Last week we explored the security vulnerabilities posed by banks running legacy systems and how MSPs can play a mitigation role. This week, we look at the steps banks and their security teams should be taking today to prevent the next cyberattack. The question of whether banks are doing enough to combat cybercrime matters because the cost of complacency is astronomical.
MSPs can play a leading role in helping smaller and mid-sized banks with their security needs, but you have to know the terrain. A recent report in Forbes starkly outlines the vulnerabilities of banks:
“Cyberattacks cost financial-services firms more to address than any other industry, and the rate of breaches in the industry has tripled over the past five years, with some estimates putting the total annual cost of banking cybercrimes north of $1 trillion.”
The Forbes report states that financial services firms also fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries.
Smarter MSP caught up with Neira Jones, one of the United Kingdom’s top fintech and banking cybersecurity experts, to delve deeper into what banks and their security teams — whether MSP or internal — need to be doing.
Know the rules
First, adding to the confusion and chaos that cybercrime sows is the evolving regulatory landscape that bank security must navigate.
“The banking industry is an industry that has been regulated for hundreds of years. Therefore, they had to put in place the means and measures to comply with various regulations as they have evolved,” describes Jones. “Regulations are there to preserve the integrity of the ecosystem. We have seen an evolution of the regulations themselves: we have moved to an extensively digital landscape, from fraud prevention in the traditional sense, to fraud prevention in a digital world,” details Jones. These regulations are attempting to address the same issues but in a different technological landscape.
Jones cites regulations like the recently enacted 2nd Payment Services Directive (PSD2) in Europe that place a greater emphasis on security.
“Also, all the anti-money laundering laws and regulations worldwide have moved on to tackle the very same problems. This means that we have come to the realization that fraud prevention and cybersecurity are only two sides of the same coin,” explains Jones.
The advantage the bad guys have is that the regulations don’t apply to them.
“After all, criminals track and use new and emerging technologies at breakneck speed, and regulations do not constrain them,” admits Jones.
Threats from within
Bank security must include both internal and external threat analysis. Jones believes that the biggest threat to bank security comes from within the bank.
Whether these threats are unintentional, like a cloud misconfiguration or a click on a phishing email, or an actual rogue employee, insiders pose the greatest risk to banks. A lot of emphasis is placed on educating employees about the dangers of phishing, but protecting data at banks must go beyond that.
“The solution is not just user education,” notes Jones.
Bank security must include three components
Layered email security strategy: “Organizations must deploy a layered email security strategy, and this must include SPF, DKIM, and DMARC,” instructs Jones. Deployed properly, with DMARC at an enforcing policy (quarantine or reject) rather than monitor-only, these controls stop attackers from sending mail that claims to come from the bank’s own domain, which removes the simplest form of BEC fraud. They do not stop lookalike domains or mail sent from a compromised mailbox, which is why the next two components matter.
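To make the SPF/DKIM/DMARC layer concrete, here is a small added example that is not code from the article, from Jones, or from any mail product. It models what a receiving mail server does once SPF and DKIM have been checked: it tests whether the authenticated domains align with the visible From domain and then applies the sender’s published DMARC policy. The domains (bank.example, attacker.example, bank-example.example), the DNS records and the three message scenarios are all constructed for illustration, and the organizational-domain shortcut is a deliberate simplification of the Public Suffix List logic real receivers use.

```python
"""Toy DMARC evaluator and record linter (constructed example).

Models what a receiving mail server does with SPF/DKIM results and the
sending domain's published DMARC policy. Domain names, records and the
message scenarios below are all made up for illustration.
"""
from dataclasses import dataclass


def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' TXT record (the DMARC format) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Real receivers consult the Public Suffix List; this shortcut is
    good enough for the bank.example-style names used here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass(frozen=True)
class AuthResults:
    from_domain: str   # domain in the RFC5322.From header (what the user sees)
    spf_domain: str    # RFC5321.MailFrom domain that SPF was evaluated against
    spf_pass: bool     # result of the SPF check on spf_domain
    dkim_domain: str   # d= tag of the verified DKIM signature, "" if none
    dkim_pass: bool    # whether the DKIM signature verified


def dmarc_disposition(msg: AuthResults, dmarc_record: str) -> str:
    """Return 'pass' if SPF or DKIM passes AND aligns with the From domain;
    otherwise return the published policy: none, quarantine or reject."""
    tags = parse_tags(dmarc_record)
    spf_ok = msg.spf_pass and aligned(msg.spf_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_pass and aligned(msg.dkim_domain, msg.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


def lint_records(spf_record: str, dmarc_record: str) -> list:
    """Flag settings that leave a domain spoofable even though SPF and
    DMARC records technically exist."""
    findings = []
    terms = spf_record.split()
    last = terms[-1] if terms else ""
    if last in ("all", "+all"):
        findings.append("SPF ends in +all: any host may send as this domain")
    elif last == "~all":
        findings.append("SPF softfail (~all): unauthorized senders are only marked, not failed")
    tags = parse_tags(dmarc_record)
    if tags.get("p", "none") == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports, so spoofing goes unseen")
    return findings


# Constructed scenarios. The bank publishes SPF and DMARC for bank.example.
BANK_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all"
BANK_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"

# 1. Genuine mail: bounce subdomain for SPF, DKIM signed by the bank itself.
GENUINE = AuthResults("bank.example", "bounce.bank.example", True, "bank.example", True)
# 2. Classic BEC spoof: attacker forges From: ceo@bank.example but can only
#    pass SPF for a domain they control, and cannot sign as the bank.
SPOOFED = AuthResults("bank.example", "attacker.example", True, "", False)
# 3. Lookalike domain: attacker owns bank-example.example and authenticates it
#    perfectly. DMARC only judges the From domain, so this sails through.
LOOKALIKE = AuthResults("bank-example.example", "bank-example.example", True, "bank-example.example", True)
LOOKALIKE_DMARC = "v=DMARC1; p=reject"


def run_scenarios() -> dict:
    return {
        "genuine": dmarc_disposition(GENUINE, BANK_DMARC),
        "spoofed_enforced": dmarc_disposition(SPOOFED, BANK_DMARC),
        "spoofed_monitor_only": dmarc_disposition(SPOOFED, "v=DMARC1; p=none"),
        "lookalike": dmarc_disposition(LOOKALIKE, LOOKALIKE_DMARC),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22s} -> {result}")
    for finding in lint_records("v=spf1 include:_spf.mailprovider.example ~all", "v=DMARC1; p=none"):
        print("finding:", finding)
```

The spoofed message is rejected only because the bank publishes p=reject; with p=none the same forgery is delivered, which is the state many domains sit in for years after “deploying DMARC”. The lookalike scenario passes cleanly, which is the gap that governance checks and user training have to cover.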
Governance: There must be effective governance in place.
“When your CFO emails you asking to wire $1M immediately to some supplier account, there should be processes in place that force you to do some checks before you action any financial transaction,” warns Jones.
Education and awareness: “People learn in different ways. For training to be successful, it must take into account learning styles and behaviors,” notes Jones.
The training can range from concise tips, such as how to recognize email spoofing and typo-squatting, to explaining how to identify a phishing email. Also, Jones advises giving real-life examples and full-blown phishing simulation exercises.
“All of this must be done in conjunction with HR, and possibly marketing, not just something that comes out of the security department. After all, we want people to learn and change their behavior as a result, not just tick off boxes,” offers Jones.
Still, none of these steps would stop a determined rogue employee from wreaking cyber havoc. Some measures a bank IT team or an MSP security team can implement against an inside job include:
- Monitoring systems for unusual behavior (accessing files at unexpected times, copying or printing massive amounts of data, etc.). There are some interesting solutions in user and entity behavior analytics.
- Deploying privileged access management (PAM) alongside effective identity and access management, together with the policies and procedures that go with it (immediately remove access for leavers, etc.).
- Moving from role-based access control (RBAC) to attribute-based access control (ABAC), so that staff can only access what they need for a particular situation rather than everything their job title could ever require.
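The first bullet, monitoring for unusual behavior, is easier to picture with code. The following is an added example written for this article, not a product or anything from Jones: it builds a per-user baseline from a handful of constructed file-access log lines (usernames, paths and timestamps are all invented) and then flags new events that happen at an hour the user has never worked or move far more data than their norm. The log format and the 20x volume threshold are assumptions for the example; a real baseline would be built from weeks of data rather than a few lines.

```python
"""Insider-activity detection over constructed file-access logs.

Builds a per-user baseline from historical log lines and flags new events
that deviate from it: access at an hour the user never works, or a data
volume far above their usual size. All usernames, paths and timestamps are
made up for illustration; the log format is an assumption of this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line: str) -> dict:
    """Turn one log line into a dict; refuse anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def build_baseline(history: list) -> dict:
    """Per user: the hours of day they normally act and their median bytes per event."""
    hours = defaultdict(set)
    sizes = defaultdict(list)
    for line in history:
        rec = parse_line(line)
        hours[rec["user"]].add(rec["ts"].hour)
        sizes[rec["user"]].append(rec["bytes"])
    return {u: {"hours": hours[u], "median_bytes": statistics.median(sizes[u])} for u in hours}


def detect(baseline: dict, new_lines: list, volume_factor: int = 20) -> list:
    """Return (user, alert_kind, raw_line) for each event that deviates from
    that user's own baseline. A user with no baseline is itself an alert."""
    alerts = []
    for line in new_lines:
        rec = parse_line(line)
        base = baseline.get(rec["user"])
        if base is None:
            alerts.append((rec["user"], "unknown-user", line.strip()))
            continue
        if rec["ts"].hour not in base["hours"]:
            alerts.append((rec["user"], "off-hours", line.strip()))
        if rec["bytes"] > volume_factor * base["median_bytes"]:
            alerts.append((rec["user"], "bulk-volume", line.strip()))
    return alerts


# Constructed history: two tellers doing ordinary daytime work.
HISTORY = [
    "2024-03-04T09:12:03 user=asmith action=read object=/accounts/10231 bytes=2048",
    "2024-03-04T10:41:17 user=asmith action=read object=/accounts/10987 bytes=1536",
    "2024-03-04T14:05:44 user=asmith action=print object=/statements/10231.pdf bytes=4096",
    "2024-03-05T09:30:02 user=asmith action=read object=/accounts/11002 bytes=2560",
    "2024-03-05T15:48:19 user=asmith action=read object=/accounts/10231 bytes=1792",
    "2024-03-04T08:02:55 user=bkhan action=read object=/loans/5540 bytes=3072",
    "2024-03-04T17:55:10 user=bkhan action=read object=/loans/5541 bytes=2816",
    "2024-03-05T12:20:33 user=bkhan action=read object=/loans/5542 bytes=3328",
]

# Constructed new events: a 2 a.m. 900 MB export, a normal read, and an
# account nobody has a baseline for (a leaver whose access was not removed?).
NEW_EVENTS = [
    "2024-03-06T02:13:44 user=asmith action=read object=/exports/all_customers.csv bytes=943718400",
    "2024-03-06T12:07:12 user=bkhan action=read object=/loans/5543 bytes=2944",
    "2024-03-06T11:15:00 user=cdoe action=read object=/accounts/10231 bytes=2048",
]


def run_demo() -> list:
    return detect(build_baseline(HISTORY), NEW_EVENTS)


if __name__ == "__main__":
    for user, kind, raw in run_demo():
        print(f"ALERT {kind:12s} {user}: {raw}")
```

The point of baselining per user rather than per company is that 2 a.m. is normal for a night-shift operator and alarming for a branch teller; a single global “business hours” rule would either miss the first or drown analysts in false positives from the second.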
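The difference between role-based and attribute-based access in the last bullet is best seen side by side. Below is an added example, not code from the article or from any bank’s systems: a static role table that RBAC alone would consult, next to an ABAC policy that evaluates the same request against the employee’s status and branch, the record’s owning branch, the network, the time and whether a service case justifies the access. The branch names, the 10,000 transfer threshold and the business-hours window are assumptions chosen for the example.

```python
"""RBAC versus ABAC for a bank teller (constructed example).

Role-based access answers "may tellers read accounts?" once, statically.
Attribute-based access asks, per request, whether THIS teller may read
THIS account in THIS situation. Users, branches, thresholds and the
business-hours window are all made up for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    branch: str
    status: str              # "active" or "leaver"


@dataclass(frozen=True)
class Resource:
    kind: str                # e.g. "account"
    branch: str              # branch that owns the record


@dataclass(frozen=True)
class Context:
    now: datetime
    network: str             # "branch-lan", "vpn" or "internet"
    case_id: Optional[str]   # open service ticket justifying the access
    amount: int = 0          # transfer amount, 0 for reads


# Static role table: the only thing RBAC consults.
ROLE_PERMS = {
    "teller": {("read", "account"), ("transfer", "account")},
    "fraud-analyst": {("read", "account")},
}


def rbac_allows(sub: Subject, action: str, res: Resource) -> bool:
    return any((action, res.kind) in ROLE_PERMS.get(r, set()) for r in sub.roles)


def _business_hours(ctx: Context) -> bool:
    return ctx.now.weekday() < 5 and 8 <= ctx.now.hour < 18


# ABAC policy: every (name, predicate) rule must hold for the request to pass.
# The role check survives as one attribute among several.
POLICY = [
    ("active-employee", lambda s, a, r, c: s.status == "active"),
    ("role-permits-action", lambda s, a, r, c: rbac_allows(s, a, r)),
    ("same-branch-or-analyst", lambda s, a, r, c: r.branch == s.branch or "fraud-analyst" in s.roles),
    ("trusted-network", lambda s, a, r, c: c.network in ("branch-lan", "vpn")),
    ("transfers-in-hours-from-branch",
     lambda s, a, r, c: a != "transfer" or (_business_hours(c) and c.network == "branch-lan")),
    ("large-transfer-needs-case",
     lambda s, a, r, c: a != "transfer" or c.amount < 10_000 or c.case_id is not None),
]


def abac_decide(sub: Subject, action: str, res: Resource, ctx: Context):
    """Return (allowed, [names of the rules that failed])."""
    failed = [name for name, rule in POLICY if not rule(sub, action, res, ctx)]
    return (not failed, failed)


# Constructed subjects, resources and situations.
TELLER = Subject("asmith", frozenset({"teller"}), "north", "active")
LEAVER = Subject("jdoe", frozenset({"teller"}), "north", "leaver")
NORTH_ACCT = Resource("account", "north")
SOUTH_ACCT = Resource("account", "south")
WED_10AM = Context(datetime(2024, 3, 6, 10, 0), "branch-lan", None)
SUN_2AM_VPN = Context(datetime(2024, 3, 10, 2, 0), "vpn", None, amount=25_000)


def run_scenarios() -> dict:
    """Each entry: (rbac_allowed, abac_allowed, failed_rules)."""
    cases = {
        "own_branch_read": (TELLER, "read", NORTH_ACCT, WED_10AM),
        "other_branch_read": (TELLER, "read", SOUTH_ACCT, WED_10AM),
        "leaver_read": (LEAVER, "read", NORTH_ACCT, WED_10AM),
        "offhours_large_transfer": (TELLER, "transfer", NORTH_ACCT, SUN_2AM_VPN),
    }
    out = {}
    for name, (sub, action, res, ctx) in cases.items():
        allowed, failed = abac_decide(sub, action, res, ctx)
        out[name] = (rbac_allows(sub, action, res), allowed, failed)
    return out


if __name__ == "__main__":
    for name, (rbac, abac, failed) in run_scenarios().items():
        print(f"{name:24s} rbac={rbac!s:5s} abac={abac!s:5s} failed={failed}")
```

RBAC says yes to all four requests because a teller is a teller. The attribute policy lets through only the first, and reports which condition blocked each of the others, which is exactly the evidence an investigator or an auditor wants to see.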
Though banks are generally doing a good job with security, it is an intense cat-and-mouse game that won’t end anytime soon.
“The very nature of fraud and cybercrime means that this is, and will remain, an ongoing battle. With banks being such a rich target for cybercriminals, the battles will continue,” predicts Jones. Banks need to stay vigilant to avoid attacks, and partnering with MSPs can help.
Photo: Luca Santilli / Shutterstock