The financial sector is one of the hardest hit by cybercrime: not only are banks among the most frequent targets of attack, the Cost of a Data Breach Report 2020 suggests that recovery costs for financial institutions are consistently in the top two or three for industries globally. This should come as no surprise, as cybercriminals are eager to target both the financial assets and the wealth of sensitive personal information held by highly regulated banks and other financial institutions (FIs).
With these formidable assets at risk, banks have done much to secure their websites, mobile apps, and ATMs from cyberattack. With the border walls comparatively secure, insider threats have emerged as today’s biggest risk to financial institutions worldwide.
Insider threats can be posed by unintentional acts: from a user falling for a carefully crafted spear phishing attack to an employee carelessly clicking on a link on a spoofed website. And malicious attacks by insiders can be even more dangerous. Rogue workers can be motivated by financial desperation or outside influences. Disgruntled employees can pose threats ranging from the theft of digital assets to willfully damaging systems as a show of rebellion or to damage the reputation of the bank. The common thread in all of these threats is the unauthorized use of credentials, either unwittingly or deliberately.
Insiders can leverage their knowledge of internal systems and processes to hide their illegal acts. Internal system and security personnel have access to the controls that could betray their actions, and can turn them off, “explain away” anomalies, or operate just within the bounds of audit scrutiny. Software developers can build backdoors into systems to allow them to access accounts for direct benefit, or to harvest personal client information for resale on the dark web. And insiders can lurk on systems, slowly draining resources or systematically exfiltrating data for weeks or months. IBM says the time-to-discovery of a threat is 148 days, and the time from identification to containment is an average of 233 days. Just think of how much damage a cybercriminal could do, operating undetected for months in a financial institution.
How are banks addressing these threats?
These are some of the strategies that banks need to use in order to build the “defense in depth” layers of cybersecurity that are critical to help defend against these real and present dangers.
Employee Engagement: While many banks already have mature remote access facilities, the COVID-19 pandemic has forced many more personnel to work from home. This presents a challenge to managers, who have lost the immediacy of seeing staff on a day-to-day basis. This disengagement can prevent supervisors from picking up on potential warning signs of employee disenfranchisement. Working unsupervised can present an opportunity for staff to engage in cybercrime activities, or inadvertently leave access open to others. Performance monitoring solutions and user behaviour analysis (UBA) techniques are available to track staff activity. These tools can flag when a user’s actions are outside the norm of a usual day’s activity for the employee, or if online behaviours diverge sharply from those of a “typical” employee in that role. Abuse of these tools may smack of a “Big Brother” approach, but judicious and appropriate analysis can protect the bank, its customers, and staff from cybercrime. HR and legal will need to be involved.
Employee Training: Due to the constant threat of attack, banks must take a leadership role in staff cybersecurity awareness and training. Managed training programs that measure awareness and understanding have become more and more sophisticated, providing automated “ethical phishing” attacks against staff to test their vigilance. Maintaining a constant state of readiness and awareness is essential for bank employees. Not only will they maintain stronger defenses themselves, but they will be on the alert for suspicious activities by fellow staff.
Penetration Testing and Audit: Because the stakes are so high, it’s critical for banks to execute thorough penetration testing and audit from the outside in and the inside out. Internally developed systems can be scanned and tested by application pen testing. Complementing the employee training and phishing awareness, sophisticated penetration testers can attempt to move laterally through systems with admin credentials, exposing vulnerabilities before they can be exploited.
Policies, Procedures, and Audit: Banks can have huge staff complements, featuring staff moving from one department to another, supported by contractors and third parties coming in and out of the picture. Formal policies addressing identity management, asset access, permission management, and audit are vital. System permissions cannot be permitted to “stack” as staff change assignments or responsibilities. Separation of duties, compartmentalizing functions, and established “paired responsibility” processes are recommended: having multiple eyes on a transaction means that there are additional opportunities for audit and scrutiny of suspicious activities. The safest way to handle access control is to take a “least privilege” approach – starting with no access to systems, then visibility granted on an as-needed basis. Read-only permissions should be offered unless there is a specific need to update information. And in all cases, audit logging and activity tracking of every move needs to happen as an organic part of the system design. All financial institutions must also conduct pre-screening and background checks before hiring new staff; it’s not just prudent, it’s also essential from a compliance and regulatory perspective. Finally, when employees leave the bank, formal (and immediate) access revocation procedures must be followed to ensure that credentials cannot be misused.
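The access-control rules above (no stacked permissions after a role change, read-only by default, separation of duties, and immediate revocation on departure) are mechanical enough to check automatically in a periodic entitlement review. The following is an added illustration, not code from the original article or from ISA; the roles, entitlement names and accounts are constructed for the example, and a real review would pull the role baseline from the identity system and the grants from each application.

```python
"""Entitlement review: compare what each account can actually do against
what its current role should allow, and flag the policy violations that the
article warns about. All roles, entitlements and accounts are constructed."""

from dataclasses import dataclass

# Role baseline: entitlement -> maximum access level the role should hold.
# "ro" = read-only, "rw" = read/write. Hypothetical roles for this example.
ROLE_BASELINE = {
    "teller":            {"customer.profile": "ro", "cash.drawer": "rw"},
    "loan_officer":      {"customer.profile": "ro", "loan.application": "rw"},
    "payments_ops":      {"customer.profile": "ro", "payments.initiate": "rw"},
    "payments_approver": {"customer.profile": "ro", "payments.approve": "rw"},
}

# Separation of duties: one person must never hold both halves of a pair.
SOD_CONFLICTS = {frozenset({"payments.initiate", "payments.approve"})}

LEVEL_RANK = {"ro": 1, "rw": 2}


@dataclass
class Account:
    user: str
    role: str        # current HR role
    active: bool     # False once the employee has left the bank
    grants: dict     # entitlement -> level actually provisioned today


def review_account(acct: Account) -> list:
    """Return (finding, user, detail) tuples for one account."""
    findings = []
    # Departed staff must have nothing left; any surviving grant is a finding.
    if not acct.active:
        if acct.grants:
            findings.append(("TERMINATED_WITH_ACCESS", acct.user, sorted(acct.grants)))
        return findings

    baseline = ROLE_BASELINE.get(acct.role, {})
    for ent, level in acct.grants.items():
        if ent not in baseline:
            # Typically a leftover from a previous role: a "stacked" permission.
            findings.append(("STACKED_ENTITLEMENT", acct.user, ent))
        elif LEVEL_RANK[level] > LEVEL_RANK[baseline[ent]]:
            # Role says read-only, account has write: violates least privilege.
            findings.append(("EXCESS_LEVEL", acct.user, ent))

    held = set(acct.grants)
    for pair in SOD_CONFLICTS:
        if pair <= held:
            findings.append(("SOD_CONFLICT", acct.user, tuple(sorted(pair))))
    return findings


def review_all(accounts) -> list:
    out = []
    for acct in accounts:
        out.extend(review_account(acct))
    return out


# Constructed sample: one clean account and four policy violations.
SAMPLE_ACCOUNTS = [
    Account("alice", "teller", True,
            {"customer.profile": "ro", "cash.drawer": "rw"}),
    # bob moved teller -> loan_officer but kept his cash drawer access
    Account("bob", "loan_officer", True,
            {"customer.profile": "ro", "loan.application": "rw", "cash.drawer": "rw"}),
    # carol was promoted to approver and still holds payment initiation
    Account("carol", "payments_approver", True,
            {"customer.profile": "ro", "payments.approve": "rw", "payments.initiate": "rw"}),
    # dave has write access where the role only needs read
    Account("dave", "teller", True,
            {"customer.profile": "rw", "cash.drawer": "rw"}),
    # erin left the bank but was never deprovisioned
    Account("erin", "loan_officer", False,
            {"customer.profile": "ro", "loan.application": "rw"}),
]

if __name__ == "__main__":
    for finding in review_all(SAMPLE_ACCOUNTS):
        print(*finding)
```

Run against the sample data, the review reports bob's stacked drawer access, carol's stacked entitlement plus the initiate/approve conflict, dave's excess write level and erin's surviving credentials, while alice passes clean. Each finding type maps to one of the controls in the paragraph above, so the output doubles as the audit evidence that the policy is actually being applied.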
Security Information and Event Management (SIEM): SIEM solutions are one of the most powerful ways of detecting insider threats. With the volume of activity in a modern bank, it is impractical to track and assess every system log on every system. And that’s just on a per-system basis – manually correlating anomalous simultaneous activities across systems is impossible. But those are the alerts that could be essential in identifying an attack, and mitigating its impact. SIEM solutions can pick up on activities outside the norm – an admin login at an unexpected time, a system access while the employee is on vacation, a burst of unsuccessful access attempts – and sound the alarm much faster than a human possibly can. Managed SIEM solutions are “on” 24x7x365 – just like the hackers are.
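To make the three anomalies named above concrete, here is an added example of the kind of correlation a SIEM rule engine performs, written for this page rather than taken from the article or from any vendor's product. It assumes a simple key=value authentication log format and an HR leave feed, both constructed here, and adds one cross-system rule the paragraph alludes to: the same user authenticating from two different sources within a minute.

```python
"""Toy SIEM-style correlation over constructed authentication events.
Rules: off-hours admin login, access while on leave, burst of failed logins,
and one user active from two source addresses at once. Log format, hosts,
users and the HR leave table are all constructed for this example."""

from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed log lines: "<timestamp> host=<h> user=<u> result=<r> src=<ip>".
SAMPLE_LOGS = """\
2021-03-02T09:02:11Z host=branch-app user=jdoe result=success src=10.1.4.20
2021-03-02T02:14:07Z host=core-db user=admin.rlee result=success src=10.0.5.22
2021-03-02T10:15:00Z host=hr-portal user=mwong result=success src=10.2.8.9
2021-03-02T11:00:01Z host=payments user=tkhan result=failure src=10.3.3.3
2021-03-02T11:00:09Z host=payments user=tkhan result=failure src=10.3.3.3
2021-03-02T11:00:17Z host=payments user=tkhan result=failure src=10.3.3.3
2021-03-02T11:00:24Z host=payments user=tkhan result=failure src=10.3.3.3
2021-03-02T11:00:31Z host=payments user=tkhan result=failure src=10.3.3.3
2021-03-02T13:30:00Z host=branch-app user=jdoe result=success src=10.1.4.20
2021-03-02T13:30:20Z host=core-db user=jdoe result=success src=203.0.113.7
"""

# HR feed (constructed): user -> set of dates the person is on leave.
ON_LEAVE = {"mwong": {date(2021, 3, 2)}}

BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 UTC is "normal" here
FAIL_THRESHOLD = 5                     # failures ...
FAIL_WINDOW = timedelta(seconds=60)    # ... within this window raise an alert
SPLIT_WINDOW = timedelta(seconds=60)   # two sources within this = concurrent


def parse(line: str) -> dict:
    """Turn one key=value log line into a dict with a parsed 'ts' field."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def correlate(text: str) -> list:
    """Replay events in order and return (rule, user, host) alerts."""
    events = [parse(line) for line in text.strip().splitlines()]
    alerts = []
    failures = defaultdict(list)    # user -> timestamps of recent failures
    successes = defaultdict(list)   # user -> recent successful events

    for e in events:
        ok = e["result"] == "success"

        # Rule 1: privileged account authenticating outside business hours.
        if ok and e["user"].startswith("admin.") and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("OFF_HOURS_ADMIN", e["user"], e["host"]))

        # Rule 2: any successful access on a day HR says the user is away.
        if ok and e["ts"].date() in ON_LEAVE.get(e["user"], set()):
            alerts.append(("ACCESS_ON_LEAVE", e["user"], e["host"]))

        # Rule 3: sliding window of failures; alert when the threshold is hit.
        if not ok:
            window = failures[e["user"]]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > FAIL_WINDOW:
                window.pop(0)
            if len(window) == FAIL_THRESHOLD:
                alerts.append(("FAILED_LOGIN_BURST", e["user"], e["host"]))

        # Rule 4: same user seen from a different source within SPLIT_WINDOW,
        # the cross-system correlation a single host's log cannot provide.
        if ok:
            recent = [s for s in successes[e["user"]] if e["ts"] - s["ts"] <= SPLIT_WINDOW]
            if any(s["src"] != e["src"] for s in recent):
                alerts.append(("CONCURRENT_SOURCES", e["user"], e["host"]))
            successes[e["user"]] = recent + [e]

    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(*alert)
```

On the sample data the engine raises four alerts, one per rule: admin.rlee's 02:14 login, mwong's access on a leave day, tkhan's five failures inside thirty seconds, and jdoe appearing on core-db from a second address twenty seconds after a branch login. The thresholds and hours are tuning knobs; in practice they would be set per role from the baseline behaviour the UBA tooling described earlier establishes.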
Incident Response Planning: While your IRP processes won’t directly prevent cyber breaches, the analysis and testing that goes on in a formal IR program will help unearth potential vulnerabilities in your security processes, allowing you to plug holes before they are exploited. And IR helps foster the kind of “cyber aware” culture that is vital for the bank and its customers. Responsible and rapid incident response can mitigate the damage and costs of cybercrime as well.
Remote Access Security: Many banks have a head start on securing distributed workforces. But with a spike in remote workers, and a “return to normal” still expected to be months away, banks must maintain their vigilance. Secure VPN access, and multi-factor authentication/zero-trust security approaches will help protect day-to-day business operations. Email monitoring, DLP solutions, USB device restrictions and remote printing controls will all help to ensure that sensitive data doesn’t stray outside the enterprise. And provisioning dedicated, single-purpose work devices is preferred, rather than allowing staff to use their own shared, and potentially unpatched, equipment for remote access.
ISA is well-positioned to assist with many of these preventative measures. As Canada’s largest cybersecurity company, with decades of experience, we work with banks to protect Canadians’ finances from cyberthreats. Contact us to learn more.