Security breaches have become one of the biggest threats to financial institutions.
Remote working, cloud computing and the current geopolitical climate have all played a part, but older forms of infiltration also continue. For example, recent years have seen a sixfold increase in malicious emails designed to trick people into giving away login credentials, a type of attack known as “social engineering.”
Banks should be the safest place for people’s money. Indeed, they have a fiduciary responsibility to proactively mitigate and manage risk for account holders. Unfortunately, bank and credit union executives often don’t understand how severe the problem is. Data at risk leads to identity theft and funds stolen electronically. Ultimately, reputations erode.
Outlined here are some of the top threats that lie ahead and the approaches we’re seeing to address them.
How Cybercrime Is Hitting Banking Today
We believe financial institutions will place a heavy emphasis on implementing “passwordless” solutions with a requirement of multi-factor authentication (MFA). A 2021 Forrester survey noted that 67% of corporate leaders were in the process of adopting passwordless authentication for their employees and partners, a trend we think will — and should — continue in banking.
With the adoption of cloud computing and hybrid environments, we will see an urgent need to implement Secure Access Service Edge (SASE) solutions.
Tech Improvement Breeds Exposure:
Because most companies started with on-premise equipment and have moved apps, workloads and storage to the cloud, the attack surface has increased exponentially.
This in turn has created less visibility into the internet environment, eliminating the “secure perimeter,” creating more complexity, and requiring the purchase and configuration of additional forms of protection.
The more complex an environment, the more human error we see. Put simply, SASE methods push security onto the cloud.
In coming years, artificial intelligence and machine learning will continue to be major factors in cybersecurity for the financial services industry. We’ve started to see this already in some cutting-edge security products that are coming to market — “good bots” pitted against “bad bots,” for example.
Automation is another big factor — both as risk and benefit — as banks and credit unions move to automate everything they can. We will start to see more low-code and codeless platforms which aim to make financial institutions more efficient while cutting down on human error.
Where Cyberthreats to Banks and Credit Unions Arise
How can financial institutions do more to prevent cybercrime? First, they need to be aware that this is a long-haul process — and must plan for it. Improving cybersecurity is a journey, not a sprint. An in-depth, multiyear strategic plan is called for, not a short-term, quarter-to-quarter focus that leads only to reactive, merely tactical solutions.
Budget Cutbacks Undermine Cybersecurity:
Even when strategic plans are developed, they are often undercut by midyear budget cuts and executive churn that stymie progress.
Firms need to understand and assess the range of risks they face, starting with internal threats. Errors and mistakes that compromise security happen frequently, and steps need to be taken to better safeguard against them. Whether they take place in the office or remotely, malicious acts by employees and contractors are also a significant risk.
External threats come from a mix of technology and people. Human hackers and automated bots alike constantly probe systems looking for vulnerabilities. Customers represent the riskiest component in the entire threat ecosystem because their lack of care and precaution introduces significant vulnerabilities. Examples include logging on through open internet connections, using predictable passwords, and failing to update their security credentials.
“Social engineering” continues to represent a significant security threat. Cybercriminals rely increasingly on psychological manipulation, rather than technology, and they target both employees and customers.
Phishing emails employ psychological manipulation techniques to fool the recipient into opening a link or attachment that contains malicious software. Some prey on people’s fears, anxieties or emotions, causing them to lower their defenses and let a hacker into their system. Others invoke a sense of scarcity or urgency to goad a victim into acting quickly without thinking.
A Broad Plan of Attack on Cyberthreats
Financial services organizations need to improve their processes, engineering and technology to protect against these risks. Systems reliability engineering needs to be improved because, despite the many concerns about hackers and other nefarious actors, only 6% of all failures at major banks are caused by external forces. Most system availability problems occur because of bad change processes, poor software, deployment issues, incorrect specifications, and other issues.
Security can be improved through several means, but multiple layers of protection are called for. Passwordless logins that use biometrics and tokenization provide login protection that is more secure than passwords.
Behavioral analysis and pattern recognition are also powerful tools to improve cybersecurity — building customer profiles makes aberrant or fraudulent behavior easier to detect so that, for example, credit card charges that are outside the cardholder’s usual activity can be declined.