Businesses operating in the financial services industry are not oblivious to the fact that they are frequently targets of various forms of financial crime and fraud. However, the scene has changed over time and malicious actors have adapted their tactics to better suit the digital world, as explained by Alessandro Bazzoni.
ESET, a leading company in proactive threat detection, warns that cybercriminals are now using different forms of fraud and extortion, in addition to directly attacking companies.
According to IBM’s latest annual report, titled Cost of a Data Breach Report, the average cost of a data breach in the financial services industry was $5.85 million in 2020, higher than the $3.86 million average reported by respondents from the rest of the economic sectors.
Furthermore, the financial sector remains an attractive target for malicious actors, given the amount and type of information it collects from its clients. In the event of a successful breach, attackers can use the data to commit fraud through identity theft or sell it on dark web markets, which damages the reputation of the compromised entity and causes financial and reputational damage to the affected customers as well.
According to the 2020 edition of the Data Breach Investigation Report conducted by Verizon, it is estimated that 63% of attacks targeting financial institutions are carried out by external actors motivated by financial gain. In these cases, organizations can expect cybercriminals to carry out credential stuffing attacks, social engineering attacks, fraud, distributed denial of service (DDoS) and malware attacks.
Organizations of all sizes have a need to improve their security measures to mitigate the chances of falling victim to targeted attacks. In fact, a recent ESET survey of 10,000 consumers and business leaders in various parts of the world revealed that 45% of companies have experienced a security breach.
The human aspect of security is key. Mistakes made by employees can take a variety of forms: for example, they can fall victim to phishing or more targeted social engineering attacks, or they can misconfigure a system. The first two mistakes are particularly threatening considering the pandemic-driven shift to remote work.
Since companies were unprepared for the rapid and unexpected transition, they were forced to act hastily, resulting in newly hired remote workers not receiving any additional training in cybersecurity.
Attackers could use one of the most financially damaging online crimes – the Business Email Compromise (BEC) scam. In this type of attack, the cybercriminal contacts the victim from a compromised email account belonging to a member of the company (generally someone higher in the hierarchy) or to a member of a company with which it has a commercial alliance, asking them to perform a legitimate task, such as buying and shipping items or transferring payments.
However, instead of providing details of a legitimate address or bank account, the scammer adds his own, stealing the money from the company. Alternatively, targeted organizations may receive a fraudulent email containing a link or an attachment that hides malware, which, if downloaded, will infect the computer and may even spread across the network.
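The BEC pattern described above leaves traces a mail gateway or SOC can look for: a request to change payment details, urgency or secrecy language, and, when the attacker cannot actually read the compromised mailbox, a Reply-To that points outside the organisation. The following is an added example written for this page, not code from ESET or from the article; the organisation domain, the keyword lists and both sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the article): the sender looks internal, but Reply-To
# points to a look-alike domain and the body asks for a change of payment details.
SAMPLE_BEC = """\
From: "Jane Doe (CFO)" <jane.doe@example-corp.com>
Reply-To: <jane.doe@example-corp-payments.com>
To: accounts@example-corp.com
Subject: Urgent - updated bank account for supplier payment
Content-Type: text/plain

Please process the supplier invoice today using our new bank account
details below. Treat this as confidential and do not call me, I am in a meeting.
IBAN: XX00 PLACEHOLDER
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: "Ops Team" <ops@example-corp.com>
To: accounts@example-corp.com
Subject: Monthly report attached

The monthly report is attached as usual.
"""

INTERNAL_DOMAINS = {"example-corp.com"}  # assumed organisation domain(s)

# Phrases that commonly accompany payment-redirection requests (assumed lists; tune per organisation).
PAYMENT_KEYWORDS = ("bank account", "wire transfer", "new account", "iban",
                    "routing number", "payment details")
URGENCY_KEYWORDS = ("urgent", "today", "immediately", "confidential", "do not call")


def score_bec(raw: str) -> dict:
    """Return the BEC indicators found in one RFC 822 message and whether it should be held for review."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()

    from_domain = from_addr.rsplit("@", 1)[-1]
    reply_domain = reply_to.rsplit("@", 1)[-1] if reply_to else ""

    indicators = []
    if reply_to and reply_domain != from_domain:
        indicators.append("reply-to domain differs from sender domain")
    if reply_domain and from_domain in INTERNAL_DOMAINS and reply_domain not in INTERNAL_DOMAINS:
        indicators.append("internal sender but external reply-to")
    payment_request = any(k in text for k in PAYMENT_KEYWORDS)
    if payment_request:
        indicators.append("payment or bank detail request")
    if any(k in text for k in URGENCY_KEYWORDS):
        indicators.append("urgency or secrecy language")

    # Hold for manual verification only when a payment change is requested together
    # with at least one other indicator; a plain invoice reminder must not be blocked.
    return {
        "score": len(indicators),
        "indicators": indicators,
        "flag": payment_request and len(indicators) >= 2,
    }


if __name__ == "__main__":
    for name, sample in (("bec", SAMPLE_BEC), ("benign", SAMPLE_BENIGN)):
        print(name, score_bec(sample))
```

When the account is genuinely compromised and the attacker replies from inside the mailbox, the header checks stay silent and only the content indicators fire, which is why the flag is a hold-for-verification signal rather than a block: the control that actually stops the loss is confirming any change of bank details through a channel other than email.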
To mitigate the chances of any of these scenarios occurring, companies must provide adequate cybersecurity training to their employees. Training programs that teach employees how to detect phishing emails or other attacks that use social engineering should be carried out on a routine basis. In addition, a good measure would be to periodically provide workers with tips for safe and secure remote work, as well as guidance on how to use video conferencing tools with security in mind and how to protect remote access to a company’s systems.
By taking the necessary measures, companies will be able to protect themselves from future monetary or reputational damage, says Camilo Gutiérrez Amaya, Head of the Research Laboratory at ESET Latin America.
The technical factor. Most of the defense against cyber threats should fall on the technical solutions implemented throughout the entire business infrastructure. Every company, regardless of its size, should have a business continuity plan in the event of a cyberattack. A proper plan should always include data backups and, if budget allows, a backup of the entire infrastructure.
These backups can be useful, especially if a ransomware attack occurs. For backups to be effective, they must be updated regularly and evaluated frequently to ensure that they are working properly.
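"Evaluated frequently to ensure that they are working properly" can be made routine: record a hash manifest when the backup is taken, then check on a schedule that every file is still present and unchanged and that the copy is not older than the recovery point the business accepts. The script below is an added example for this page, not ESET's or the article's code; the file names, contents and 24-hour default age limit are constructed assumptions.

```python
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Record the hash of every file in the backup and the time the backup was taken."""
    files = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            files[str(p.relative_to(backup_dir))] = sha256_file(p)
    return {"created": time.time(), "files": files}


def verify_backup(backup_dir: Path, manifest: dict, max_age_hours: float = 24.0, now=None) -> list:
    """Return a list of problems; an empty list means the backup is complete, intact and fresh."""
    now = time.time() if now is None else now
    issues = []
    age_h = (now - manifest["created"]) / 3600
    if age_h > max_age_hours:
        issues.append(f"backup is {age_h:.1f}h old, exceeds {max_age_hours}h")
    if not manifest["files"]:
        issues.append("manifest lists no files")
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            issues.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            issues.append(f"hash mismatch: {rel}")
    return issues


def demo() -> dict:
    """Constructed scenario: a small backup set checked clean, then after damage, then when stale."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "ledger.csv").write_text("id,amount\n1,100\n")
        (backup / "customers.db").write_bytes(b"\x00" * 1024)
        manifest = build_manifest(backup)
        clean = verify_backup(backup, manifest)

        # Simulate silent corruption of one file and loss of another, as ransomware
        # that reaches the backup share, or a failing disk, would produce.
        (backup / "ledger.csv").write_text("id,amount\n1,999\n")
        (backup / "customers.db").unlink()
        tampered = verify_backup(backup, manifest)

        # A backup that has not been refreshed within the accepted window is reported too.
        stale = verify_backup(backup, manifest, max_age_hours=1.0,
                              now=manifest["created"] + 2 * 3600)
    return {"clean": clean, "tampered": tampered, "stale": stale}


if __name__ == "__main__":
    for label, issues in demo().items():
        print(label, issues or "OK")
```

Two points a practitioner should keep in mind: the manifest has to be stored somewhere the backup job cannot overwrite (otherwise an attacker who encrypts the backup can rewrite the hashes with it), and a clean hash check proves the copy is intact, not that it can be restored; a periodic full restore into an isolated environment is still the only real test of a continuity plan.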
In these cases, it is preferable to hope for the best, but plan for the worst. All operating systems and software must be periodically updated and patched. If you hire a professional or have a department dedicated to information security, they will most likely manage these updates themselves or configure their systems to automatically update to the latest version available. The same should be done if the systems are managed by third parties.
According to the ESET survey, 28% of companies are not actively investing in new technologies to help protect finances or at least do not know if they are.
DDoS attacks that aim to disrupt victims’ ability to provide services are another threat that companies may face. If a business becomes the victim of a DDoS attack, its systems are flooded with requests that overwhelm their ability to respond, taking its websites offline.
This could easily translate into hundreds of thousands of dollars in lost revenue for the business targeted by the attackers. To reduce the chances of that happening, companies should purchase DDoS mitigation services, as well as use an Internet provider that has enough bandwidth, equipment, and skills to handle such attacks and reduce the influx of malicious traffic.
As long as financial organizations remain lucrative targets for most cybercriminals, they should continue to work on improving their defenses to mitigate the possibility of falling victim to the majority of threats.
However, Alessandro Bazzoni reported that to build sufficiently strong defense mechanisms, companies need a holistic and balanced approach, which consists of investing in both employee training and appropriate technological solutions and business continuity plans, concludes Gutiérrez Amaya of ESET.