The battle against cybercrime
Steps to improve cyber resiliency
By Bob Barker
“Hackers hit Texas bank for millions!”
That fictional headline represents every bank president’s worst nightmare. Cyberattacks are now the No. 1 existential threat to business in general. Investopedia surveys of bank executives and banking experts consistently identify cybercrime as the leading risk to banks.
Bank auditors demand robust cyber risk management as well as strong financial management. Balancing investment in cyber risk mitigation versus investing in growing assets is a tension continually faced by bank managers. However, that tension is often resolved in favor of spending on growing the bottom line rather than on mitigating cyber risk.
What types of threats should banks be concerned with?
How can they best mitigate the risk that cyberattacks represent?
What are a few critical steps they should take?
And finally, how can they move from focusing on audits to actively managing cyber risk and resilience?
Leading cyber threats
Hackers who stole $100 million from Bangladesh’s Central Bank in early 2016 used the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network to fool the Federal Reserve Bank of New York into moving the funds into an account they controlled. Later that year, $31 million was stolen from Russia’s Central Bank. Both events establish that hackers will steal directly from banks if they can. The Capital One and Equifax breaches underscored the massive cyber risk faced by all financial services institutions.
Continuing demands for a variety of online banking services, driven chiefly by younger consumers, exacerbate this risk. As the American Bankers Association recently pointed out, “Criminals are constantly searching for creative new ways to obtain money from banks and customers through fraud and cybersecurity vulnerabilities. And as consumers and businesses rely more on electronic devices, such as computers, tablets and smartphones to bank and shop online, vulnerabilities increase.”
Banks can experience several forms of attacks, each inflicting different types of damage:
- Password attacks use several techniques to identify passwords and gain entry into critical systems, including recording keystrokes and sending data to hackers. Multiple credentials are often captured and recorded for later use in stealing funds and data.
- Distributed Denial of Service (DDoS) attacks can shut down bank operations. Malware takes over thousands of devices across the internet, which then flood the bank's site with massive amounts of fake traffic that keeps customers from accessing their accounts. While direct financial losses may not be incurred, the loss of consumer confidence and, as a result, lost customer business can be substantial.
- Social engineering (e.g., phishing) results in malware inserted into systems that extracts and sends customer data (names, SSNs, phone numbers, email addresses) to bad actors who sell it on the dark net or use it to gain access to user accounts. In the 2013-2015 timeframe, a cybercrime group called Carbanak stole $1 billion from 100 banks worldwide through a phishing campaign. Their attack on Chase alone affected 83 million customers when a single Chase server lacking two-factor authentication enabled a breach, despite Chase having spent $250 million per year on cybersecurity.
- Ransomware attacks are used by modern bank robbers to encrypt data and make a demand for payment to unlock the data. As reported in American Banker, “Banks remain a top target for ransomware and malware in general, as cyberthieves simply follow the money. Verizon reported that 76% of all data breaches last year were financially motivated.”
Verizon statistics reveal that email delivers 92% of ransomware attacks, with unsuspecting recipients clicking on a link that embeds malware. For example, Adams Bank & Trust of Ogallala, Nebraska, has suffered several malware attacks over the past few years, and each recovery has consumed hours of work restoring files and reentering data.
A few basic steps can greatly improve a bank’s cyber resilience:
- Inventorying all devices and software in the network is a basic step that banks may not keep up to date, yet it’s critical to an effective cyber resilience program. Without it, security updates and modifications may be missed, and a single missed device or a single application can allow a bad actor to access critical data.
- Keeping software patches up to date is another basic way to close gaps in protection, yet many organizations don’t have the right processes in place to ensure that it’s done regularly. The massive Equifax breach wasn’t caused by a technology failure; the company had inadequate controls in place to ensure that patches were installed regularly and in a timely way.
- Adopting two-factor authentication broadly is a simple and effective method to protect assets. A temporary code is sent to the customer's cell phone before they can log onto the network. It is even more effective when combined with a challenge/response test (e.g., CAPTCHA) to determine whether or not the user is human, in order to block automated attempts to gain entry.
- Implementing a thorough incident response plan limits damage after a breach. Establishing an incident response playbook and protocols, and training key stakeholders on them, closes the window of time in which hackers can damage the institution.
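The first two steps above, an up-to-date inventory and timely patching, are easy to state and hard to keep honest. The following is an added example, not code from the article or from any bank mentioned in it: it reconciles a constructed asset inventory against a constructed discovery scan, flags the "single missed device" (on the network but not in inventory), stale inventory entries, and assets whose last patch is older than an assumed 30-day policy. All hostnames, dates and the 30-day SLA are assumptions.

```python
from datetime import date

# Constructed sample records (not from the article): what the bank's asset
# inventory claims, and what a network discovery scan actually observed.
INVENTORY = [
    {"host": "core-db-01", "software": "postgres 13", "last_patch": date(2023, 9, 1)},
    {"host": "web-01", "software": "apache 2.4", "last_patch": date(2023, 6, 15)},
    {"host": "teller-07", "software": "windows 10", "last_patch": date(2023, 9, 20)},
    {"host": "old-atm-gw", "software": "custom gateway", "last_patch": date(2022, 1, 10)},
]
DISCOVERED = {"core-db-01", "web-01", "teller-07", "printer-lobby", "rdp-jump-02"}

PATCH_SLA_DAYS = 30              # assumed policy: every asset patched within 30 days
AS_OF = date(2023, 10, 1)        # assumed "today" for the sample run


def reconcile(inventory, discovered, today=AS_OF, sla_days=PATCH_SLA_DAYS):
    """Compare inventory with discovery and patch ages; return the findings."""
    known = {rec["host"] for rec in inventory}
    findings = {
        # Seen on the network but absent from inventory: the device nobody
        # is patching or monitoring, i.e. the "single missed device".
        "unknown_hosts": sorted(discovered - known),
        # In inventory but not observed: decommissioned, or quietly offline.
        "missing_hosts": sorted(known - discovered),
        # (host, software, days since last patch) beyond the SLA.
        "patch_overdue": [],
    }
    for rec in inventory:
        age_days = (today - rec["last_patch"]).days
        if age_days > sla_days:
            findings["patch_overdue"].append((rec["host"], rec["software"], age_days))
    findings["patch_overdue"].sort(key=lambda f: -f[2])   # most overdue first
    return findings


def risk_score(findings):
    """Crude ranking for the weekly report; the weights are assumptions."""
    return (3 * len(findings["unknown_hosts"])
            + 2 * len(findings["patch_overdue"])
            + 1 * len(findings["missing_hosts"]))


if __name__ == "__main__":
    result = reconcile(INVENTORY, DISCOVERED)
    for key, items in result.items():
        print(f"{key}: {items}")
    print("risk score:", risk_score(result))
```

Running it against the sample data surfaces two unmanaged hosts, one inventory entry that has vanished from the network, and two assets well past the patch window; the same reconciliation run on a schedule is what turns an inventory from an audit artifact into an operational control.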
Critical steps in managing cyber risk
Cyber breaches have become a full-fledged enterprise risk. Everyone, starting with the board of directors, needs a basic understanding of how cyberattacks work and their responsibilities for overseeing cyber risk. Financial institutions with successful cyber risk management programs take a holistic approach to the policies, processes and people required.
Two key federal frameworks provide a comprehensive approach to managing cyber risk. In 2014, the National Institute of Standards and Technology (NIST) released version 1 of its Cybersecurity Framework (CSF) in response to a presidential mandate. NIST had engaged 3,000 cyber experts from business, government and academia in developing what has now become a widely used de facto standard for measuring and managing risk.
A year later, the Federal Financial Institutions Examination Council (FFIEC) took NIST CSF as its inspiration to create its Cybersecurity Assessment Tool (CAT), a more detailed assessment narrowly targeted at financial institutions. More than 500 items are evaluated to determine a bank’s inherent risk level and its cybersecurity maturity.
The FFIEC CAT is now a key part of any bank's audit, and banks with a cyber-conscious culture treat those audits as an opportunity to improve. Proactive banks actively manage cyber risk as a component of everyday operations. Banks pursuing a cyber-conscious culture are using both frameworks, an approach that FFIEC encourages.