Clearswift: From customer to competitor: Mitigating the financial sector’s chief threats
CTO at Clearswift, Dr. Guy Bunker, discusses his views on the top threats to finance and how to mitigate them.
Recent reports show that cyber-attacks on the financial services sector rose fivefold in 2018, and in April 2018 seven of the UK's biggest banks suffered major cyber-attacks that forced them to reduce operations or even shut down systems. The cyber threatscape is ever-evolving, and financial institutions are being targeted by cyber-criminals in new ways because of the increasingly significant value of financial data. It is therefore vital that financial institutions are not only aware of the rising threats from malicious cyber-criminals but also go above and beyond to secure their critical data.
Today’s cyber-criminal is unlikely to be an individual, and is more likely to be part of a gang of highly trained people who buy and sell the information they collect on the dark web, as well as information on vulnerabilities they find in the networks they are attacking. The software they use will typically be multi-purpose and ‘commercialised’ by other cyber-gangs. This is no longer the era of a ‘hacker’ in the back-bedroom trying to make a name for themselves: cyber-crime is big business and unfortunately growing.
Email is a gateway to data theft
One of the most significant risks to financial sector organisations is loss of customer data. Cyber-criminals target financial institutions in the hope of stealing customer data such as account details with credit / debit card details, including CVV numbers, social security numbers and other private financial details. While there are multiple ways in which this information can be maliciously obtained, the most prominent today are phishing emails or links in both corporate and personal email. Cyber-criminals use seemingly innocent emails and links to hide malicious code that, once activated, can compromise the individual and then use their credentials to gain access to entire databases of critical data. In-depth access to transactional financial information gives cyber-attackers a wealth of opportunities to make money, either by stealing from customers themselves (if they gain access to card details) or by holding the information to ransom. In the case of ransomware, whole systems and network drives can be held to ransom as the data is encrypted.
When it comes to data breaches, there is a multitude of different financial legislation under which fines can be imposed, including the ever-present GDPR with its huge fines of up to €20 million, or 4% of global turnover, that can be levied against firms that breach the regulations. While the maximum fine has yet to be imposed, the values are rising, so it is only a matter of time.
New innovations bring new threats
New assets being introduced into the financial space – such as bonds, bitcoins and other forms of crypto-currency – are also targeted by cybercriminals and, with the reduced traceability of these new technologies, are becoming increasingly popular targets. Anonymity is one of the primary reasons bitcoin became so popular with users; however, that is also why it’s popular with cyber-criminals. It is the payment option of choice for ransomware but is also a target in and of itself. Bitcoin lets customers store their currencies remotely in offline wallets and initially appears to be more secure because cyber-criminals can’t easily attack the decentralised network. However, they are finding new ways to get around this and attack the source, including installing keylogger malware on devices in order to find the access codes. There have been a number of instances where financial institutions using bitcoin have been attacked by cybercriminals looking to gain access to wallet codes – and succeeded, including Zaif, Mt. Gox and Coincheck. Needless to say, this doesn’t just put the customer and their funds at risk, it also jeopardizes the financial organisation's reputation and its whole asset base. The crossover and interorganizational complexity of transactions across new and old financial institutions in the future will continue to create opportunity for cyber-criminals if they are not addressed upfront and continuously monitored.
Cyber-criminals are going under the radar
However, it is not just ‘obvious’ account data which is of value; other information can also be sold to competitors or on the dark web for other cyber-gangs or hacktivists to use. Corporate espionage is nothing new, but the Internet has opened the door for attacks from anywhere. Spear-phishing, where cyber-criminals target individual employees using any and all information they can find online to build trust, is commonplace. They will also target personal email, with a view that the individual will open it while on a corporate device on the corporate network. Imagine an innocuous-looking weaponised document entitled “Job offer”, wouldn’t you open it?
Business Email Compromise (BEC) is also growing, where cyber-criminals pose as the CEO of a company, spoofing their email address, and sending emails with criminal intent. For example, asking for fake invoices to be paid, or requesting information on exchange rates from bank tellers in a certain region. In the case of the latter, the information can be sold on to competitors in order to gain commercial advantage. It’s not just the CEO: the whole executive team can be targeted for impersonation, for example the Head of HR could request information on employees. A list of all employees and their salaries puts the entire organization at risk, and not just of fines from a data breach. Staff poaching and reputational damage will also be a major issue.
Preparation is key
So how can financial institutions protect themselves against this plethora of threats? Firstly, education is vital. From the bank tellers to the security team, everyone needs to understand the current cyber security threats, what they look like and how to best protect against them. Data breaches can come from anywhere, even simple tasks such as opening emails, clicking a link or downloading a file can result in a breach and can therefore be directly or indirectly caused by any member of staff, no matter what their role. Every employee in a financial organisation needs ongoing training and education to teach them about the latest threats and what to do should they think they have been targeted or fallen for one.
It has recently been reported that financial institutions are 300 times more likely to be subject to a cyber-attack than other industries. Detailed processes need to be in place for all employees to follow if there has been an incident, and the correct protocol followed. Don’t shoot the messenger. The organization needs to encourage employees to report incidents no matter how small they think they might be. We are all human, and if a mistake has been made, it’s better to know about it sooner rather than later. If there has been a data breach, then timely communication, including to customers, is essential as part of the process to resolve the incident. Ignorance is not bliss.
With the average cyber-attack costing $1 million, it is vital to have cost-effective preventative measures in place. Financial organisations cannot stop working with data because of the cyber risk attached, so technology needs to be in place to underpin security. Today’s email and web solutions can provide extra layers of threat detection and prevention against the new generation of information-borne threats with functionality such as document sanitization. Meanwhile, automatic redaction based on both content and context will help prevent exfiltration of data into unauthorised hands, whether it is sending the wrong information to the right person or sending any information to an unauthorised recipient. The latest security solutions create a seamless safety net to protect data and employees on a day-to-day basis.
Although cyber threats are undoubtedly growing, financial institutions need to be aware of the new threats and of the solutions that can protect against them. Deploying the latest security technologies will mitigate the risks, keeping the organization, its information, staff and ultimately customers safe.
Robinhood faces $35mn fine from New York DFS
The company’s crypto division was issued with a wrist slap in 2020, following the red flagging of several “matters requiring attention”. Robinhood revealed it had reached a settlement with the New York State Department of Financial Services regarding the issues, which related to “alleged violations” of cybersecurity and anti-money laundering rules.
The news follows on from the announcement earlier this week that the trading platform favoured by armchair investors, which almost broke Wall Street earlier this year, has an expected valuation of $35bn following its IPO.
Critics of the platform say Robinhood encourages “risky behaviour” among inexperienced (armchair) investors. The app has also been criticised for not informing customers that much of its profits are generated by routing their trades to Wall Street firms taking the other side, or so-called "payment for order flow."
Robinhood said last month they expected the DFS fine to be at the $15mn mark, adding it would be “the bottom of the range for our probable loss in this matter”. The $35mn penalty is on top of the record $70mn Robinhood incurred from US financial regulator FINRA in June, for “lax vetting and outages.”
However, the settlement indicates the company’s IPO will go ahead as planned, despite initial concerns the investigation could see the float delayed until later this year.
Robinhood floats imminent
Despite the regulatory hiccups, Robinhood priced its IPO between US$38-US$42 per share, giving the platform the US$35bn valuation and analysts predict the firm’s debut on the Nasdaq could occur as early as next week.
Robinhood democratising investment
Robinhood was launched in 2013 by Tenev and Bhatt, who were Stanford University roommates, and its founders will retain most of the voting rights after the IPO. Bhatt reportedly holds 39% of the voting power of outstanding stock, while Tenev holds 26.2%.
The online brokerage, which came under fire for its handling of the GameStop trading debacle, which saw the platform limit stocks to investors, states its mission is to “democratise” investing and is one of the most highly anticipated IPOs of the year.
Robinhood was valued at $11.7bn in autumn 2020 following a private equity funding drive. The new valuation will represent a three-fold increase in the company’s market value in less than 12 months.