It is estimated there are over 2,200 cyber-attacks every day. That’s one every 39 seconds. No company or government is shielded from cybercriminals.
Global losses from cybercrime exceeded $1 trillion in 2019, as reported from a study conducted by McAfee Corporation and the Center for Strategic and International Studies (CSIS). That number was an increase of 50% from 2018. As technology advances, the severity and frequency of attacks are escalating.
One of the more disturbing cyberattacks that happened at the onset of the COVID 19 pandemic was the hack at Solar Winds, a major US information technology firm providing software to the U.S. Government and Fortune 500 corporations. In February 2020, malicious code was added to the Orion software system used by 33,000 of their customers. It went undetected for months.
When Solar Winds sent out updates to the software during those months, the malware went along with it. This created a backdoor at these customer firms where hackers could spy and obtain information. One hack now affects multiple organizations and runs deep.
The banking sector, of course, is not immune to hacks — and is a prime target for cybercriminals. Cyber threats within the industry continue to evolve and be complex.
We recently spoke to Jeremy Burris, Principal, Technology Services Group at Snodgrass, a Certified Public Accounting and Risk Management company, and Rachael Schwartz, Business Development Director and Director of Partnership at CSI, a FinTech and RegTech firm for financial institutions. Both organizations are PACB Preferred Providers and participants in our education programs.
PACB: What are the primary concerns for security in banking right now?
Burris: “Ransomware. This is the key type of attack for all industries. You can’t stop it from happening, but you can be prepared for it when it does. You don’t want to pay the ransom to get access to your data.”
Schwartz: “Having a secure remote workforce. Banks had to move fast in 2020. Remote access provided for workers created increased vulnerability to computing systems, while at the same time provided more opportunities to those who threaten their security.”
PACB: Is there anything banks can do to prevent cyberattacks?
Burris: “You can’t always prevent an attack — hackers are good at what they do- but you can be prepared. For ransomware, the solution is to have your backup on a network of different systems. It’s still going to cost you in time and manpower to get up and running again, but you are in control of your data.”
Schwartz: “Always be reviewing your systems of prevention and protection. Remote workers require more robust security solutions. Banks who were already on cloud solutions were able to make the transition for remote access easily and quickly. Those who were managing email internally moved to hybrid cloud solutions like MS 365. They learned it was easier not to try to manage it all on their own.”
PACB: How do banks detect when they’ve been attacked?
Burris: “It’s not always immediately known. You’ve got to monitor the alerts. The Solar Winds situation could have started with an employee opening an email with malware. It’s that simple. It’s hard to stay ahead of the attackers, and it becomes very expensive to undo the damage once it’s been done.”
Schwartz: “Detection software is expensive. Attack alerts come in around the clock. You need to filter through to determine which are important. It takes a lot of manpower to manage and investigate the alerts. Many institutions that are handling this on their own drop the ball.”
PACB: How can our members minimize the effect of a cyberattack?
Both Schwartz and Burris agree that outsourcing your Security Operations Center (SOC) provides higher levels of security than trying to manage it in-house. Having security protocols in place around the clock in a 24/7 world has never been more important.
Data is being accessed by employees and clients on desktops, tablets, and phones. These devices are in offices, at home, at coffee shops, and on beaches. Customers are banking through apps and connecting third-party vendors to their accounts. The ways data can be hacked and obtained are innumerable.
Burris: “Cybersecurity is finally being taken more seriously. It is more valuable and important than the money in your vault. That is insured by the FDIC. One breach can take down your organization and not just physically online. You lose trust when people know you’ve been breached and their personal information has been obtained. A lifetime of free identity theft protection service won’t make a difference — their information is out there — and you’ve lost their trust.”
Schwartz: “Create a culture of positivity to properly report on issues — not fear. Promote positive ways of looking at security for both staff and customers. Across the board, people are afraid they did something wrong — when it isn’t their fault. Education of employees and customers is of utmost importance. The human element cannot be controlled, but they can learn their role in security for their organization and personal information.”
Attacks such as the one on Solar Winds are accelerating broad changes in the cybersecurity industry. One such change is how software providers, including Fedwire Funds Service, are protecting themselves from liability for hacks by requiring banks to sign off confirming they checked on and have specific controls in place.
Schwartz and Burris tell us that the first months of 2021 have been the busiest in IT security. With attacks increasing, requirements getting stronger, and work from home becoming the norm, IT security teams are racing to support their clients’ ever-changing security needs.
It’s never been more important to prevent, protect, and detect against cyberattacks.
The National Institute of Standards and Technology (NIST) provides guidance for security and privacy controls across all industries. A recent publication, Control Baselines for Information Systems and Organizations, is a quick-start guide to their flagship risk management tool to help organizations reduce their security and privacy risks more easily. More information can be found at nist.gov/news-events/news/2020/10/nist-offers-quick-start-guide-its-security-and-privacy-safeguards-catalog.
To help your SOC or IT staff stay on top of the latest news, industry professionals and PACB Preferred Providers like Rachael Schwartz and Jeremy Burris regularly present on topics of value to members of PACB on an ongoing basis.
Please visit web.pacb.org/events to see our full schedule of Knowledge Hours, Webinars, On-Demand programs, and educational and training services provided for members of PACB.