Clearswift: From customer to competitor: Mitigating the financial sector’s chief threats
CTO at Clearswift, Dr. Guy Bunker, discusses his views on the top threats to finance and how to mitigate them.
Recent reports show that cyber-attacks on the financial services sector rose fivefold in 2018, and in April 2018 seven of the UK's biggest banks suffered major cyber-attacks that forced them to reduce operations or even shut down systems. The cyber threatscape is ever-evolving and financial institutions are being targeted by cyber-criminals in new ways due to the increasingly significant value of financial data. It is therefore vital that financial institutions are not only aware of the rising threats from malicious cyber-criminals but also go above and beyond to secure their critical data.
Today’s cyber-criminal is unlikely to be an individual, but is more likely to be part of a gang of highly trained people who will buy and sell the information they collect on the dark web, as well as information on vulnerabilities they find in the networks they are attacking. The software they use will typically be multi-purpose and ‘commercialised’ by other cyber-gangs. This is no longer the era of a ‘hacker’ in the back-bedroom trying to make a name for themselves; cyber-crime is big business and, unfortunately, growing.
Email is a gateway to data theft
One of the most significant risks to financial sector organisations is loss of customer data. Cyber-criminals target financial institutions in the hope of stealing customer data such as account details with credit / debit card details, including CVV numbers, social security numbers and other private financial details. While there are multiple ways in which this information can be maliciously obtained, the most prominent today are phishing emails or links in both corporate and personal email. Cyber-criminals use seemingly innocent emails and links to hide malicious code that, once activated, can compromise the individual and then use their credentials to gain access to entire databases of critical data. In-depth access to transactional financial information gives cyber-attackers a wealth of opportunities to make money, either by stealing from customers themselves (if they gain access to card details) or by holding the information to ransom. In the case of ransomware, whole systems and network drives can be held to ransom as the data is encrypted.
When it comes to data breaches, there is a multitude of different financial legislation which can be used to impose fines, including the ever-present GDPR with its huge fines of up to €20 million, or 4% of global turnover, that can be levied against firms who breach the regulations. While the maximum fine has yet to be imposed, the values are rising, so it is only a matter of time.
New innovations bring new threats
New assets being introduced into the financial space – such as bonds, bitcoins and other forms of crypto-currency – are also targeted by cyber-criminals and, with these new technologies offering less traceability, are becoming increasingly popular targets. Anonymity is one of the primary reasons bitcoin became so popular with users; however, that is also why it’s popular with cyber-criminals. It is the payment option of choice for ransomware but is also a target in and of itself. Bitcoin lets customers store their currencies remotely in offline wallets and initially appears to be more secure because cyber-criminals can’t easily attack the decentralised network. However, they are finding new ways to get around this to attack the source, including installing keylogger malware on devices in order to find the access codes. There have been a number of instances where financial institutions using bitcoin have been attacked by cyber-criminals looking to gain access to codes to wallets – and succeeded, including Zaif, Mt. Gox and Coincheck. Needless to say, this doesn’t just put the customer and their funds at risk, it also jeopardizes the financial organisation's reputation and its whole asset base. The crossover and interorganizational complexity of transactions across new and old financial institutions in the future will continue to create opportunity for cyber-criminals if they are not addressed upfront and continuously monitored.
Cyber-criminals are going under the radar
However, it is not just ‘obvious’ account data which is of value; other information can also be sold to competitors or on the dark web for other cyber-gangs or hacktivists to use. Corporate espionage is nothing new, but the Internet has opened the door for attacks from anywhere. Spear-phishing, where cyber-criminals target individual employees and use any and all the information they can find online to build trust, is commonplace. They will also target personal email, with a view that the individual will open it while on a corporate device on the corporate network. Imagine an innocuous-looking weaponised document entitled “Job offer”: wouldn’t you open it?
Business Email Compromise (BEC) is also growing, where cyber-criminals pose as the CEO of a company, spoofing their email address, and send emails with criminal intent, for example asking for fake invoices to be paid, or requesting information on exchange rates from bank tellers in a certain region. In the case of the latter, the information can be sold on to competitors in order to gain commercial advantage. It’s not just the CEO; all the executive team can be targeted for impersonation. For example, the Head of HR could request information on employees. A list of all employees and their salaries puts the entire organization at risk, and not just from fines for a data breach. Staff poaching and reputational damage will also be a major issue.
Preparation is key
So how can financial institutions protect themselves against this plethora of threats? Firstly, education is vital. From the bank tellers to the security team, everyone needs to understand the current cyber security threats, what they look like and how to best protect against them. Data breaches can come from anywhere, even simple tasks such as opening emails, clicking a link or downloading a file can result in a breach and can therefore be directly or indirectly caused by any member of staff, no matter what their role. Every employee in a financial organisation needs ongoing training and education to teach them about the latest threats and what to do should they think they have been targeted or fallen for one.
It has recently been reported that financial institutions are 300 times more likely to be subject to a cyber-attack than other industries. Detailed processes need to be in place for all employees to follow if there has been an incident, and the correct protocol followed. Don’t shoot the messenger. The organization needs to encourage employees to report incidents no matter how small they think they might be. We are all human and if a mistake has been made, it’s better to know about it sooner rather than later. If there has been a data breach, then timely communication, including to customers, is essential as part of the process to resolve the incident. Ignorance is not bliss.
With the average cyber-attack costing $1 million, it is vital to have cost-effective preventative measures in place. Financial organisations cannot stop working with data because of the cyber risk attached, so technology needs to be in place to underpin security. Today’s email and web solutions can provide extra layers of threat detection and prevention against the new generation of information-borne threats with functionality such as document sanitization. Automatic redaction based on both content and context will also help prevent exfiltration of data into unauthorised hands, whether it is sending the wrong information to the right person or sending any information to an unauthorised recipient. The latest security solutions create a seamless safety net to protect data and employees on a day-to-day basis.
Although cyber threats are undoubtedly growing, financial institutions need to be aware of the new threats and that there are solutions which can protect against them. Deploying the latest security technologies will mitigate the risks, keeping the organization, its information, staff and ultimately customers safe.
Stripe backs Step - the digital bank for teens
The Series C round raised US$100m in capital from a number of backers, including Coatue, TikTok star Charli D’Amelio, actor Jared Leto, and Will Smith’s Dreamers VC, for the enterprise.
Step provides a free FDIC-insured bank account and Visa card to teenagers. The accounts are backed by Evolve Bank and there is no subscription charge for its usage. Users don’t pay for their accounts and there are also no overdraft fees.
The mobile banking app enables parents to set controls and limits on spending and encourage responsible finances. According to data released by the company, 88% of the platform’s users say this is their first bank account.
To date, Step has seen great success in the marketplace. The company has raised more than $175m from investors and now has 1.5m users.
Stripe, which was founded by Irish brothers Patrick and John Collison, previously led Step’s $22.5m Series A round in 2019.
Step's Series B funding round also brought in $50m, and has a distinctly celeb-tinged reputation with investors including Justin Timberlake and the pop duo The Chainsmokers.
Users get access to a free, FDIC-backed bank account, a spending card and P2P payments platform to send and receive money instantly.
CJ MacDonald, chief executive of Step, said the company is aiming to improve the financial futures of the next generation. “Step is the only banking platform that enables teens to start building a positive credit history before they turn 18 and does not charge fees of any kind.”
He has previously spoken about the importance of financial literacy for young people. “Money is just one of those things where I think the more educated and equipped you are early, the better decisions you can make down the road,” he told . “And you can also prevent yourself from making costly mistakes. I mean, the average American doesn't have $400 in emergency savings and pays $350 a year in banking fees. If we can help this next generation just ultimately be smarter and more educated as it pertains to money, I think we'll all be better off.”
Kyle Doherty, managing director at General Catalyst and Step board member, explained, “Gen Z is flocking to modern financial solutions that can be easily embedded within their digital lives and Step has a unique model for how to do this right.”
The news follows on from Stripe’s recent announcement that it plans to acquire TaxJar. The fintech, which builds software for online businesses that automates the reporting and filing of sales taxes, will most likely be integrated with Stripe’s billing services.
Currently, no terms have been disclosed but the Boston start-up had raised more than $60m from investors including Insight Partners.
Stripe chief financial officer Dhivya Suryadevara said of the move, “With TaxJar, we will help millions of internet businesses running on Stripe with their sales tax and make it easier for them to sell internationally.”