Biggest Cybersecurity Risks for Financial Firms

October 29, 2019

October marks Cybersecurity Awareness month, and with seventy percent of financial companies having suffered a cybersecurity incident in the past 12 months, according to a recent report by Carbon Black, it’s crucial for firms to not only know their biggest cyber risks but how to prevent them. This article will talk about the biggest risks facing financial firms and best practices for prevention.

If your firm is in the thirty percent that did not suffer from a cybersecurity incident, then stay vigilant. The unfortunate reality is that most firms do not know about a breach until months later. Not experiencing a cybersecurity incident is not a trustworthy indicator of the ability of your security program to prevent and detect incidents. You could be lucky, you may not be the target, or you could be doing a great job!

We can divide cyber incidents into two general buckets: random and targeted. Protecting against random attacks is the first step. Attacks in this bucket do not necessarily care who they impact. The goal is to compromise someone or something in hopes of obtaining something valuable. The value can be credentials or merely machines to add to a botnet. Protecting against random attacks comes down to good security hygiene.

The Center for Internet Security provides a list of 20 controls to follow for a good baseline of security. Firms should apply these controls and extend them to devices that travel outside the firm’s network perimeter (BYOD). Cybersecurity awareness training should extend beyond “things to follow to protect the firm” to include “things to follow to protect yourself.” A targeted attack has a better chance of success if training is focused on just protecting the firm. The target of the attack needs to understand that they are the target because it is easier to compromise them than the firm directly.

It is easy to forget the digital devices and mechanisms that are in place all around us. As technology improves, it seems to vanish into the background. It is important to step back and think about the technology that we use and more importantly the relationships between them. Integration between devices and accounts can increase our attack surface and create more opportunities for weak links. Most attackers are looking for the easiest way in, and the easiest way in is usually a device or account that we forget about. Once connected to the Internet, the dusty tablet or laptop that was in the drawer is more attractive to the attacker than your always-on workstation with auto updated antivirus and security patches. A forgotten account with a weak password and no two-factor authentication (2FA) could be easily compromised and could give an attacker a foothold into a more secure account.

Think about your email account which is used to recover passwords for other accounts. You probably have 2FA on your bank account, but what about your email account that is used to recover your bank account? The point is that we need to look at all the technology we use collectively and not in a vacuum. We need to configure privacy settings comparably across our devices and accounts, keep all of them up to date, use unique passwords for accounts and enable multi-factor authentication.

Using technology is unavoidable at this point, but we can limit it in some circumstances. Think about paring down the number of devices that you use to make managing their security less burdensome. Think about your technology needs over wants. Do you really need an Internet connected fridge or stove? Do you need a smart assistance which listens “only” for key words to activate? Maybe you do, but then you need to know how to secure them and protect yourself.

Firms need to also look for opportunities to decrease their attack surface. Each piece of technology adds its own level of risk. All the technology combined presents a different level of risk. Firms need to inventory its technology, decide what is necessary to keep, remove unnecessary technology debt and identify the remaining risks. Some risks cannot be remediated by applying a patch or upgrading to a new version, firms need to figure out a mitigating control to address these residual risks. When it comes to data, the best way to secure data is to not have it in the first place. Decide on what data is required for the business, and only collect and protect that data.

The National Cybersecurity Awareness Month 2019’s main theme is “OWN IT. SECURE IT. PROTECT IT.” Adding the initial step of reducing a firm’s technology needs will go a long way to remain in the thirty percent of unaffected firms.

John Carbo is the Director of Information Security at Abacus Group, an IT service provider for alternative investment firms. John has spent his entire career in the financial services industry, working previously for large banks where he gained experience in security and system integration. He’s currently a Cybersecurity Fellow at NYU, in partnership with the NSA Center of Excellence in Information Assurance, Research and Cyber Operations. John holds various information security and privacy certifications, including CISSP, CSSP, CSAE, CIPP/E and CIPM.

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.