Introduction

In most cases, there are two most sought-after targets by the Cyber attacker: The passwords and the financial information of the intended victim. In most cases, the two go hand in hand, meaning, if the Cyber attacker has the password, then he or she can then gain access to the bank account and credit card information of the victim.

But, the trend appears to be these days is that the Cyber attacker is going straight for the proverbial gusto: The online financial accounts of the victim. No matter how much the victim may change their login credentials, the Cyber attacker still seems to find a way to those accounts without leaving a trail behind.

But, it is not the just the online financial accounts that the Cyber attacker is going after, they are also targeting the entire financial industry as a whole. In this regard, the victims become the major banks and the brokerage firms. When these prized targets fall victim, the damage that can be done is far greater than that of simply stealing a bank account or credit card number.

Very often, the Cyber attacker can gain access to other confidential and private information about a particular individual, and from there, launch Identity Theft attacks which can happen at a much more subsequent point in time.

The Needs for Security Awareness

Obviously, just about every industry and market segment imaginable needs to have some sort of level of Security Awareness that goes along with it. But in terms of the financial sector, consider some of these qualitative reasons to have Security Awareness:

  • The Cyber attacker of today are constantly finding sophisticated means in which to penetrate financial and banking networks. Thus, a breached network can lead to online fraud identity theft and corporate bank account takeovers. Fraud committed against company bank accounts is a growing threat and cybercriminals can drain funds from a company’s bank account in minutes.
  • Over the last 10 years, financial hacking has evolved from rogue individuals trying to showcase their abilities to organized cybercrime groups with covert access to large amounts of funding and resources at their disposal. As a result of this, financial institutions must go far beyond the requirements as set forth by the Gramm-Leach-Bliley-Act. It is also important to keep in mind that employee’s banks or brokerage firms can also pose the largest threat to a financial institution’s Cyber security.
  • The Federal Bureau of Investigation (FBI) estimated that more than 500 million financial records were hacked into over the past 12 months. Major publicized incidents reveal that financial institutions, particularly those in the United States, are a highly sought-after target by Cyber attackers seeking to obtain financial rewards.

Now, consider these quantitative reasons to have Security Awareness:

  • In terms of the major financial institutions these are the number of financial accounts which have been breached:
    • JP Morgan Chase (83 Million accounts)
    • Heartland Payment Systems (1.34 Million accounts)
    • Global Payment Systems, Inc. (1.5 Million accounts)
    • Citigroup (360,000 accounts)
  • The use of Trojan Horse viruses to infect computers used in the financial sector hit an astonishing 4.1 million computers. Out of this total, 1,467 financial institutions were intentionally targeted worldwide.
  • The Depository Trust Clearing Corporation (aka DTCC) reported an increase of 183% in terms of Domain Name Server attacks upon the various financial institutions.
  • According to a recent research study, it was discovered that many financial institutions remain over confident in their Security Awareness programs, but when they are implemented fail to deliver the expected results. For example:
    • 74% of those financial institutions surveyed are confident in the Security Awareness programs they currently have in place, BUT only 30% of their third-party vendors are actually in compliance to undergo any Security Awareness training, and only 47% of actual employees have undergone any kind of formal training program.
  • Consider some of these other alarming statistics:
    • On average, banks experience about 85 attempted Cyber-attacks each year;
    • From the perspective of the CEO:
      • Only 13% would invest in a Cyber security training program
      • Only 28% would implement safeguards and controls to prevent future Cyber-attacks;
      • Only 43% would invest in extra Security technology in order to ensure    the safety of their customer’s private information and data.
  • Finally, it has been deemed that the employees themselves constitute about 70% of a financial institution’s overall Cyber security risk.

What Should Be Included in a Security Awareness Training Program

Now that the need to have some sort of Security Awareness in the financial industry has been justified from both a qualitative and quantitative approach, just what should be included in such a program?

It is important to keep in mind that the term “financial industry” is a very broad one, and can include just about any kind of entity ranging from the mom and pop bank down the street corner to the largest of the brokerage firms on Wall Street.

Therefore, a Security Awareness program will have to be tailored and crafted to the exacting requirements of each entity. But as a guideline, the following should be included:

  1. The advanced detection of any specific Cyber-attack of which the financial industry has been alerted to.
  2. Create some sort of Cyber threat index which prioritizes which potential attack can cause the most damage not just in terms of dollars but brand reputation as well.
  3. Implementing a proactive Security mindset amongst the employees (and since they are the weakest link in the Security chain, perhaps consider conducting random background checks and/or even polygraph tests to suspected employees).
  4. Create and implement a Cyber threat vector board which consists of the following information:
    • Any data about any immediate known threats and risks;
    • Keeping track of historic data (such as IP addresses, server and domain data, etc.) from any previous Cyber attacks in order to build profiles as to what future Cyber-attacks could look like.
  5. Make use of what is known as a “Managed Response” team-these are groups of individuals that literally train day in and day out to help businesses and corporations to mitigate any kind of Cyber threat. Thus, they are also known “As A Service” offering as well. Because of their level of sophistication and expertise, these teams are often much better equipped to help a financial institution recover from a Cyber-attack then the internal response teams themselves.
  6. Implement a “Hardened” approach to your IT Infrastructure. This simply means give    network based access to your employees to the minimum extent that they need to   perform their daily job functions – and no more without higher up managerial approval.
  7. Completely vet out third parties as you use them. In other words, the financial institutions of today, in an effort to trim down costs, are often relying upon third parties to conduct everyday job functions. It is important that they are given just as much scrutiny (if not more) as the regular employees.
  8. Create partnerships in order to better fortify Security Awareness the and the lines of defense. For example, if a major financial institution is hit by a Cyber-attack, there is a very high probability that other entities will experience the same kind of Cyber-attack is well. Therefore, it is very important for the financial institutions to share what they know, in other to increase the overall Security Awareness level. In this regard, two   valuable resources for the financial industry are the Financial Services Information Sharing and Analysis Center and the Financial Services Sector Coordinating Council.

Security Awareness

Conclusions

Overall, this article has examined the need for Security Awareness in the financial industry from both a qualitative and quantitative approach. Cyber based threats and attacks are becoming very stealthy and covert today, and it is important to keep in mind that it is not just individual financial accounts that the Cyber attacker is going after.

Rather, he or she is penetrating the major financial institutions in order to garner as much information and data as possible and create the most amount of damage as possible in one fell swoop. The general components of a Security Awareness program were reviewed, and the next article will examine the specifics in crafting and implementing such a program.

Sources

https://www.symantec.com/content/en/us/enterprise/white_papers/cybersecurity-whitepaper-financial-wp-21352892.pdf

https://www.globalsciencejournals.com/content/pdf/10.7603%2Fs40601-013-0019-8.pdf

https://www.securable.io/blog/banks-overconfident-in-their-cyber-security-strategies/security-training

https://www.isdecisions.com/financial-services/security-awareness-procedure.htm

www.enisa.europa.eu/publications/archive/is-in-financial-organisations-09/at_download/fullReport

Be Safe

Section Guide

Ravi
Das (writer/revisions editor)

View more articles from Ravi

You'll leave InfoSec Institute's Computer Forensics course with 3 industry certifications!

Section Guide

Ravi
Das (writer/revisions editor)

View more articles from Ravi
[Free Guide]
[Free Guide]