Headlines about financial sector data breaches and cyberattacks have made one fact painfully clear: cybercriminals know where the money is.
Last year, cybersecurity investigators revealed that roughly $300 million had been stolen from as many as 100 banks in Russia, Japan, and the U.S. over the course of two years. The criminals introduced malware using emails sent to bank employees and then used that malware to snoop on bank activities. The hackers reportedly transferred funds electronically and directed ATMs to dispense cold, hard cash whenever they wanted.
A report from IBM found that thefts against the financial sector using malware or other nefarious means increased by 80% in 2015 compared to the previous year. Attacks like these represented 38% of reported incidents in 2015, up from 23% in 2014.
As if losing money to cybercriminals wasn’t bad enough, financial institutions that fail to protect client data are then subject to hefty fines and legal scrutiny. Earlier in June, the SEC announced that Morgan Stanley had agreed to pay $1 million in fines for failing to protect information from 730,000 customer accounts. A then-Morgan Stanley employee had improperly downloaded this customer information to his personal server, which was then hacked.
The Most Costly of Breaches
The direct and indirect costs of cyber incidents like these are a major reason data breaches cost the financial sector $221 per record, the third-highest per-record cost among major industry segments, according to the 2016 Ponemon Institute cost of data breach report. Only healthcare and education ranked higher.
“Regulated agencies, such as healthcare and financial services, have the most costly data breaches because of fines and the higher than average rate of lost business and customers,” the Ponemon researchers say.
JPMorgan Chase, for one, experienced the business impacts of a breach first hand. In 2014, hackers compromised the names, addresses, phone numbers, and other personal information for 83 million clients after stealing login credentials from a bank employee. Not long after this news broke, JPMorgan Chase’s share prices fell a full percentage point.
Letting the Wrong One In
A common thread emerges in these three examples (and many more we could name): the human element had something to do with each cyber incident.
In the JPMorgan breach for example, investigators revealed that the hackers breached a server using credentials stolen from a bank employee (the server also lacked two-factor authentication). Though the source of the credential theft was not made public, logins and passwords are a common target of employee-focused phishing scams. In attacks like these, cybercriminals prey upon a lack of employee security awareness to make their work easier.
IBM’s report on security trends for the financial sector found that malicious attachments or links in email were the most common attack vector for the financial industry in 2015. This means that the top attack vector relies almost completely on a human clicking or opening a compromised URL or document. We were about to use this as a reason to reiterate the importance of employee education, but the report writers did it for us:
“Because social engineering via spear phishing and other scams is often an attacker’s first step in a successful compromise of this type, education is key to thwarting these types of attack attempts,” the authors write.
Data from the oft-cited Verizon Data Breach Investigations Report also bears this point out. Web app attacks made up nearly half of all security incidents among financial institutions in 2016, according to the report. In these attacks, cybercriminals use stolen or compromised credentials to exploit vulnerabilities in web applications, such as content management systems or e-commerce platforms. This may not seem like a fault of the human, but a deeper look at the DBIR data suggests otherwise.
Of the 879 breaches in the report caused by a web app attack, 92% (817) were the result of phishing attacks; that is, breaches resulting from users turning over their username or email address and password because of a cleverly devised social engineering attack. Though the report does not break down how web app attacks were launched for the financial sector specifically, it’s not hard to imagine this ratio of socially engineered methods translating over.
Not Just Phishing
As the Morgan Stanley breach showed, however, phishing is far from the only human-related cyber threat facing the financial sector. Financial employees have access to reams of sensitive information that, if released, could have dire consequences for clients. Employees need to know how to keep this data secure, and be well-versed in the myriad ways it can be compromised (either by malicious actors or accidentally).
Additionally, succumbing to a phishing attack may be a sign of a larger problem. Susceptibility to phishing can represent a fundamental misunderstanding of security best practices at an organization-wide level.
Technical safeguards against phishing attempts are important, but they cannot take up the slack left by a fundamental lack of security awareness in an employee base. If an employee falls for a phishy email, chances are security best practices are not top of mind. Chances are a more holistic approach is needed; one that involves a comprehensive employee awareness program touching on multiple cybersecurity topics and that includes regular, targeted training reinforcement.
There Is Help
Fortunately, agencies that oversee the financial sector have begun to realize how big a target these institutions are. The Federal Financial Institutions Examination Council (FFIEC), for one, has taken steps to help financial institutions scrutinize their cybersecurity efforts with its Cybersecurity Assessment.
In a nutshell, the assessment is meant to measure the strength or “maturity” of an organization’s cybersecurity posture. The assessment takes into account multiple factors, mostly focusing on what technology-based risks an organization may face. It does, however, devote a section to cybersecurity awareness training and culture.
The assessment doesn’t offer specific guidelines for improving security posture, only a standardized way for organizations to determine their cybersecurity maturity. The assessment defines the highest tier “innovative” security awareness initiatives as those that, among other factors, use continuous assessments to improve training offerings and can thus adapt to emerging risks.
As employee awareness experts, we would have liked to see more of a focus placed on the human element in the assessment. So, we produced a white paper filled with advice on building a full-fledged, comprehensive employee awareness program aligned with the highest standards of the FFIEC’s Cybersecurity Assessment.