Threat actors have stepped up their attacks against financial institutions in recent years. According to CIO Dive, a 2019 report found that digital attackers targeted organizations in the financial services sector 300 times more often than they did entities in other industries. The security community witnessed something similar in the wake of the pandemic, with ZDNet disclosing a connection between COVID-19 and a 238% surge of digital attacks against banks.
Those successful operations weren’t cheap. In its Cost of a Data Breach Report 2021, for instance, IBM found that financial services were the second-highest industry in terms of average data breach costs for the year at $5.72 million. That price tag is less than it was in 2020 at $5.85 million, but it’s still greater than the $4.24 million average data breach cost across all other sectors. No wonder that digital attackers brought a total of $100 billion in losses to financial institutions, per Cybersecurity Insiders.
What’s Driving These Attacks and Their Associated Costs?
The attacks alluded to above originated from different types of threat actors and leveraged different entry vectors. But some varieties were more common than others. For example, Verizon Enterprise observed in its Data Breach Investigations Report (DBIR) 2021 that 44% of data breaches in the sector originated from Internal actors, thereby perpetuating an increase first begun in 2017. Many of those individuals’ actions occurred by accident. One such action, sending emails to the incorrect recipient, constituted more than half (55%) of all Error-based breaches for the industry and 13% of all breaches for the year.
By contrast, External actors focused on Credential attacks, Phishing campaigns, and Ransomware infections as their top attack varieties. Those attackers primarily succeeded in compromising Personal data in the process, though they also obtained Credentials and Bank data in some cases. These are all types of information that they could have easily monetized on the dark web. Such information allows other digital attackers to take over victims’ accounts and withdraw all their funds. They can also use victims’ stolen banking information to commit payment card fraud or open new accounts that help to facilitate money laundering schemes.
Smaller Banks and Credit Unions Are Struggling to Protect Themselves
Financial institutions of all shapes and sizes are struggling to mitigate these different threats, but smaller banks and credit unions are having a particularly difficult time due to the ongoing cybersecurity skills gap. Credit unions and smaller banks don’t always have the budget to build out robust teams of talented security personnel. In response, they sometimes call on IT personnel and individuals in similar positions to do double duty without giving them the necessary solutions to drive their work. This can sideline security as an afterthought that requires disproportionate amounts of manual work.
Consequently, credit unions and small banks might lack the ability to defend against some of the relevant threats facing them. They might not have the ability to protect their critical systems against ransomware on an ongoing basis, noted Security Boulevard. They also might lack the ability to map all their network-connected devices, including Internet of Things (IoT) products, as well as to review their vendors and partners for potential software security threats.
How Can Organizations Respond to These Challenges?
Credit unions, small banks, and financial institutions more generally aren’t powerless to defend against the security threats identified above. For instance, they can protect against ransomware by conducting regular vulnerability assessments and analyses to address system weaknesses and emerging attack vectors. They can also turn to asset inventories as a way of detecting and mapping their IoT devices, all while vetting their vendors based on their security practices. They just need the right partner to work with them and help them overcome a lack of skilled personnel and available security budget.
That’s where ITEGRITI comes in. The company uses penetration testing, security assessments, and site walk-downs to help defend its customers against data destruction events such as ransomware. Simultaneously, it can help customers design a security training and awareness program that educates employees on how they can protect their employer against ransomware infections and other threats.
ITEGRITI also takes a full-fledged approach to asset security. It comes with the ability to inventory business-critical assets and to protect information that’s stored on them. What’s more, it uses secure configuration to hold IoT devices and other assets to a known secure baseline.
Finally, ITEGRITI blends network security best practices with supply chain management and vulnerability management. This helps security teams to assess their suppliers and to take care of known security flaws while designing their customers’ networks in such a way that will help to mitigate the impact of a potential data breach.
Learn more about how ITEGRITI can strengthen your financial institution’s digital security.