To even the casual observer, it’s been a visibly turbulent year for the financial sector. We might think back to March when Silicon Valley Bank collapsed, setting off a chain of panic about the stability of the financial system. Though widespread economic fears have calmed in recent months, the financial sector continues to face intense pressure as it attempts to transform and maintain digital relevancy, while at the same time protecting a globally interconnected web of systems that are increasingly under attack. In this blog post, we’ll briefly explore the top three cyberthreats facing the financial sector today, along with some actionable recommendations.
1. Ransomware
Ransomware might seem like old news, but attacks continue to inflict massive disruption at an unrelenting pace. One report estimates the global impact to the economy has been US$32.3 billion since 2018 as a result of downtime associated with ransomware attacks in the financial sector. Even more concerning are reports that indicate ransomware attacks against the financial sector are increasing. According to SOCRadar, the finance industry was the seventh most targeted sector for ransomware attacks during the first half of 2023.
Although the trends are unsettling for the financial sector, there are some practical steps an organization can take to improve its posture. While none of these recommendations are groundbreaking, they are foundational and frequently undervalued as organizations divert their attention toward more advanced next-gen solutions.
- Assess your risk: Perform a ransomware risk assessment to identify gaps that require further remediation. Several free tools are available online to help assess organizational readiness.
- Maintain good cyber hygiene: Keep an updated asset inventory, maintain a regular cadence of patching and continuously scan for new vulnerabilities.
- Implement strong access controls: Limit access to technology resources based on the principle of least privilege and enforce MFA at every opportunity.
- Protect your data: Prevent unobstructed movement using network segmentation, perform frequent backups that are isolated off the network and regularly test restoration procedures.
- Test your plans: Practice with table-top exercises that bring technical and business stakeholders together to test real-world scenarios and weigh decisions before an incident occurs.
2. Supply Chain
Supply chain attacks took center stage in 2020 with the massive SolarWinds hack that allegedly impacted thousands of customers who unknowingly downloaded infected software updates. The sophisticated attack was so carefully orchestrated and stealthily executed over an extended period that we may never fully know the scope of impact. Not long after the SolarWinds incident, Kaseya was impacted by a zero-day vulnerability that affected software used by a long list of managed service providers (MSPs), which in turn propagated to many of their clients.
Fast forward to 2023, and we continue to see supply chain attacks in the headlines. Most recently, hundreds of organizations have allegedly been impacted by a zero-day vulnerability in MOVEit, a popular software program used for file transfers. To date, the list of reported victims is over 400, with many said to include organizations in the financial sector. According to SC Media, there could be as many as 73,000 impacted organizations due to a complex web of relationships within the supply chain. While the scope of the MOVEit compromise continues to unravel, the banking sector appears to have been the focus of another supply chain attack that targeted at least two banks using malicious open source packages.
Supply chain attacks are revealing the frailty of software development lifecycles (SDLCs) that lack rigorous security and testing standards. To an extent, organizations are at the mercy of vendors to ensure that adequate standards are enforced to keep their development infrastructure secure and proactively identify vulnerabilities. Still, there are steps an organization can take to protect themselves and hold vendors accountable.
- Perform vendor due diligence: Assess the history, financial stability and security risks associated with the vendor and review any independent audit reports that add assurance.
- Negotiate the contract: To the extent possible, ensure the contract carries adequate provisions that hold the vendor accountable and offers some protection in the event of a breach.
- Monitor vendor performance: Periodically assess the vendor’s compliance with agreed upon standards and consider a service that continuously monitors the security posture of third parties.
- Restrict vendor access: Avoid granting vendors unfettered access to the network by using a Privileged Access Management (PAM) solution that controls and monitors their access.
3. Phishing
We know it’s coming, and yet phishing persists as one of the most prevalent and proven forms of attack, often combined with elements of social engineering. Controls will never achieve 100 percent prevention, so thwarting phishing attacks often comes down to human judgement. Unfortunately, phishing tactics work well because they are often convincing enough that they catch an unsuspecting user that’s distracted or busy multitasking. According to Verizon’s 2023 Data Breach Investigations Report, 74 percent of breaches involved the human element.
Unfortunately, the financial sector appears to be one of the most targeted sectors. According to APWG’s Phishing Activity Trends Report, 2022 was the highest year on record with 4.7 million phishing attacks, 27.7 percent of which targeted the financial sector specifically. While the volume of phishing attacks continues to increase, so does their ability to evade detection. Generative AI has given adversaries a new tool at their disposal to misuse and craft phishing emails that are absent of all the usual indicators, such as misspellings, poor grammar and so on. Besides the obvious technical controls that most organizations should already have in place, there are some steps that can help users avoid being the weakest link.
- Train, and train some more: A steady pipeline of sanctioned phishing campaigns along with tips and training will help teach most employees to slow down and spot the indicators.
- Tag external emails: Add a simple tag to external emails that makes it obvious to an end user that an email originated outside the organization.
- Watch for impersonation: Consider adding a service that proactively monitors the web for any signs of brand impersonation that could be targeting employees or customers.