According to the Bank for International Settlements, the financial sector is the sector most targeted by hackers after the healthcare sector. Finance businesses handle and manage large amounts of financial data, making them prime targets for cybercriminals. According to the Financial Stability Board, a serious cyber incident could destabilize financial systems, impacting critical infrastructure and the economy.
Cybercrimes in the financial sector related to the theft of money and the modification, corruption, or restriction of financial data, including financial algorithms, can cause a catastrophic loss of trust and severe economic disruption. Moreover, the compromise of sensitive financial information can be a significant problem for individuals and corporations alike, exposing them to social engineering and further cyber attacks.
This post looks at the motivations for attacking the financial sector, who might perform these cyber attacks and the best practices financial businesses can implement to mitigate and remediate cyber threats.
Why Do Cybercriminals Target the Financial Sector?
Monetary gain is one of the biggest reasons the financial sector is often targeted, as it is with most cyber attacks across all sectors. Because financial data is the core of the finance sector, any attack on the system can cripple a business and cause customers to lose trust in the company. Ransomware attackers also seek out the companies most likely to pay ransoms to get their data back and those with the most valuable data to sell on the dark web or black market.
Money is the number one motivation for the majority of hackers. The financial sector, which includes insurers, banks, and financial advisors, is a massive target for those primarily motivated by making money.
Hacking financial organizations can potentially allow malicious threat actors to access accounts or personal information that can help a criminal gain unauthorized access and make financial transactions or trick others into revealing more information and sending them money.
Sensitive and Personal Information
The financial sector includes banks, insurance firms, mortgage lenders, investment organizations, and other financial institutions that use data to provide better client products and services. This data, however, is frequently sensitive or personal data, such as personally identifiable information (PII), attracting the attention of cybercriminals.
Insurance companies, for example, typically collect and process large amounts of personal data to understand the needs of their clients and to provide customized products according to their lifestyles, demographics, risks, and other factors.
This kind of data can be valuable to cybercriminals, who can use it to create more accurate phishing attempts, threaten to destroy or share the data as part of a ransomware attack or sell the data on the dark web.
A supply chain attack on the financial services sector can cause massive disruption since it forms a key part of the nation’s critical infrastructure. Other attacks, such as a distributed denial of service (DDoS) attack on a major banking sector organization, can cause severe disruption, impacting logistics, manufacturing, retail, and other daily services.
Denying access to payment methods not only erodes public confidence, which can cause reputational damage, but it also affects private and government organizations by rendering them unable to operate normally.
The COVID-19 pandemic significantly accelerated digital transformation. During this voluntary and obligatory social confinement period, the demand for online financial services increased massively. This need was met by organizations adopting new processes, workflows, and technologies.
New technologies, such as blockchain and disrupters that modernized payment systems like Wise and Revolut, have led to rapid change in the industry. Rapid change frequently coincides with increases in cybersecurity issues as businesses push forward with technological solutions and do not consider IT security implications until much later.
With more people accessing their financial information online, hackers and other cybercriminals have had more people and businesses to target.
FinTech, Cryptocurrencies, and Ransomware
According to the FBI, ransomware gangs may have breached more than 870 critical infrastructure organizations in 2022. Organizations across sectors filed over 2300 complaints with the IC3, amounting to around $35 million in adjusted losses.
Furthermore, financial services businesses are among the infrastructure sectors most targeted by ransomware, behind only a few leaders of this group — tech firms, the government, critical manufacturing, and healthcare.
The FBI encourages ransomware victims not to pay the ransom because it motivates bad actors to continue their activities and attracts new cybercriminals. Moreover, there is no guarantee that victims will get their data back. And there is nothing to say that hackers will not maintain a backdoor in compromised systems.
Who is Targeting the Financial Sector?
Cybercriminals are generally motivated by financial gain, seeing the financial sector as an opportunity to part a financial business’s clients and owners from their money. They may focus on attacks, such as phishing or ransomware, to gain access credentials and use them to make unauthorized transactions.
Hacktivists are politically motivated hackers. They may target the financial sector for ideological reasons and aim to cause disruption. Their activities may involve theft, but the underlying goal is more likely to be the disruption the theft causes.
DDoS attacks, for instance, are effective at causing business disruption, especially when they are timed to coincide with a particularly busy period, such as Black Friday.
If banking customers cannot access their money on demand, this can lead to a significant loss of trust in the financial organization, scoring a win for hacktivists wishing to undermine certain institutions or ideologies.
A hacktivist may also utilize cyber attacks to effect data breaches to leak sensitive information, damage an organization's reputation, and potentially reveal information that discredits it in the eyes of the public and its peers.
In the case of insider threat, the threat actor has privileged knowledge of how the business operates and may already have the credentials required to access sensitive data. This makes it easier for them to steal, leak, and modify confidential or mission-critical data.
Insider threat is particularly significant in the financial industry. All staff must work ethically to ensure data security when working with large sums of money and personal information. Furthermore, security controls must be in place to monitor and limit access to the most valuable data.
Nation-States and Terrorism
Attacks from nation-states are typically geopolitical and ideological. Due to the motivations behind them and the resources available, such attacks can be sophisticated, persistent, and severely damaging, not only for the individual businesses concerned but also for the sector as a whole or the economy.
Hacking groups sponsored by nation-states may aim to access financial networks and steal or corrupt data for financial gain, but also to cause disruption, damage records irrevocably, and conduct espionage.
Cyberterrorism might involve targeting payment systems to cause widespread economic disruption. For example, such attacks can be particularly damaging when timed during a busy holiday season or in conjunction with physical warfare.
North Korea has been linked to the theft of billions of dollars in recent years, much of this in virtual assets and cryptocurrencies.
Best Cybersecurity Practices for Financial Services Organizations
While all organizations differ in structure, size, clientele, risk appetite, and other factors, financial service providers tend to have similar cybersecurity issues due to the commonalities of their sector and those that target them.
Every cyber risk has one or more solutions for vulnerability remediation and mitigation. Organizations in the financial services industry can protect their data and that of their clients with the following cybersecurity best practices.
Businesses with cybersecurity engagement at the board and C-suite levels will most likely demonstrate better cybersecurity performance. They are likely to spend less recovering from data breaches than firms that do not have high-level engagement with cybersecurity issues.
When shareholders understand that they are cybersecurity stakeholders, the business's frameworks, processes, and attitudes are more likely to reflect those essential elements.
Understanding the cyber threat landscape and the security posture of a business is essential to preparing it for increasingly likely cybersecurity incidents. The financial sector has a unique balance of risks and threats. Therefore, several factors may vary for each business’s preparation and response.
A risk-based approach to cybersecurity ensures the business appreciates its inherent risks and implements the security measures required to protect sensitive and personal information.
A business can reduce its attack surface by asking for less information from clients, as there would be less personal information for hackers to steal.
This is not a solution to be used in isolation, especially considering the need for the deep information that allows businesses like investment companies and insurers to develop customized products for their clients.
However, data limitation is an important consideration that can make protecting data in the financial sector more manageable. In addition to minimizing how much data is collected, businesses might reduce how long that data is stored. Securely deleting data the moment it is no longer needed minimizes the attack surface and helps protect businesses and clients from cyber attacks.
Despite the vast range of technological solutions to cybersecurity, human error will remain a factor in data loss and breaches. Phishing attacks are increasingly persistent and persuasive thanks to cybercriminals’ cooperation and their ever-more sophisticated use of stolen data.
A business’s workforce is at risk of accidentally downloading malware, which could compromise data and give hackers access to networks.
This is a particular risk with remote workforces, as remote working introduces risks, including:
- Unsecured or unvetted shared networks
- Using unknown, unvetted personal devices that may contain malware, legacy apps, or other vulnerabilities
- The use of collaborative technologies, introducing risk from the systems and practices of third-party vendors
With cybersecurity training, staff can learn the importance of data protection, understand the nature and extent of cyber risks, and develop knowledge and practices to mitigate those risks daily.
Developing a Cybersecurity Culture
The development of a cybersecurity culture goes further than cybersecurity training. It involves buy-in from the board and trickles down throughout the organization with the help of such things as cybersecurity awareness incentives, internal non-compliance penalties, and positive initiatives.
Developing the culture may be assisted by seminars and role-play simulations where staff might experience and thus prepare for attacks, such as phishing attempts, distributed denial of service (DDoS) attacks, or ransomware attacks.
In a company with a mature cybersecurity culture, cybersecurity is prioritized in regular meetings. The staff then understands that everyone is a stakeholder in cybersecurity. In turn, people are more likely to spot unusual activity and — crucially — act on it, including promptly reporting it to the right people via the appropriate channels.
While developing a cybersecurity culture takes more time than cybersecurity training during onboarding or installing a web application firewall, it is an excellent way to ensure ongoing awareness and engagement with cybersecurity that will help a business respond to emerging threats.
Cybercriminals and hackers continually seek new vulnerabilities and work out ways to launch more effective cyber attacks. A business with a mature cybersecurity culture is more able to adapt to new challenges, in addition to being able to respond to known vulnerabilities.
Since the financial services industry is so highly targeted by hackers and cybercriminals, it’s worthwhile for those businesses to protect themselves by sharing their knowledge.
The Common Vulnerabilities and Exposures (CVE) list can help financial services businesses ensure they have the latest patches and are aware of emerging threats reported by other businesses. In addition, financial services firms can benefit from cyber incident reports from their peers. This can give a business insight into new attacks against businesses like theirs.
To this end, businesses are encouraged to report cyber attacks, even if the attempts were unsuccessful, causing minimal damage or disruption. Many firms resist sharing cyber incident information unless it is a legal requirement. They may do so to protect their reputations and brand value. Sharing and collaborating, however, can help these businesses protect their data and the wider business ecosystem.
Cyber threat intelligence can also help a business avoid a data breach by remediating vulnerabilities ahead of a potential attack, responding better to ongoing threats, and helping to protect the entire, extended attack surface, which includes managing third and fourth-party risk.
All businesses across sectors must realize that they do not operate individually and that cybersecurity has common goals. Businesses rely on and work with others, so an attack on the supply chain affects multiple organizations.
With network segmentation, a hacker gaining access to a network can only move so far before being stopped. By dividing a larger network into many subnetworks, businesses limit lateral movement across networks and protect their most valuable IP or sensitive data.
Storing sensitive and confidential data on an isolated network makes life harder for hackers. Even if they gain access to a shared network via unsecured Wi-Fi connections, an infected endpoint like a POS system, or a misconfiguration, having personal data on a separate network helps protect it from malicious threat actors.
Privileged Access Management (PAM)
Customer data is safer with firms that implement PAM because it restricts the number of people accessing sensitive data. Not every member of staff needs access to credit card information.
PAM ensures that only people needing access to confidential data have it. Furthermore, firms might use monitoring to track access and use of confidential data. This can help highlight unusual patterns and can be used by forensic teams to identify the source of a breach.
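The monitoring described above can be sketched as a review of access-log lines against an entitlement map. This is an added example, not part of the original article; the role names, log format, and `bulk_threshold` value are assumptions and the log lines are constructed.

```python
# Constructed entitlements: data classes each role may read (an assumption).
ENTITLEMENTS = {
    "payments-ops": {"card_data", "transactions"},
    "support": {"contact_details"},
    "marketing": set(),
}

# Constructed log lines: timestamp user role data_class records_read
SAMPLE_LOG = """\
2024-03-04T09:12:00Z alice payments-ops card_data 12
2024-03-04T09:40:00Z bob support contact_details 3
2024-03-04T10:05:00Z bob support card_data 1
2024-03-04T23:58:00Z alice payments-ops card_data 4800
2024-03-05T02:13:00Z carol marketing transactions 40
2024-03-05T09:00:00Z dave contractor card_data 2
2024-03-05T09:01:00Z truncated-line
"""

def review_access(log, bulk_threshold=1000):
    """Return (timestamp, user, reason) for every access worth a second look."""
    findings = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdecimal():
            # Never drop unparseable lines silently: gaps can hide activity.
            findings.append((parts[0] if parts else "", "?", "unparsed"))
            continue
        ts, user, role, data_class, count = parts
        allowed = ENTITLEMENTS.get(role)
        if allowed is None:
            # Role is not in the entitlement map at all.
            findings.append((ts, user, "unknown_role"))
        elif data_class not in allowed:
            # Known role reading a data class it has no need for.
            findings.append((ts, user, "not_entitled"))
        elif int(count) > bulk_threshold:
            # Entitled, but the volume is unusual for a single access.
            findings.append((ts, user, "bulk_read"))
    return findings

if __name__ == "__main__":
    for ts, user, reason in review_access(SAMPLE_LOG):
        print(ts, user, reason)
```

The same findings list doubles as a starting timeline for a forensic team tracing the source of a breach.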
Multi-Factor Authentication (MFA)
MFA requires users to prove their identities in at least two ways. This means that a cybercriminal with a stolen password cannot access the associated account or network without at least one further proof of identity.
According to Microsoft, basic measures like MFA can be effective against 98% of attacks. While MFA is not foolproof, it makes unauthorized access much more difficult, so it’s a key security measure for financial services firms.
Zero-Trust Architecture (ZTA)
Implementing zero-trust architecture is an excellent way to protect IT infrastructure from hackers, cybercriminals, and accidental data loss. Rather than establishing ID once and then allowing the user to move freely through the network, zero-trust architecture requires authentication for every transaction, making this much more secure than other systems.
Data is not always stolen using sophisticated technological methods. Sometimes hard drives and laptops are physically stolen from unlocked cars and hotel rooms during vacations. Encryption can protect data while in transit and at rest.
In addition to physical security measures like locking those doors and using CCTV, ensuring that confidential files are encrypted is an IT security measure that makes it far more difficult for cybercriminals to use a financial business’s sensitive information for their ends.
For those times when preventative measures do not successfully prevent a cyber attack, data backups can be invaluable.
Data backups allow a business to get back up and running fast if its mission-critical or sensitive data is encrypted by hackers looking to extort money from business owners. With proper backup procedures, businesses can mitigate the risk of extortion.
They must still take appropriate security measures to protect data, but a robust backup system allows businesses to get back in business fast, setting up operations in a new geographical location if necessary.
Maintaining a backup system requires care and documented information security policies. It must be determined how often to back up critical data. How much customer data or other confidential information can a financial company stand to lose? For some, it might be 24 hours of data. Others might require continuous backups.
It’s also vital to test those backups. That means running a simulation periodically to see if the backup system performs as planned in the event of a ransomware attack. After the audit of the backup system, it’s time to make the suggested improvements to the system.
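The two checks described above, whether backups run often enough for the data loss the business can tolerate and whether a test restore actually returns the original data, can be expressed as follows. This is an added example, not part of the original article; the function names, the hash manifest approach, and all sample data are assumptions constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def rpo_gaps(backup_times, rpo, now):
    """Windows between consecutive backups (and from the last backup to
    `now`) that are longer than the tolerated data-loss window (RPO)."""
    points = sorted(backup_times) + [now]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > rpo]

def verify_restore(manifest, restored):
    """Compare files from a test restore with hashes recorded at backup time."""
    status = {}
    for path, digest in manifest.items():
        if path not in restored:
            status[path] = "missing"
        elif sha256_hex(restored[path]) != digest:
            status[path] = "corrupt"
        else:
            status[path] = "ok"
    # Files that were never in the backup should not appear in a restore.
    for path in restored.keys() - manifest.keys():
        status[path] = "unexpected"
    return status

# Constructed sample data (not from the article).
UTC = timezone.utc
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=UTC)
BACKUPS = [datetime(2024, 3, 7, 1, 0, tzinfo=UTC),
           datetime(2024, 3, 8, 1, 0, tzinfo=UTC),
           datetime(2024, 3, 10, 3, 0, tzinfo=UTC)]  # the 9 March job never ran
MANIFEST = {"ledger.db": sha256_hex(b"ledger-v1"),
            "customers.csv": sha256_hex(b"id,name\n1,A\n"),
            "keys.cfg": sha256_hex(b"k")}
RESTORED = {"ledger.db": b"ledger-v1",
            "customers.csv": b"id,name\n1,B\n",   # altered content
            "notes.txt": b"stray file"}           # not in the manifest

if __name__ == "__main__":
    for start, end in rpo_gaps(BACKUPS, timedelta(hours=24), NOW):
        print(f"RPO exceeded: {start.isoformat()} -> {end.isoformat()} ({end - start})")
    for path, state in sorted(verify_restore(MANIFEST, RESTORED).items()):
        print(f"{state:10} {path}")
```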
Cyber Incident Response Plans
On average, businesses with a documented incident response plan spend less on remediation following a data breach. A cyber incident response plan tells anyone in the organization what to do if there is a cyber attack or cyber incident. It will outline the incident response team and detail their roles and responsibilities during a cyber incident. The plan should then have clear steps to follow for various incidents, prioritized by likelihood and potential impact according to a risk management process.