Financial services companies are lucrative targets for hackers. Cybersecurity risk management expert Ertem Osmanoglu explains what data hackers are after and how companies should respond to attacks.
2016 is the year of the digital bank heist. Earlier this year a security hole allowed hackers to swipe nearly $80 million from Bangladesh’s largest bank. In April, the Qatar National Bank was hacked, resulting in the loss of thousands of sensitive documents. This summer Anonymous pounded banks in South Korea and Indonesia with a massive DDoS attack.
Your bank could be next.
Financial services companies are vulnerable to an ever-changing and opaque landscape of cybersecurity threats because banks are lucrative targets, said Ertem Osmanoglu, Cybersecurity and Risk Management Executive for professional services firm Ernst & Young. “Cyber criminals are looking for ways to turn a profit,” he said.
As data breaches become routine, banks also need to have a nimble recovery and communications plan to stave off reputational disruption. “Financial institutions must prepare accordingly while managing [internal and external] expectations,” Osmanoglu said. “100 percent security is impossible. Therefore, organizations must be capable of immediately dealing with incidents to minimize loss.”
According to Osmanoglu, hackers targeting financial services companies typically seek out four types of information:
Access credentials and tunnels to systems to send money from home equity lines of credit, money transfer systems, and the SWIFT network.
Intelligence about money movement, specifically bank and market activity, and access to customer accounts and information to target customer systems.
Specific financial data that can be altered and used for trading in financial markets.
Account data like personally identifiable information, account information, credit and debit information, and sensitive transaction data.
Hacking a bank is complex, and after a successful intrusion and exfiltration hackers possess valuable knowledge about the process, Osmanoglu said. A successful raid yields an understanding of how the network was compromised, what data is stored on the network, and competitive intelligence, like access to confidential email and trading strategies.
“Each piece of information typically has a different buyer and methods for selling,” Osmanoglu said. “Many forums and dark web sites exist for this purpose. Cyber black markets allow cyber criminals to pay through bartering of other data or services or in exchange for digital currency.”
The best way to fend off and respond to an attack is to internalize cyber-resiliency and cyber-agility tactics. “Looking at their end-to-end business workflow, many banks only cover about half of what really matters,” Osmanoglu said. “[Cybersecurity] is truly a business issue that needs to be a bigger part of the end-to-end business workflow.”
Additionally, financial services companies must prioritize the value of information assets. “Allocating additional dollars towards company crown jewels is a [good] place to start.” Osmanoglu added, “Leading technologies are only as effective as the company’s cyber-risk culture. Financial institutions must be aware of evolving risks and establish a plan for continuity.”
To prepare for a hack, companies should build a response protocol that includes:
Consulting with legal counsel around the details of the breach.
Engaging a qualified, experienced breach response firm to help investigate the root cause of the breach and ensure that the problem is addressed and the attacker is contained.
Establishing an internal and external communications plan about the breach.
Learning from the breach to ensure controls are updated and processes are improved.
Osmanoglu forecasts that successful cyberattacks against banks and financial institutions will increase in the near future, driven by technological diversity. Innovations like new mobile payment methods are likely to be accompanied by new types of threats.
“The traditional attack patterns banks face will continue to impact the security of intellectual property and money transfer systems,” Osmanoglu explained. “But we can expect more severe online banking and other financially motivated attacks to surface as well.”
The manipulation of financial data has recently materialized as a meaningful threat because it undermines institutional confidence. “This type of attack not only impacts reputation and brand,” Osmanoglu said, “but also potentially the stock price. Internal cyber-controls are mainly focused on breach origins and the impact to intellectual property. The actual perpetrators’ agenda is not always considered. When money is stolen, you can detect something is missing. But when a small bit of information was changed in a system, it is not so easy to detect the downstream effects of that.”