The banking industry has famously been the target of many malicious hackers, leading to cybersecurity in banking becoming a major investment for many organizations. Bank of America spends upwards of $1B just on cybersecurity, and for good reason.
A research report from the New York Federal Reserve notes that financial firms experience 300 times more cyber attacks than firms in other industries. Financial companies make for extremely attractive targets for a number of reasons.
In this post-COVID world, the banking industry is facing new novel challenges they need to address in order to stave off a rising threat. Here’s a list of key cybersecurity challenges the banking industry is facing and what we recommend to do.
We’ve mentioned it multiple times but it’s worth repeating. Ransomware has risen dramatically during the pandemic, incidents continue to rise well-past 2021 and the banking/finance industry has been hit especially hard
While all organizations in all industries have experienced a dramatic rise in ransomware attacks, the banking industry has been especially hit hard. One report showed that in 2021, there was a 1000%+ increase in ransomware attacks against the banking industry.
Due to the nature of ransomware attacks, they usually prevent an organization from carrying out their business function. While this can be manageable for a few companies who can afford to shut down for several hours or even a few days, many banking institutions can’t, making them very attractive targets. Ransoms are much likely to be paid, and the costs continue to rise.
The rise of RaaS is also contributing to the increase in ransomware. Ransomware hacker groups are licensing their ransomware and services, making it harder for companies to fight against new ransomware variants. As more criminal hacker organizations work together, we’re seeing ransomware skip the traditional phishing and pray-and-spray method of attacks and are instead deploying ransomware post-infiltration, significantly increasing the chances of success.
Over the past decade, the banking industry has been forced to adapt to a digital-first world for both businesses and consumers. Fewer and fewer consumers are using cash and instead opting for digital and contactless payments, encouraging companies and businesses to develop and support electronic banking services.
The emergence of Fintech companies like Plaid and Stripe, powering digital bank integrations for major financial institutions, and digital-forward consumer banking companies like Venmo, Stripe, and PayPal, are pressuring large traditional banking to offer digital services like having digital portals to access accounts, faster digital transactions, apps, and more integrations across banks and other companies.
While this has provided a lot of benefits to consumers and companies alike, this has also significantly increased the attack surfaces of these banks. An increased third-party vendor ecosystem raises the risk of a hacker getting into a bank’s network via a third-party.
The use of apps and other digital services not only provides more vectors for an attacker to exploit, but also raises the risk that a misconfiguration or improper form of storing data can lead to a major data leak/exposure. We’ve already seen how this risk can play out in the real world. Capital One’s massive hack in 2019 was the result of an Amazon employee hacking into Capital One’s AWS server.
Despite banks investing a huge amount in cybersecurity, employees continue to be a risk vector, especially as new threats and risks emerge. Banking institutions have hundreds or thousands of employees — if they’re not properly trained or if previous training hasn’t addressed new risks or threats that are more current and common, it can lead to a compromise.
Attacks like phishing, ransomware, BEC, and social engineering still use employees as the first point of compromise or entry. If your staff isn’t equipped to handle these threats, there’s a huge blind spot that will inevitably be exploited.
This risk has compounded since the pandemic — as employees work remotely and on their own devices, it’s much more difficult to ensure and apply security given the distributed and disconnected network.
Cybersecurity departments have always been short-staffed, due to budgets but also availability. There just aren’t enough cybersecurity experts with the training and knowledge for the companies who need them. Given the increased attack surface, new risks, and threats, cybersecurity in banking is incredibly important but the demand for cybersecurity talent continues to outweigh the supply.
This is largely because cybersecurity departments never have enough budget or approved headcount, making the environment for staff extremely stressful, increasing turnover and decreasing retention rates. Talented cybersecurity staff often move to cybersecurity-focused organizations who offer a better working environment and training as part of career development. This is part of the reason why the cybersecurity industry has a zero percent unemployment rate.
This problem is only compounded by the fact that new skills, training, and development is needed as new products, solutions, tools, processes, threats, risks, and environments change in cybersecurity, making it more difficult to find qualified employees with the most up to date training and education. As banks fall behind in staffing, they risks exposing themselves even more.
Banks don’t have it easy - but it doesn’t mean they’re helpless. Security leaders in financial institutions should develop a comprehensive roadmap directly addressing the most critical of these issues and setting goals for the cybersecurity state they want their organization to reach.
Regarding specific actions you can take, here’s a list of our recommendations.
These are a few major steps towards boosting your organization’s security posture and aren’t the kinds of actions you can take overnight. Plan ahead, balance your goals, objectives, and expectations, and identify what you’ll build and maintain in-house and what you’ll rely on a partner for. It will help you understand what kind of partner you might need and give you a strong starting point when you initiate conversations with a vendor.
Learn more about the top security challenges facing the banking industry.
tags
Josue Ledesma is a writer, filmmaker, and content marketer living in New York City. He covers cyber security, tech and finance, consumer privacy, and B2B digital marketing.
View all postsDon’t miss out on exclusive content and exciting announcements!