5 Cybersecurity Weaknesses in Banking and Finance
In 2018, the finance industry experienced 19% of all cyberattacks and incidents, making it the most targeted industry in the world.
The Personally Identifiable Information (PII) and financial data that organisations in the banking and finance sector hold make them obvious targets. Cybercriminals can monetise this type of information quickly – through selling it on the dark web or transferring funds from hacked accounts into their own.
So, it’s no surprise that the industry is subject to compliance regulations which aim to strengthen cyber resilience and protect consumers’ data and money.
Despite the risk and strong regulations, the banking and finance industry is still experiencing cybersecurity weaknesses as hacks increase in frequency.
We take a look at 5 of the most pressing issues, and the ways to overcome them.
1. Unintentional insider vulnerabilities
One cybersecurity weakness of the banking and finance sector comes from insider vulnerabilities. This is where staff within a banking or financial organization inadvertently leave the company open to attack.
According to IBM’s 2019 X-Force Intelligence Index, almost two-thirds (29%) of attacks analysed involved insiders falling for phishing emails.
Of those, 45% involved business email compromise scams, also known as whaling attacks. These attacks see hackers target the email accounts of senior members, such as CEOs, and defraud the company into sharing sensitive information.
Other common causes can be the improper configuration of systems and servers.
How the industry can improve: Training culture and software solutions
To overcome this, cybersecurity should be made a concern beyond just the IT department. Staff with access to the network at all levels – from administrative to managerial – should be properly educated and trained in their responsibility for keeping it secure from cyberattacks.
Poor updates or configuration of servers can also mean the network is more vulnerable to malicious attacks aimed at defrauding insiders.
Software solutions such as anti-phishing web browsing software can help prevent phishing emails from reaching employees’ inboxes in the first place. Plus, IT can implement email and link filtering with black and white lists to block known offenders.
Additionally, organisations should clearly define how staff are expected to interact with the network. Implementing policy on the locations and devices staff can log in from, as well as the type of access they’re allowed, will help minimise the threat.
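To make the list-based link filtering concrete, here is an added example (not code from the original article or any product it mentions) of a minimal email link filter in Python. It extracts URLs from a message body, classifies each host against a blocklist of known offenders and an allowlist of approved domains, and returns a delivery decision; the domains, lists and sample messages are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed example lists; a real deployment would feed these from
# threat intelligence and the organisation's own approved domains.
BLOCKLIST = {"login-secure-bank.example", "bank-verify.example"}
ALLOWLIST = {"bank.example", "intranet.bank.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(body):
    """Return the URLs found in an email body, trailing punctuation stripped."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(body)]


def _matches(host, domains):
    # Exact match, or a subdomain of a listed domain.
    return host in domains or any(host.endswith("." + d) for d in domains)


def classify_url(url):
    """Verdict for one link: 'block', 'allow' or 'review' (unknown host)."""
    host = (urlparse(url).hostname or "").lower()
    if _matches(host, BLOCKLIST):
        return "block"
    if _matches(host, ALLOWLIST):
        return "allow"
    return "review"


def filter_email(body):
    """Decide what to do with a message based on its worst link verdict."""
    verdicts = {u: classify_url(u) for u in extract_urls(body)}
    if "block" in verdicts.values():
        decision = "quarantine"   # known offender: never reaches the inbox
    elif "review" in verdicts.values():
        decision = "flag"         # unknown host: deliver with a warning banner
    else:
        decision = "deliver"
    return decision, verdicts


# Constructed sample messages used to exercise the filter.
PHISHING_EMAIL = ("Your account is locked. Verify your details at "
                  "https://login-secure-bank.example/reset now.")
INTERNAL_EMAIL = "Quarterly figures are on https://intranet.bank.example/finance/q3."
UNKNOWN_EMAIL = "Vendor report attached: https://docs.unknown.example/report.pdf"

if __name__ == "__main__":
    for msg in (PHISHING_EMAIL, INTERNAL_EMAIL, UNKNOWN_EMAIL):
        print(filter_email(msg))
```

The unknown-host case is the one worth thinking about: a pure block/allow list can only stop offenders it already knows, so the example treats anything on neither list as "flag" rather than silently delivering it, which is where a warning banner or a reputation lookup would slot in.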
2. Supply chain risk
Often, financial institutions will have sophisticated security in place but rely on third-party vendors, such as cloud service providers, to manage the cost of compliance.
However, a breach at a third party can weaken the defences of the finance organisation, because data is shared between the two. Any attack on the network, whether on the organisation’s own systems or the third party’s, can damage reputations and leave organisations subject to fines.
How the industry can improve: Thorough checks and segmentation
When bringing on any third-party vendor, it’s crucial to consider the cybersecurity implications. Ask for details on what data will be shared, where it will be stored, how they protect it, and who is responsible should a breach occur.
With the repercussions of failing to comply being so high, it pays to vet any third parties you’re considering doing business with.
Some practical ways to ensure your data and network remain secure include implementing multi-factor authentication for supplier access. Considering the use of jump hosts or perimeter security at the network and software level can help to isolate sections of the supply chain and contain a breach within one section should it occur.
3. Failure to hire talent
Cybersecurity is highly complex and, as with any industry, banking and finance are struggling to find the talent needed to improve cyber-resilience.
By some estimates, by 2021 the number of unfilled cybersecurity positions could reach 3.5 million. Therefore, competition to attract the best candidates will only get tougher.
Many organisations are looking to hire experts in the field with years of experience and the skills to hit the ground running. However, in the current threat climate this approach could see industries fall behind cybercriminals’ tactics.
How the industry can improve: Automated solutions and outsourcing
Organisations in the banking and finance industry could utilise automated solutions to combat the lack of employees in the IT sector. With machine learning and AI developing at speed, we’re seeing more tools entering the market that can automate cybersecurity and cyber-compliance. These have now been developed to the point where they can be seriously considered as an alternative to some IT roles.
Additionally, the gap in knowledge left by a lack of talent can be filled by outsourcing to contractors and partners such as security VARs and vendors. These third parties can help to configure security appliances and consistently test those technologies to help fulfil your regulatory compliance obligations.
4. Large user population
The talent gap problem is made worse by the large and complex population accessing banking and finance networks. From staff-side users to customers accessing NetBanking, organisations have to deal with a variety of touchpoints while having little control over how those users interact with them.
What is more, these increased touchpoints give cybercriminals more opportunity to attack. For example, users’ personal devices could present an easy way in for hackers looking to breach financial networks, especially if users forgo security features such as passcodes.
Regulations such as PSD2 should see touchpoints like these become more secure, but the responsibility falls back on banking and finance organisations to implement them.
How the industry can improve: MFA
We previously mentioned the importance of implementing policies for staff-side network users, and this can go some way to making internal touchpoints more secure. Technologies such as multi-factor authentication could help ensure user interaction is consistent by putting additional steps in place for access. Plus, it can form part of your organisation’s identity management plan to classify users and give them the appropriate access rights.
On top of this, features such as Risk Based Authentication (RBA) can apply the right level of authentication depending on the user’s circumstances – for example, if they are accessing the network locally or remotely.
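The device and location policy described under weakness 1 and the risk-based authentication described here are really one decision: given who is logging in, from where and on what, how much proof should be demanded? The following added example (not the article's code or any vendor's product) shows that decision as a small Python policy. The roles, risk weights, thresholds and factor names are constructed for illustration; a real deployment would tune them against its own login telemetry.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    role: str                        # "customer", "staff" or "admin"
    network: str                     # "local" (on-premises) or "remote"
    device_managed: bool             # corporate-managed device with an enforced passcode
    device_known: bool               # device previously seen for this user
    location_matches_profile: bool   # geography matches the user's usual pattern


# Constructed weights: the more a user can do, the more a stolen password is worth.
ROLE_BASE_RISK = {"customer": 1, "staff": 2, "admin": 3}


def risk_score(ctx):
    """Additive risk score for one login attempt (weights are illustrative)."""
    score = ROLE_BASE_RISK.get(ctx.role, 3)   # unknown roles are treated as high-risk
    if ctx.network == "remote":
        score += 2
    if not ctx.device_managed:
        score += 1
    if not ctx.device_known:
        score += 2
    if not ctx.location_matches_profile:
        score += 3
    return score


def authentication_policy(ctx):
    """Return the access decision and the factors the user must complete."""
    score = risk_score(ctx)
    # Hard policy gate, independent of the score: privileged staff may only
    # log in from managed devices, as a device policy would require.
    if ctx.role == "admin" and not ctx.device_managed:
        return {"decision": "deny", "factors": [], "score": score}
    if score <= 2:
        factors = ["password"]
    elif score <= 5:
        factors = ["password", "otp"]
    else:
        factors = ["password", "otp", "out_of_band_confirmation"]
    decision = "allow" if len(factors) == 1 else "challenge"
    return {"decision": decision, "factors": factors, "score": score}


if __name__ == "__main__":
    # Constructed scenarios: an office login, a remote staff login,
    # a typical NetBanking customer and an admin on a personal laptop.
    for ctx in (
        LoginContext("staff", "local", True, True, True),
        LoginContext("staff", "remote", True, True, True),
        LoginContext("customer", "remote", False, False, False),
        LoginContext("admin", "remote", False, True, True),
    ):
        print(ctx, "->", authentication_policy(ctx))
```

Two design points carry over to any real system: the hard gate runs before the score, so a policy violation can never be "bought back" with extra factors, and the score is additive over independent signals, which makes it easy to explain to auditors why a particular login was challenged.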
Secure technology is only effective if all network users use it, so it’s important to find a solution which integrates with your current systems and applications and is easy to use.
5. Gaps in technology
Finally, banking and finance websites and applications pose a weakness in the larger network architecture.
When researchers tested banking and finance websites, they found them to be the most vulnerable to hacking. The data revealed that 80% of those tested were vulnerable to cross-site scripting (XSS) attacks, in which cybercriminals can run malicious code on a website or app. The malicious script can then access the user’s cookies and other sensitive information, as well as rewrite the content of the webpage.
These vulnerabilities cause distrust among users so, to be competitive, organisations should look at what they can implement to secure websites and applications.
How the industry can improve: Refined testing and firewalls
PSD2 regulations state that payment service providers are required to have measures in place to prevent app cloning.
In the app-building stages, developers could test and learn from the source code before it goes live to assess whether it could be vulnerable to attacks.
Once live, implementing web application firewalls – whether they’re software only, dedicated appliances or modular hardware firewalls – will help to prevent unauthorised access to administrative areas of banking and finance websites or apps. It’s crucial to build a firewall that meets the required level of security.
Despite these weaknesses, the industry has plenty of opportunity to improve. A common theme among the solutions, though, is finding the right technology and software to support your business.
From technical fixes, to finding the right partners and third parties, it’s crucial to find solutions which support your business, secure your network, and complement your aims for regulatory compliance.