The year 2020 will be known for a great many things. One of them is innovation. Forbes Magazine said it best: digital transformation finally has a sense of urgency. A recent study estimates that COVID has accelerated digital transformation by 5.3 years. Unfortunately, moving that fast opens the door to vulnerabilities and ill-prepared security strategies. Large-scale data breaches increased 273% in the first quarter of this year, compared to the same time last year. This translates into 16 billion exposed records for this year. As companies have migrated to remote work and online strategies as quickly as possible, hackers and cybercriminals have followed the money right along with them. By accelerating their migration to ecommerce and digital transactions, companies have created high-value targets for hackers. Now throw in remote work strategies and the stress and disruption of a pandemic, and you have a perfect storm that hackers can easily take advantage of. All this has led to a year in which everything is up: ransomware attacks, destructive attacks, phishing attacks, and island hopping attacks.
The Pandemic of Cyberattacks on the Financial Industry
Increased cyberattacks are proving to be damaging as well—especially in the financial industry.
- 80 percent of surveyed financial institutions reported an increase in cyberattacks over the past 12 months, a 13 percent increase over 2019
- 64 percent reported increased attempts of wire fraud transfer over the past 12 months, a 17 percent increase over 2019
- 82% of reported an increase in cyberattacks over the past 12 months, a 13% increase over 2019
Cyberattacks on Financial Institutions Are Nothing New
While the escalation of attacks is concerning, banks have always been a high-value target for cybercriminals. An alarming 62 percent of exposed data in 2019 came from the financial services industry. The average cost of a breached record in the financial industry was $210 that year, which exceeds the per-record breach cost of all industries other than healthcare. As the much-publicized breach involving Capital One in 2019 showed, banks are not excluded from these types of attacks. In 2017, for instance, banks represented 47 percent of financial data breaches.
Regulatory Agencies Are Taking Action
The frequency with which data breaches are occurring and exposing the personal data of private citizens has not gone unnoticed by the public or politicians. We have witnessed the implementation of new compliance regulations in the past year. We have also witnessed increased legal action. On July 21, 2020, the New York State Department of Financial Services (NYDFS) issued a statement of charges and hearing notice against First American Title Insurance Company concerning violations of the Department’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500. First American is a Fortune 500 real estate title insurance company. The allegations involve hundreds of millions of documents related to mortgage deals, many of the files involving wire transactions that include account numbers and other sensitive information. Just last month, Capital One agreed to pay $80 million to the OCC concerning the bank’s 2019 data breach that exposed the personal information of more than 100 million Americans.
Vulnerability Assessments and Pen Testing are Essential in 2020
It is obvious that change creates opportunities for cybercriminals. Even those companies that took great care in securing their networks last year have undoubtedly increased their attack surfaces and areas of vulnerability. Unfortunately, banks have been behind other industries when it comes to cybersecurity. In 2017, 65 percent of U.S. banks failed an Online Security Test by the OTA. Fewer than half of the top 100 banks in the U.S. scored even an acceptable rating of 80 percent. Due to the recent transformative changes to their infrastructures, it is more imperative than ever that banks and financial institutions implement third-party testing to discover newly created vulnerabilities. An experienced pen tester acts as an attacker in a safe and secure way. Professional testers are well versed in the latest methodologies and strategies that cybercriminals use. It is a painless way to find out just how vulnerable your resources are without the threat of financial costs and regulatory punishments.
Vulnerability Testing to Avoid Island Hopping
There are many ways to penetrate your enterprise. Even for those institutions that implement proven security strategies, hackers now utilize island hopping attacks to gain access to your network. While this strategy is not new, it is becoming a primary methodology for attacks. Island hopping refers to the practice of using connected third parties such as remote employees, contractors, suppliers, business partners, and corporate customers in order to get in through a back door. In today’s connected world, it is not just about you, it’s about everyone connected to you as well. Having a security consultant to advise you on the practice of vetting your associated third parties is important.
Take a Closer Look
While 2020 is certainly a time of great transition for banks and financial institutions, it doesn’t have to be a period of uncertainty when it comes to cybersecurity. If you want to achieve reasonable security for your organization, ensure you have:
- Comprehensive penetration testing not only to satisfy regulatory requirements, but to also assess your changing security profile. Organizations with a new remote workforce, an upgraded system or application, or changes in equipment should re-assess their safeguards. Consider a Recurring Penetration Testing program to assess your safeguards throughout the year for a proactive security approach.
- An assessment of your vendors’ and partners’ cybersecurity profile.
- A review of foreseeable threats for your industry.
If you would like to review your industry threat profile or explore your penetration testing options, let’s talk and review the HALOCK Industry Threat (HIT) Index for your business and/or security testing needs.