Not so long ago, the biggest headache at most banks was bad credit, or, in a few cases, fear of a bank robbery. Those simple, if troublesome, days have receded deep into the background.
Today the biggest concern of banks and other players in the financial services sector is cyber attacks – and for good reason. According to Security Boulevard, the financial services industry remained among the biggest targets for hackers for the second year in a row in 2017. Banks alone lost nearly $17 billion to fraudsters last year, according to Javelin Strategy and Research, and the number of U.S. customers victimized increased more than 8% to 16.7 million.
Why are banks and other financial services companies at the forefront of cyber warfare, and not, say, other industries also with loads of money at their disposal, such as insurance or Wall Street?
Infamous bank robber Willie Sutton hit the nail on the head relatively early last century when a reporter asked him why he targeted banks. “That’s where the money is,” he succinctly responded. Nearly 100 years later, at least one key fact about banking has not changed. In aggregate, banks still hold and circulate the most money, and the recent advent of online banking has made bank theft easier than ever. Criminals no longer have to barge into banks, guns drawn, or study blueprints and other schematics to try to find a plausible way to tunnel underground into a vault.
Online Banking Especially Troublesome
In addition to being vulnerable to credential stuffing and other attacks, online banking breaches are especially expensive to resolve. A study by Kaspersky Lab on cybersecurity threats in the financial services sector found that such breaches on average cost banks nearly $1.8 million -- double the price of recovering from a malware incident, and this excludes data loss and reputational harm.
The financial services industry is also being bombarded with data exfiltration hacks and denial-of-service and ransomware attacks. Overall, financial services firms are reportedly hit by security incidents a whopping 300 times more frequently than businesses in other industries.
“The only secure network in banking is one that is powered down and shut off,” Greg Carmichael, the CEO of Fifth Third Bancorp, recently told American Banker.
Since the allure of attacking banks and other financial institutions is not lost on hackers, the financial services industry spends big on cybersecurity and the quality of its protective measures and cybersecurity staff are widely considered top-flight. It’s no coincidence that Morgan Stanley set up its cybersecurity headquarters in Baltimore, not at its New York City headquarters, putting it less than a 30-minute drive from the headquarters of the National Security Agency at Fort Meade.
Nonetheless, the rate of financial services industry breaches has tripled over the past five years, according to a report by Accenture and Ponemon Institute. This is banking’s version of a nagging dilemma that permeates all players involved in cybersecurity. While the technology keeps improving, so, too, does hacker sophistication and attack modalities, making truly better protection against cyber attacks elusive.
The Theft of Bangladesh Bank
One particularly heinous attack two years ago -- the targeting of Bangladesh Bank’s account at the New York Federal Reserve Bank -- netted unidentified hackers $81 million by placing fraudulent orders on the SWIFT global communication network, which facilitates the international exchange of payment instructions between banks, central banks, multinational corporations and major securities firms in 180 countries.
The previous year, researchers from Kaspersky Lab were called in to investigate unusual thefts from 29 Russian banks and other organizations. This led to the discovery of three new sophisticated attack campaigns. In a single night, the gang behind one of the campaigns used a malware program to steal millions of rubles from a Russian bank.
Notwithstanding their aggressive efforts, banks and other financial services companies need to do more to mitigate cyber attacks. Overall, they need to adopt a more comprehensive security mindset and become more comfortable with using state-of-the-art cybersecurity technology.
The lack of standardized, centralized procedures for cybersecurity at many banks is alarming. A study a year ago by Cisco Systems found that only 48% of financial services organizations polled even have a standardized information security policy. Too few banks still protect specific assets in different ways and view cybersecurity as a specific department, instead of something embedded throughout the entire organization.
Another problem – albeit not limited to the financial services industry -- is that security alert overload has careened out of control as the top security pain point. According to research firm Ovum, more than a third of banks receive more than 200,000 security alerts a day, a staggering signal-to-noise ratio problem. Most banks use dozens of security tools to spot and dig into problems, which seems like a good idea but leads to far too many productivity-killing false positives.
What banks need to do is more aggressively embrace automation, which combines actionable intelligence in combination with automated expert systems to enable autonomous decision-making when confronting perceived cyber attacks.
Some Good News
More positive, at least at this juncture, is that more banks have begun to incorporate umbrella-like cybersecurity programs.
Webster Bank in Waterbury, Conn., for instance, has begun embracing cybersecurity as “a team sport.” The bank’s CISO is ultimately responsible for the security of bank and customer information, but he works in partnership with the IT staff, different lines of business, vendors and customers to make sure that security risks are properly mitigated. Specific security plans are created before the start of every meaningful Webster Bank project.
This strategy needs to spread, and as mentioned, additional improvements must be made and adopted throughout the financial services industry. Banks can never stop improving their cybersecurity posture because their cyber nemesis never stops evolving.