Due to obvious financial motivations, banks have always been a primary target for cyber-criminals. But, as much as banks are huge repositories for cash, they are also now ‘data vaults.’ In today’s data-driven world, financial services companies hold a huge amount of sensitive customer information, making them a tempting target for cyber-criminals intent on fraud and identity theft.
In 2018 we’ve seen many regulations – such as the General Data Protection Regulation (GDPR) – come into force, aiming ultimately to protect consumers, but also to educate them on the value of their personal data. Banks and financial institutions, for example – among the most regulated industries – are required to have clear compliance management systems in place to remain trusted stewards of our money and our data. However, regulatory checks and compliance statuses do not make organisations untouchable in the face of cybercrime.
In fact, highly regulated industries such as banking have a problem: the belief that a business is compliant may lead employees to believe naively that their corporate inbox is immune to threats. But is it really?
Cyber resilience gaps in UK’s financial sector
By the end of 2018, the Financial Conduct Authority (FCA) interviewed nearly 300 financial services firms to gain a better understanding of the financial industry’s cyber capabilities. The report entitled Cyber Technology Resilience essentially criticised UK banking chiefs as ‘overconfident’ and ‘oblivious’ to the risks posed by major technology projects.
The results showed that financial services firms’ IT security is in a bad state and that a lack of cyber-security knowledge (especially among managers) is putting firms, and their clients, at risk. According to the findings, a third of businesses do not perform regular cyber-security assessments, despite cyber-attacks now accounting for 18 percent of all operational incidents. While businesses do have technology in place to prevent attacks and support defence, most firms rank cyber-resilience as their top concern, with responses highlighting weaknesses in three areas: people, third-party management, and protection of key assets.
These findings prove that management teams within the financial services sector are far too reliant on technology products to protect their organisations. They regard humans as the “weakest link in the security chain.” This approach needs to change, especially given that companies cannot afford to ignore the most critical element in any cyber-security system – the human element.
At Cofense, we have seen how a human focus can work in practice. One example is the use of .com extensions in phishing emails that target financial services departments in the United States. The number of unique samples with the .com extension that we analysed last October dropped from 134 a month to only 34 samples reported in the nine months preceding. Some might be surprised, but it was human intuition which made this possible.
Looming threats stopped early
Threat actors are more sophisticated than ever. They are using clever tricks to ensure that phishing email attempts glide swiftly past expensive perimeter defence technologies. It’s now inevitable that phishing emails will make their way into an organisation completely undetected.
The key to stopping active attacks and preventing a potential data breach is to disrupt the kill chain prior to infection. To achieve this, an organisation’s defence strategies need to combine two critical elements: behaviourally trained employees who can recognise and report suspicious emails, along with appropriate technology that works alongside operations teams to quickly analyse and block the threat.
There’s a constant battle between cyber threats and defence systems, but the key to tackling pervasive cyber-attacks is proactivity. The days of relying solely on firewalls and email gateways are behind us. In fact, the very concept of ‘silver-bullet technology’ as the primary and sole defence mechanism in a company’s IT arsenal is ineffective and old-fashioned.
Phishing targets people – your employees – and with 92% of global information workers using email regularly as part of their job, it’s no surprise. To react quickly to threats, businesses must encourage employees to be a last line of defence and report suspicious emails, then empower incident response teams with both the reported phishing intelligence and key technologies to stop attacks which otherwise may have gone unnoticed.
A couple of months ago, we observed one financial services company in the United States come under a sustained phishing attack and successfully repel it in under 10 minutes. The attack was a simple notification email stating that a credit card company had noticed ‘unusual, recent activity’ in recipients’ accounts. The email instructed employees to click a link to a My Account page, where they could verify and protect their personal information. Instead, recipients were directed to a malicious landing page, which asked for a wealth of sensitive, personal data such as name, address, social security number, and email.
To stop the attack in play, the company used a complex, highly effective strategy: a combination of phishing intelligence reported by employees, sophisticated phishing response technology, and a trained in-house security operations team. This strategy allowed them to quickly analyse, respond to, and ultimately shut down the attack before a breach occurred.
In this case, attackers were after personal data, rather than company information, yet it would have been easy for the criminal to use this data to target the entire organisation. Luckily, within minutes of the email landing, the IT security team leveraged the attack intelligence reported by employees, immediately blocked the page’s domain before any of the targeted employees entered their data, and pulled the malicious emails from inboxes, neutralising the threat.
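The triage step described above (take a reported lure, identify the link it points at, block the host, and build a query to pull the same message from other inboxes) can be expressed as a small defender-side script. This is an added example, not Cofense’s code or tooling; the message and the allowlisted host are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the "unusual, recent activity" lure (not a real message).
REPORTED_EML = """From: "Card Services" <alerts@cardsupport-notice.example>
To: employee@bank.example
Subject: Unusual, recent activity on your account
Content-Type: text/html; charset=utf-8

<p>We noticed unusual, recent activity in your account.</p>
<p>Please visit <a href="http://verify-myaccount.example/login">My Account</a>
to verify and protect your personal information.</p>
"""

# Assumed allowlist: the host the genuine card portal would actually use.
TRUSTED_HOSTS = {"cards.bank.example"}


class LinkCollector(HTMLParser):
    """Collect (href, visible link text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_eml):
    """Return hosts to block and a purge query for a reported phishing email."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    parser = LinkCollector()
    parser.feed(body)
    hosts = {urlparse(href).hostname for href, _ in parser.links}
    block_hosts = sorted(h for h in hosts if h and h not in TRUSTED_HOSTS)
    # Sender address and subject are enough to find and pull the other copies.
    purge_query = {"from": msg["From"].addresses[0].addr_spec,
                   "subject": str(msg["Subject"])}
    return {"block_hosts": block_hosts, "purge_query": purge_query,
            "links": parser.links}
```

Any link whose visible text names the bank’s own service (“My Account”) but whose host is not on the allowlist is the one to block; the purge query is what the operations team would hand to the mail platform to remove unopened copies.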
Bridging the ever-growing gap
Over the past twelve months we have seen too many data breaches, most of them making headlines. In December last year, malicious actors delivered dozens of bomb threat ransom emails in a vast phishing scam targeting users in the United States, Canada, and New Zealand. In light of these incidents, IT teams need to be armed with a strategy that improves as quickly as cyber-threats evolve. To achieve a risk-averse culture within a company, email threats must be treated with insightful scrutiny and educated analysis, so they can be eradicated immediately.
Delivering anti-phishing simulation training to employees, so they can understand what a threat looks like and how to flag suspicious emails, will help security teams block active phishing attacks – before the threat actors can collect their ransom. Human intuition is key in stopping active attacks that bypass perimeter technology defences. Businesses need to recognise this, sooner rather than later.
Darrel Rendell is Principal Intelligence Analyst, Cofense