Cyber threats to the banking industry - Expedient Technology Solutions

Banks are investing more in their security budgets this year due to a spike in emerging cyber
threats. 63% of the financial services sector suffered an increase in damaging cyberattacks. That
is an increase of 17% since 2021.
Brian Moynihan, CEO of Bank of America, said it spends over $1 billion annually on cybersecurity.
The financial industry already spends an average of $5.72 million for each data breach, the
second highest amount any industry spends on cyber attacks.
Some research indicates that globally, the rate of cyber attacks is one every 10 seconds.
Let’s take a look at the latest threats and how to prevent them.

What are threats in the banking industry?

Ransomware

Ransomware is still a popular attack on banks because it consistently works.
It delivers malicious software, also known as malware, into the bank’s system. This
malware may not only interrupt the bank’s normal operations, but also cause permanent loss of
confidential data.
Ransomware groups continue to broaden their assaults. They have branched out into stealing
customers’ Personally Identifiable Information which is a hot commodity on the dark web.
There is even an organization known as the Conti ransomware gang that sells ransomware to
cybercriminals as a service (RaaS) structure. Of the 74% of financial institutions in North America
and Western Europe who acknowledged one or more ransomware attacks in January 2022, 63%
paid the cybercriminals’ ransom.

Infostealers

A bank’s most precious asset is not money. It is data.
Cybercriminals can install malware to collect the Personally Identifiable Information of a financial
institution’s customers and steal it to create false identities.
A data breach that results in the theft of sensitive personal financial information can have stiff
regulatory penalties. The biggest fine for a data privacy breach so far is $80 million.

Phishing

It has been around for so long that you would think people are immune to taking the phishing
bait. This scam has evolved to make messages appear to originate from legitimate organizations.
The emphasis on an urgent and consequential messaging convinces users to click on malicious
links.
This makes phishing a leading delivery vector for malware. It is also commonly employed to steal
login credentials and other Personally Identifiable Information.
Vulnerability Exploitation
Cyber threat actors habitually scour financial institutions’ web-facing applications for weaknesses
they can exploit.
When these weaknesses are exposed, hackers may be able to implant malicious code, steal
Personally Identifiable Information, or launch a Denial of Service assault against a financial
institution’s network.

Account Takeover

The exponential increase of remote work, home/hybrid office options, and cloud-based software
systems means there are more targets for cybercriminals to aim at than ever before.
When a bank employee accesses data on a network that is outside of the complete security
control of the financial institution, the number of attacks on banks increases.
Secure remote access solutions need to be enacted across the organization. In addition,
attackers can use credentials that have been stolen to log into corporate networks and steal data
or deploy malware.

What types of risks threaten a bank’s IT systems?

Supply chain attacks

Also known as island hopping, it’s when hackers are able to access the network of a financial
institution’s third-party vendor.
Instead of direct attacks on banks, cybercriminals go after their more susceptible third-party
partner networks because they often don’t have the complete security controls that banks have.
They compromise its system, then use it to breach the financial institutions’ systems.
Statistically speaking, the financial services industry takes cybersecurity threats more seriously
than its vendors. This makes penetrating the vendor’s network much easier than the financial
institution’s network.
An added attraction to cybercriminals is that third-party vendors work for multiple financial clients.
This means one attack could net data on hundreds of banks.

Distributed Denial of Service

Hackers use multiple infected computers to send spam requests to a financial institution’s
network. The intent is to overwhelm the server with fake connection requests.
This keeps the system so busy that not only is it unable to answer legitimate inquiries, the server
is forced offline.
Distributed Denial of Service is a popular cyber threat because of its versatility. For example, it
can be used to assault a bank’s infrastructure, customers’ accounts, and payment portals, just to
name a few.
Distributed Denial of Service can be used as a distraction for a bank’s cybersecurity team while
hackers launch a second, more targeted attack somewhere else in the network, like injecting
ransomware.

Cryptominers

Cybercriminals can inject a network with malware designed to seize control of the idle processing
power of a financial institution’s network and use it to mine cryptocurrency.
The financial services industry requires a significant amount of power to process transactions,
making banks a prime target for attack, as a similar amount of processing power is required to
mine Cryptocurrency.

How are banks vulnerable to cyber attacks?

The financial sector has largely been reactive in dealing with cyber attacks.
A defensive strategy allows cybercriminals to remain at least one step ahead. This makes banks
even more vulnerable to the next assault. Some common weaknesses are:

Employee Education

Cybersecurity is thought of as a profession and not as a hard skill that every potential bank
employee should have on their resume to some degree. This mindset of leaving cybersecurity to
trained professionals allows hackers plenty of access points in a bank’s network.

Lack of cybersecurity training

Lack of up-to-date cybersecurity training and only training once a year leaves employees
uninformed of the latest tactics used by cybercriminals. To reduce a financial institution’s
vulnerability, every staff member should be appropriately trained in cybersecurity awareness,
including the mentality that cybersecurity is everyone’s responsibility.

The appropriate level of cybersecurity protection

The appropriate level of protection against cyber attacks is expensive. The financial services
industry lags behind other industries, like Information Technology, in allotting enough of their
budget to deal with cybersecurity threats.

The human element

People are a major factor in the vulnerability of the financial services sector. Employees using
weak credentials to log in to the bank’s system make it easy for hackers to guess what those
credentials are.

User convenience

Convenience is the enemy of safety. Customers want to bank on mobile devices and apps. These
are prime targets for hackers to access accounts and infiltrate banking networks.

Examples of cyber attacks on banks

Ransomware

Cybercriminals use remote access trojans (RAT) to take control of banks’ systems.
There are kits hackers can buy that can infiltrate a system, encrypt targeted files within the
system, then send the bank a ransom note requesting cryptocurrency in exchange for a key that
will unlock access to the files and decrypt them.
President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 in
March. As a result, this requires both owners and operators to report cybersecurity attacks to the United States Department of Homeland Security within 72 hours so that they can respond.

Island hopping

Wire transfer fraud used to be the ultimate goal.
Now, it is hijacking a bank’s digital transformation in order to access its data. There are
cybercrime cartels that study the interdependence of the financial services industry on their
managed service providers (MSP).
Then they go after the MSPs, penetrate their systems, and island hop into the bank.
The weakest link for cybercriminals to target is the Application Programming Interface (API). This
is the software that links the two applications to each other, allowing them to communicate.
APIs are designed to be highly accessible, which is exactly what makes them so vulnerable.
When choosing an MSP, find out what their policy is regarding security control validation. Do they
constantly monitor designs, standards, and configurations to confirm they are working
effectively?

How to prevent cyber attacks on banks

The best way for the financial service industry to deal with cyber attacks is to prevent them.
A portfolio of strategies is necessary to be nimble enough to pivot when hackers use the latest
iterations of their cyber threats. The financial service sector needs tactics that include ways to
avoid, mitigate and respond to cyber threats.

Solution 1—People

Partner with a managed service provider who can help you bridge the talent gap. Look for organizations and security partners who have a track record of consistently successful protection from cyber threats.

Cybersecurity training should be continuous. Assess current cyber security awareness training programs for relevance to the financial services industry. Make sure training is up-to-date with the current cyber threats landscape.

Invest in detection tools that enable you to be proactive in preventing attacks. Also, invest in response tools that help you quickly recover from a breach.

Educate your customers. An email consumer awareness campaign informing them now to not disclose sensitive details to cybercriminals not only protects them, it protects your bank’s cyber security.

Solution 2 – Communication

Corporate internal communication is critical in every financial services industry.
Employees need to be aware of their role in preventing financial cybersecurity incidents. It isn’t
just a courteous gesture, it is for their own protection.
Successful internal communications strategies will inform team members of their responsibilities
to safeguard data like customers’ Personally Identifiable Information.

Use compelling and engaging mediums to deliver your message. For example:

• Your cyber security team can send corporate wallpapers and screensavers to employees’ machines. Use these to update staff on the latest cyber threats.
• In addition to providing regular (more than once a year) cybersecurity training, follow up by quizzing employees between training sessions. This will not only give you feedback on how much knowledge they are retaining about cybersecurity issues but also what to include in the next round of cybersecurity training.
• Encourage your team to stay on guard by providing regularly scheduled information about emerging threats. Include instructions on cybersecurity best practices.
• Reinforce your message by using a variety of communications platforms like the employee page of the corporate website, email campaigns, and posters in the break room.

Solution 3 – Policies

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is an
excellent guide for determining how well-prepared your financial institution is for a cyber attack.
It consists of standards, guidelines, and best practices for managing your financial institution’s
cybersecurity risk.
It looks at five key areas:

• Identity – Look at your employees, networks, assets, capabilities, and data. What are the cybersecurity risks to these resources?
• Protect – Do you have sufficient defenses in place to prevent, confine, and limit the effects of cyberattacks?
• Detect – Do you have the systems, procedures, and software to comprehensively both identify and alert you that a cyber attack is happening?
• Respond – Are you able to react and quarantine a cybersecurity assault in a detail-oriented and time-sensitive manner?
• Recover – Do you have appropriate redundancies engaged? When a cybersecurity attack happens, can you quickly restore your financial institution’s business systems?

Using the NIST Cybersecurity Framework, here are six steps your financial institution can take to
protect both the organization and its customers from hackers.

1. Audit – You should assess your bank’s infrastructure to find the gaps in its cybersecurity. Ask the following questions:
   • Is this enterprise infrastructure capable of not only hosting our current business requirements but also future growth?
   • Will it allow seamless upgrades both for capacity and security?
   • Is it in compliance with financial services industry best practices?
2. Define – What does security look like for your bank? Prioritize what the bank deems important. For example, the handling of Personally Identifiable Information or regulated data. Questions to answer:
   • Is each primary asset regularly reviewed?
   • What is the plan for properly handling and securing the asset against risk?
   • What employees require access to the asset?
   • Do they understand the plan?
   • Are they regularly trained in the latest techniques of cyber threat actors?\
3. Log and monitor – When the inevitable cybersecurity incident happens, you need to react quickly. Logging and monitoring lay a trail for your security staff to analyze the attack and find where the breach happened. This makes a forensic investigation much easier. A financial institution can either do this in-house or retain a managed security service provider to do it for them. If you choose the latter, ask:
   • Do you provide 24/7/365 monitoring and incident response?
   • Is your team trained to detect and assist in responding to alerts we receive in real time?
   • In the event of a catastrophic cybersecurity breach, will we have a dedicated team to work with us to immediately contain the attack and reduce the fallout?
4. Make a plan – What if the worst happens? In addition to a disaster plan for fire or weather, your bank needs a plan for what to do in the event of a cyberattack that shuts down business operations. Some things to consider:
   • Do you have adequate system redundancy to accommodate your bank’s normal workload?
   • Do you regularly encrypt backups of data? Where are they stored (the Cloud? Physical media?)
5. Encryption – Speaking of encrypting backups of your bank’s data, all your bank’s data should be encrypted. This may sound obvious, but not all encryption is equally secure. For example:
   • Do you use a secure encryption algorithm like Advanced Encryption Standard?
   • How are your decryption keys protected?
   • Are all sensitive digital assets encrypted?
   • Is encryption used for communications between your customers and your servers?
6. Multi-Factor authentication – Your customers’ accounts are at high risk for a cybersecurity attack because the login functionality of your bank’s website is publicly available. Incorporating Multi-Factor authentication to gain account access should diminish single-point security failures. Think about:
   • What secondary authentication method would your customers prefer? A one-time-password? An authenticator app? Biometrics?
   • Is Multi-Factor authentication currently in use for all user accounts?
   • What is your financial institution’s policy to ensure strong passwords?
   • What is your financial institution’s account lockout policy? Your financial institution not only holds your customers’ money, it holds their trust. If the trust is broken, you may never regain it.

Your customers need to know that you are keeping up-to-date on the latest cyber threats to the
banking industry. You know what types of cyber attacks threaten your bank’s system, you’re
aware of what types of attacks your financial institution is vulnerable to, and you have a plan to
prevent them.

If you’re interested in partnering with a cybersecurity-focused MSP, contact us today to see how
Expedient Technology Services can strengthen your security and mitigate data breaches