BY JAKE GIBSON, Chief Compliance Officer and Chief Security Officer, LightEdge Solutions
In Iowa, given the harsh and changing climate, there are only two types of concrete: cracked concrete and concrete that will crack.
It is not much different than the financial industry and cybersecurity: There are the institutions that have been targeted by attackers and there are the institutions that will be targeted by attackers.
While the security risks to financial institutions are not much different than what other industries must face, the stakes are higher. In the financial industry, more money and more data means a higher reward for the attackers. This leads to more attacks and a bigger target on the backs of financial institutions.
Of the record-breaking 1,579 reported breaches in the United States in 2017, 8.5 percent of them involved a financial institution.
The cost of an attack for a financial institution is huge, the biggest being the loss of customer trust. A 2016 study found 12.3 percent of people left their credit unions and 28 percent left their banks because of unauthorized activity on their accounts.
Mix that with the tough compliance standards financial institution adhere to, and an attack can leave devastating effects. That is all the more reason to place a large focus on cybersecurity, to stop these attacks before they happen.
Phishing is still one of the most common attacks on any industry. Yet these attacks overwhelmingly target finance institutions.
According to Kaspersky Lab, the share of financial phishing increased from 47.5 percent to almost 54 percent of all phishing detections in 2017, an all-time high by Kapersky’s records. It is only getting worse. Phishing attacks nearly doubled in just one quarter in 2017.
Usually these phishing attacks come through employee emails. Attackers can make these messages look official, like they would if they came from Amazon or PayPal, and attach files or links that are armed with malware.
Unknowingly, employees will open the link or file and infect their computer, which is likely connected the rest of the company’s system. That one click can give an attacker access to an entire system of data.
Attackers have also been able to get personalized with their phishing methods. Targeting employees with high-level authorization, attackers will do research through social media channels, public databases and other avenues to find important information to personalize a phishing message. Attackers can also mask their email to make it seem like it is coming from a chief executive officer or a child’s teacher.
This is called “spear phishing,” and it’s highly prevalent in small to midsized financial institutions.
How to prevent phishing
Phishing is generally effective, especially if employees do not know how to identify a potential attack. Having training and awareness programs will go a long way toward preventing phishing attacks from hitting your company.
To test how your company is doing in terms of awareness, there is software that can send out fake emails and see how many employees act upon it. The test will give you a good idea of how much training you actually need to implement.
Compliance and security concerns
Another gap I’m seeing in terms of prevention is communication between the technology departments and the C-suites. The technology departments should be giving regular security reports to the decision-makers and making them aware of any compliance or threat concerns coming in the future.
Decision-makers need to know some of the biggest cybersecurity concerns in their industry to make informed decisions and mitigate any potential risk.
Since cybersecurity is so closely intertwined with compliance in the finance sector, many companies have been hiring chief compliance officers (CCOs). These CCOs can have legal experience, but they are in charge of looking at the many legal issues that come with the ever-changing world of compliance.
For example, a CCO would be interested in the General Data Protection Regulation recently enacted by the European Union.
Having an understanding from the top to the bottom of the organization will help your company mitigate an attack and become aware when new avenues of attacks become more prominent.