“The coronavirus pandemic has been connected to a 238% surge in cyberattacks against banks.” – Charlie Osborne, ZDNet and CNET
Banks have been and continue to be a major target to cybercriminals. Recently, due to the novel coronavirus pandemic (COVID-19), there have been a 238% surge in cyberattacks against banks as ZDNet reports.
These cyberattacks against banks experienced an uptick between February and April of this year when the virus began being prominent around the globe.
Because of this and being a prime target for hackers, banks require a high level of sophistication when it comes to their cybersecurity programs to address the unique security issues created by the nature of their business.
Now, 82% of Chief Information Officers (CIOs) contributing to the Modern Bank Heists report said that alongside a spike in attacks, techniques also appear to be improving. Cybercriminals are not only improving their social engineering skills but also using more advanced strategies to uncover weak links in the financial-cyber infrastructure.
This means that daily, banks have to be 'at the ready' to defend against the attack. For some, regulations have played the part in forcing the entire financial industry to enhance their security measures. An example being, banks and other financial institutions in the United States must comply with multiple data protection regulations, including PCI DSS and GLBA. These regulations are strict, and they will become more stringent throughout time.
For others, they discover solutions not only to secure their information, but also to make the log-in experience more convenient. The digital experience a bank provides for its customers and workforce can be the difference and competitive advantage in today's digital economy.
Overall, collection, retention, and the process and sharing of personal information must be secure, and these actions are supervised continuously.
MindInsight reported that in a recent email spoofing attack, employees of an undisclosed organization were asked to respond with their username and password. Out of the employees, 60% of them complied and sent their information.
Banks require a high level of security, but there are a list of reasons why security often fails, with human error often times at the top of that list.
Backdoors and Supply Chain Attacks
Some cyber attacks are performed through "backdoors" or applications used to obtain remote access. With backdoors, hackers gain access to the network by bypassing any detection systems. Backdoors are pieces of code that hackers implement within the system to allow easier access into protected applications.
Port binding, connection availability issues, and custom DNS lookups are examples of backdoor attacks.
A major backdoor attack was ShadowPad, one of the largest supply-chain attacks that originated in legitimate software. Mindsight reports that a cybercriminal opened a backdoor through the software and exposed hundreds of customers to serious cybersecurity threats.
Third Party Vendors
Being involved with third-party vendors may result in a data breach. Through third-party vendors, not only can hackers gain access to the bank's information, but also, they might allow direct access into the bank's systems if directly connected.
Unfortunately, companies are not in control of their third-party vendors, but they do decide whether the third-party remains a partner. In some cases, if third-party vendors do not agree to contracts protecting data, it is a much needed decision to let them go.
Third party vendors must agree to protect the bank's information and implement the proper cybersecurity controls.
However, most of the attacks that significantly affect a bank are cyber attacks from inside the company. 60% of all cyber attacks are from employees. According to IBM, financial firms and services were in the top three sectors that were targeted by internal threat actors. There are two types of employee-related cyberattacks: unintentional and intentional.
Out of the employee-related cyberattacks, 75% of them are intentional. Employees who have gone ‘rogue’ or against the company due to recently being fired or past employees whose data still works within the network are the types of employees that intentionally create cyberattacks. Employees can offer their username and password to a hacker to allow the hacker to gain access into the server, system, and data.
The other 25% of insider attacks are from human error and are unintentional. Phishing scams, employees accidentally giving away their credentials, downloading malware through email, and staying logged into the bank's network through a public computer are ways that employees can unintentionally create a vulnerability for the bank.
The Cybersecurity Threat Landscape
Banks must start to recognize that being breached is more of a "when" rather than an "if."
These firms face a long list of complex risk factors:
- Phishing attacks
- Cyber fraud as known as executive digital impersonation
- Insider risk
- Supply chain risk
The number of attacks on banks is only increasing during these times, with hackers coming up with new ways as well as old to break in. Hackers continue to use phishing attacks to gain employee credentials and social engineering to determine which employees have access to critical applications and data.
Many banks are addressing the challenges these security issues have created – by integrating a layer of biometric authentication and providing such convenience options as self-service password reset and single sign-on. Superior to passwords or swipe cards, biometrics cannot be lost or shared and is the only method that positively identifies the individual, not the device. One touch instant authentication provides security while complimenting the streamlined workflow, benefiting the bank and enhancing the customer experience. For example, as bank employees migrate from the drive-thru windows to the lobby and as supervisors bounce from computer to computer authorizing high-end transactions, biometrics becomes a “must have” to make sure you know the "who" completed the transaction.
Yesterday’s leading-edge security innovations are today’s table stakes. As many banks have ramped up multi-faceted security defenses, threat actors have pivoted to embrace new exploits, new avenues of compromise, and new ways of ensuring a financial payoff from their misdeeds.
In our newest whitepaper, we look at the dynamics of the new threat landscape and highlight new security solutions, including passwordless and biometric authentication, and practices that go beyond the capabilities of conventional solutions.
Learn more current cyberthreats financial services face and newer ones that will be bigger issues here.