It’s no secret that financial institutions are in criminals’ crosshairs. This has been the story ever since people and organizations started putting their cash in the care of others. But unlike the good ol’ days of dramatic ski-masks-over-face, gun-in-hand heists, the majority of today’s banking crimes are digital, and thus, involve far less bravado and derring-do.
While cybercrime and fraud affect all financial institutions, each sector has its own specific concerns. The concerns of large institutions generally take center stage due to their high profiles and the large stakes involved, but often, concerns specific to small and medium-sized institutions go overlooked. In this article, we will examine the issues that cause the most distress to IT and security teams at small and medium-sized financial institutions.
Why Cyber Criminals Love Small and Medium-sized Financial Institutions
Small and medium-sized financial institutions are often seen by cyber criminals as low-hanging fruit — sure, they could go after JPMorgan Chase or Goldman Sachs for a huge payoff — but a heist of that nature requires boatloads of planning and effort. For an attack of that scale, an assailant must have incredibly powerful tools as well as a flawless plan, which could take months and even years to orchestrate.
Add to that the immense challenge of evading the law once the attack has been executed. High profile attacks on banks make great news fodder and criminals can expect to be hotly pursued and tried for their misdeeds.
Unfortunately, this is not typically the case with smaller targets. It doesn’t take quite as much planning or effort to hit smaller players and since these crimes are not as high profile, it may be easier for the attacker to get away with them. All in all, small and medium-sized financial institutions are a wise choice for attackers looking for a relatively easy swindle.
The Security Challenges that Keep Small and Medium-sized Financial Institutions CISOs Up at Night
There are many cyber security issues that plague small and medium-sized financial firms, ranging from structural issues to out-and-out threats. While each organization is unique, security leaders at most, if not all, small and medium-sized financial services firms must overcome these structural challenges.
Lack of Buy-in/Understanding from C-Suite/Leadership
Each financial services firm has its own business drivers, those issues that are integral to the success and advancement of the business model. While issues like customer satisfaction and regulatory compliance generally top execs’ lists, the issue of cybersecurity doesn’t always show up on their radar.
There are a few reasons that cyber security may not be the first thing on many leaders’ minds. To start with, it can be very difficult to prove the return on investment for security-centered projects. In the words of security expert Bruce Schneier, “Security is about loss prevention, not about earnings." Proving how much a company saves by preventing a breach does not produce the same tangible benchmarks as do other, more concrete investments.
Moreover, leaders may not have sufficient IT and/or security knowledge to grasp the full severity of weak or inadequate defenses. While some decision makers certainly are well versed in technology, it’s often not a part of their job requirements and they simply may not grasp the importance of investing in new solutions as they become available. Likewise, they may not understand the full legal and operational ramifications of falling prey to a breach.
Lastly, according to ChiefExecutive.net, leaders at smaller firms are often convinced that their firm is not worth the attacker’s time or effort. This leads to a dangerous stance of security complacency, an attitude that nothing further is required to protect the firm, based on their own erroneous assessment of limited risk.
As mentioned above, small and medium-sized financial institutions typically have much more limited cyber security budgets than larger institutions. A recent survey by Untangle found – shockingly! – that of 350 small and medium-sized businesses polled, 50 percent had annual security budgets of less than $5,000 US and of those, 50 percent had budgets of less than $1,000 US.
In light of these numbers, it comes as no surprise that at many smaller FinServs, there is no one specific person or team tasked with cybersecurity - it’s just another aspect of IT’s responsibilities. Moreover, their tools are nowhere near as comprehensive as those found at larger institutions. This increases the chances of breaches and extends time to detection (TTD) and time to respond (TTR) in the face of incidents.
At the same time, small and medium-sized financial firms still have conveniences like customer-facing apps and websites, which are necessary to compete with the big guys. But as with the rest of their technology stack, these applications may be less robust and secure than those developed by banks with more money to allocate to security. This makes these less secure applications prime pickings for attackers.
Dependence on Third Party Vendors
Small and medium-sized financial institutions are heavily reliant on integrations with third party suppliers. As with businesses of any size, these firms need to share information with partners and contractors to remain relevant and agile in an increasingly connected world.
But granting access to third parties can come with great risks — by making your network accessible to third parties, you allow their vulnerabilities to become your vulnerabilities, their liability to become your liability. This was clearly demonstrated in the infamous Target hack of 2013, when the behemoth saw their point of sale system breached due to an integration with an HVAC vendor whose credentials were stolen.
In the typical integration, external partners can access the company’s networks without adequate monitoring and limitations. This allows them access to far more resources than needed to do their jobs, making the organization a sitting duck. And as third-party vendors are often also small and medium-sized businesses, there is a very real chance that they may have less-than-adequate security, which compounds the risk. Further, the decision of which vendor to use is often made with little regard to vendor security practices and how those may affect the institution and its networks.
The Threats that Nightmares are Made Of
While budget limitations, support from top brass and third-party vendors are ongoing headaches for security officers, threats that commonly target financial service businesses are the night terrors that bolt them awake in a cold sweat.
The Many Flavors of Insider Threats
Insider threats take many forms and affect all businesses, from the largest enterprises to shoestring operations. And while all businesses suffer when an employee goes rogue or an ex-staffer decides to spill the company beans, small businesses experience damage from insiders more often than their larger counterparts. This is especially true in finance, where the stakes are inherently much higher than for most other businesses. In fact, according to the 2019 Verizon Data Breach Investigations Report, the threat actors in 36 percent of breaches of financial institutions were insiders.
One reason small and medium-sized financial firms fall prey to insiders is that they often lack proper protocols for revoking access after an employee has been terminated. Smaller financial firms tend to have less robust IT standard operating procedures and thus when an employee is asked to leave, it may take days or weeks before his or her access to critical resources is revoked. This leaves the ex-staffer with plenty of time to collect whatever data he or she wants, which can then be given to competing banks – or worse, such as nation state adversaries and cyber-criminal syndicates.
Similarly, smaller firms also tend to engender feelings of trust and familiarity among employees. While this is great for the general work ethic, there is risk in trusting your employees too much. Large institutions often have tiered Identity Access Management (IAM) solutions in place to prevent employees from seeing information which is beyond the scope of their requirements. Once again, due to less sophisticated IT infrastructure and because of that cozy, feel-good atmosphere, smaller institutions may not have the same precautionary measures in place, allowing employees access to data far beyond their actual data needs.
Then there is the insider who, although not necessarily malicious in intent, is simply impervious to training. This is the employee who routinely clicks suspicious links or fails to notice clues indicating that he or she is being phished or scammed. Scary but true: According to Verizon’s 2019 DBIR, three percent of people will click on any given phishing campaign. And these well-meaning employees can cause just as much damage as those with ill intentions: In a small and medium-sized bank, the means or understanding to track just which employee is “that guy” may simply not exist — thus, the risk goes unmitigated.
Business Email Compromise (BEC) Scams
According to a report by security firm IronScales, 95 percent of successful cyber-attacks include an element of social engineering. Humans are easily manipulated and attackers are adept at creating all kinds of compelling scams to help victims and their money or data part ways. According to the Verizon 2019 DBIR, financially motivated social engineering attacks target financial services institutions disproportionately vis a vis other industries.
In recent years, BEC, or Business Email Compromise, has become one of the most potent phishing methods, generating losses of $676 million US in 2017. According to HSBC, small and medium-sized businesses are harder hit than larger enterprises.
In the typical BEC scam, the scammer impersonates someone in a position of power within the organization, perhaps the CEO or a senior member of the IT team. The scammer sends an urgent email to a lower ranking employee, demanding funds to be transferred. This perfectly crafted email is almost indiscernible from an authentic one and implies that the recipient must see to it that the funds are transferred immediately - or face repercussions. If things go according to the attacker’s plan, the employee sends the request off to the organization’s bank, where an unwitting bank employee complies with the email’s instructions and transfers the funds.
BEC scams cause damage to all kinds of businesses, as well as banks. But no matter the industry, they affect banks because they are the ones through which financial transfers take place. In smaller institutions, standard operating procedure for transfers may not be clearly outlined and thus there is a greater danger that someone within the bank may authorize such fraudulent transfers.
Like all businesses, small and medium-sized financial institutions need to use the Internet for tasks such as researching loan applicants and corresponding with customers. So, every employee needs web access. But the risk that comes with open connectivity, namely, the fact that browser-borne malware can easily spread laterally throughout networks, cannot be tolerated in such a sensitive arena.
Browser-based malware is always morphing to ensure that it evades traditional security methods, but some attack elements remain the same; Cross-site scripting (XSS) and SQL injection (SQLi) attacks are some of the most common web-based attack methods and can potentially come from any website that has been infected — even those that have been deemed secure. These complex attacks can easily exfiltrate data off employee’s browsers. Moreover, browser-based threats are difficult to detect, which puts critical assets directly in harm’s way.
Many IT admins turn to whitelisting pre-approved web applications and websites to help keep out browser-based threats. But whitelisting has significant drawbacks — it leads to reduced productivity and agility as employees cannot always access the resources they need when they need them. It’s also not completely effective, as once-good sites can become infected with malware and in turn, pass that infection on to your network.
Small and Medium-sized Banks Have to Level Up to Survive
Beyond the threats themselves, small and medium-sized FinServs have to consider the costly fallout that comes along with successful cybersecurity attacks. Understandably, in the wake of an attack, customers may lose confidence and jump ship. And while larger financial institutions can absorb the costs of many, if not most, attacks, smaller ones cannot, which may lead to closures.
The keys to mitigating risk for small and medium-sized FinServs are better education regarding the threats that exist and more effective means of prevention. Once a breach has occurred, it’s generally too late to contain the damage. Incident response means searching for malware, identifying it, cleaning endpoints and networks, and shutting down services while all this takes place is an intensive and costly process.
Heading off breaches through heightened awareness and cybersecurity solutions that can thwart attacks before they can infiltrate are the critical elements you need to protect and your FinServ and defend it from threats.
So long as small and medium-sized financial institutions have lots of money and less-than robust cybersecurity architecture, they will continue to be a primary choice for cyber criminals. With the right measures, you can ensure that yours isn't in their sights.