the bank’s data is encrypted, all functions can continue operating with data that is only a quarter hour old.
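The “only a quarter hour old” guarantee holds only if the snapshot job really runs every 15 minutes, so the schedule itself is worth verifying. The following is an added example, not code from the article or from Tassat: it assumes the storage system can list the creation times of its existing snapshots (constructed here as a plain list of datetimes) and that the bank’s target is that restorable data is never more than 15 minutes old. It also goes a step beyond the text by thinning old snapshots with a retention policy, since keeping every 15-minute snapshot forever is not practical.

```python
"""Snapshot schedule and retention check.

Added example, not code from the article or from Tassat. Assumptions: the
storage system can list the creation times of its existing snapshots
(constructed here as a plain list of datetimes) and the bank's target is
that restorable data is never more than 15 minutes old. Retention thinning
goes beyond the text, which only describes the capture interval.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

TARGET_RPO = timedelta(minutes=15)   # the "quarter hour old" target


def worst_case_data_loss(snapshots: List[datetime], now: datetime) -> Optional[timedelta]:
    """Largest window of changes not yet captured: the biggest gap between
    consecutive snapshots, or between the newest snapshot and now."""
    if not snapshots:
        return None
    times = sorted(snapshots)
    gaps = [b - a for a, b in zip(times, times[1:])] + [now - times[-1]]
    return max(gaps)


def missed_intervals(snapshots: List[datetime], now: datetime,
                     interval: timedelta = TARGET_RPO) -> List[Tuple[datetime, datetime]]:
    """Gaps longer than the schedule interval: each one is a period in which
    the snapshot job silently failed to run."""
    points = sorted(snapshots) + [now]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > interval]


def retention_keep_set(snapshots: List[datetime], now: datetime,
                       dense: timedelta = timedelta(hours=24),
                       hourly: timedelta = timedelta(days=7)) -> Set[datetime]:
    """Keep every snapshot younger than `dense`, the newest per hour up to
    `hourly`, and the newest per day beyond that; everything else may expire."""
    keep: Set[datetime] = set()
    seen: Set[tuple] = set()
    for t in sorted(snapshots, reverse=True):   # newest first wins each bucket
        age = now - t
        if age <= dense:
            keep.add(t)
            continue
        if age <= hourly:
            key = ("h", t.replace(minute=0, second=0, microsecond=0))
        else:
            key = ("d", t.date())
        if key not in seen:
            seen.add(key)
            keep.add(t)
    return keep


def demo() -> Dict[str, object]:
    """Constructed snapshot history: 15-minute snapshots over the last three
    hours with one run missing, a cluster from three days ago, and two from a
    month ago."""
    now = datetime(2024, 1, 1, 12, 0)
    recent = [datetime(2024, 1, 1, 9, 0) + timedelta(minutes=15 * k) for k in range(12)]
    recent.remove(datetime(2024, 1, 1, 10, 30))          # the job skipped one run
    old = [datetime(2023, 12, 29, 12, m) for m in (0, 15, 30, 45)]
    ancient = [datetime(2023, 12, 2, 8, 0), datetime(2023, 12, 2, 9, 0)]
    history = recent + old + ancient
    worst = worst_case_data_loss(recent, now)
    keep = retention_keep_set(history, now)
    return {
        "worst_minutes": int(worst.total_seconds() // 60),
        "meets_rpo": worst <= TARGET_RPO,
        "missed": [(a.strftime("%H:%M"), b.strftime("%H:%M"))
                   for a, b in missed_intervals(recent, now)],
        "kept": len(keep),
        "kept_from_old_cluster": sorted(t.strftime("%Y-%m-%d %H:%M") for t in keep if t in old),
        "kept_from_ancient": sorted(t.strftime("%Y-%m-%d %H:%M") for t in keep if t in ancient),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the constructed history one 10:30 run is missing, so the worst-case data loss is 30 minutes rather than 15 and the RPO check fails; that is exactly the condition an operator wants alerted on, because a single skipped job quietly doubles the amount of data a ransomware incident would cost. The retention policy keeps all 11 recent snapshots, the newest of the four from three days ago, and one of the two from a month ago.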
In the end, it all boils down to balance. Trust your technology vendors – but test and verify their protection regularly. Trust your employees – but run continuous training exercises and ensure they learn from their mistakes. Investing equally on both the technology and human fronts will offer the best protection against criminals – and the best way to protect your bank in the new era of cyberattacks.