The Current State of Cyber Security for Financial Services (Spoiler: It’s Still Not Great)
Do you remember the problems that plagued cyber security for financial services in 2014? The high volume of attacks on globally-recognized financial institutions led the industry to be named the world’s most vulnerable to cyber attacks that year.
The industry-wide vulnerability to cyber attacks led many of the world’s largest banks to make drastic cybersecurity changes. JP Morgan Chase, for example, is expected to spend $500 million on cybersecurity in 2016—more than twice what it spent in 2014 when it experienced a data breach. Similarly, Bank of America, Citibank, and Wells Fargo are all increasing their cybersecurity spending dramatically, creating a nearly $1.5 billion market with these four banks alone.
In 2016, the financial services industry is just the third-most vulnerable industry to cyber attacks (behind healthcare and manufacturing). This might lead you to believe that increased spending on cyber security for financial services is mitigating threats in the industry, but don’t be fooled.
Despite dropping down in the rankings of the industries most vulnerable to cyber attacks, the financial services industry still faces very serious threats. Let’s dive deeper into the current state of cybersecurity in the financial services industry in 2016.
Putting the Threats to Cyber Security for Financial Services in Perspective
SecurityScorecard recently released its 2016 Financial Industry Cybersecurity Report. Cyber crime is such a wide-reaching and universal challenge today that you likely don’t need more statistics to tell you that the financial services industry is vulnerable. However, some of the key findings from SecurityScorecard’s report can help put the current state of financial cybersecurity in perspective.
SecurityScorecard’s 2016 findings included:
- 75% of the Top 20 U.S. commercial banks are infected by malware (and some are infected by multiple different malware families)
- 95% of the Top 20 U.S. commercial banks were graded “C” or worse for network security
- Almost 20% of financial institutions use an email service provider that has known security vulnerabilities
There’s no denying that the financial services industry faces a severe cybersecurity problem—especially when you look at some of the most recent attacks on the industry.
3 Cybersecurity Incidents from 2016
There have already been a number of troubling examples of cyber attacks on financial institutions in 2016, and we still have an entire quarter to go. However, security professionals in the industry should be looking at these attacks and trying to get a better understanding of how attackers approach financial firms.
Three major cybersecurity incidents from the first 8 months of 2016 include the Central Bank of Bangladesh heist, the HSBC DDoS attack, and the breach of Bitfinex.
Understanding SWIFT and the Central Bank of Bangladesh Heist
In February 2016, a cyber bank heist involving the Central Bank of Bangladesh was discovered. While the attackers made off with $81 million, reports say that if it weren’t for a typo on the part of the hackers, the value could have reached $1 billion.
The attackers compromised the Central Bank of Bangladesh and used that foothold to compromise the bank’s Society for Worldwide Interbank Financial Telecommunication (SWIFT) account. The SWIFT network processes 25 million financial communications per day, making it a prime target for attackers looking to turn a profit.
Unfortunately, the Central Bank of Bangladesh is not the only bank that gave attackers an opening to compromise the SWIFT network (though it was certainly the prime example). This attack has proven that vulnerabilities in cyber security for financial services threaten more than just a bank’s reputation—they can compromise an entire global trading network.
The HSBC Attack Showcases the Dangers of DDoS Attacks
Cyber attacks don’t always have to involve breached customer records or stolen money to prove dangerous. While HSBC, the U.K.’s largest financial lender, says that it successfully defended itself against attackers in January 2016, a DDoS attack still took its systems down for nearly 24 hours.
Incapsula research from 2014 indicates that DDoS attacks can cost companies an average of $40,000 per hour of downtime—and that figure has likely grown over the last 2 years as online and mobile banking have grown.
While HSBC has the financial stability to survive such an attack (twice), many smaller financial services companies would be forced to shut down should they experience this kind of incident.
The Bitfinex Breach Highlights the Vulnerability of Digital Financial Services
Bitfinex is one of the world’s largest Bitcoin exchange companies, and in August 2016, the company was attacked and lost approximately $70 million worth of bitcoins. As digital banking and financial services become increasingly prevalent, this attack sets a dangerous example.
Details are scarce at this time, but researchers believe that the Bitfinex vulnerability stemmed from their blockchain approach to digital wallets. In conjunction with BitGo, the company has created multi-signature Bitcoin wallets where users have separate sets of keys on the platform—a 2-of-3 key arrangement where Bitfinex has 2 keys and BitGo co-signs transactions with the third.
Blockchain is an emerging technology that is meant to make digital financial services more secure, but attackers seem to have compromised Bitfinex’s architecture. As the digital revolution takes shape, the financial services industry must step up its cybersecurity game.
Changing the Narrative when It Comes to Cyber Attacks on Financial Institutions
Moving forward, it’s clear that more needs to change than just increased cybersecurity spending. We need more efficient cybersecurity spending to meet the many vulnerabilities that the financial services industry has to attacks, including:
- Assessing vulnerabilities as third-party vendor integration intensifies
- Securing the new world of mobile and digital payments (especially with non-traditional finance companies like Apple and Google)
- A growing landscape of organized cyber crime rings and nation-state attacks targeting large financial institutions
It might be tempting to key in on specific malware and try to harden your systems against it. For example, GozNym is currently wreaking havoc on millions of U.S. bank account holders. However, the reality is that so many attacks still originate with just one compromised endpoint, and attackers then escalate from there.
If you’re ready to start securing your endpoints for the increasingly digital future, download our free white paper, Next Generation Endpoint Protection Buyer’s Guide.