Better understand your cybersecurity situation by taking the free risk assessment below
Financial services organizations and other firms that are responsible for the security of consumer financial data must remain vigilant in their cybersecurity efforts throughout 2021. The warning comes from Security Magazine: the high value of financial data, including Social Security numbers, banking details and more, makes it a lucrative target for cybercriminals.
In addition, the expanding adoption of cloud-based services and data storage, more companies implementing remote and hybrid work options, and the growing use of mobile devices for work are together giving cybercriminals an ever-expanding range of opportunities to exploit, explained Jonah Force Hill, executive director of the FBI’s new Cyber Investigations Advisory Board created in September to fight cyber-enabled fraud. “Every organization – providers of financial services, in particular – must remain vigilant in the face of these evolving threats.”
Types of cybersecurity risks
Outdated security functionality
While the threat landscape has evolved, most legacy IT infrastructures have not. Many contain inherent security vulnerabilities that can grow worse over time. In fact, a recent survey of federal IT leaders revealed that 85% believe not updating legacy technology will threaten their agency’s future.
The systems and applications of these outdated infrastructures may have supported cybersecurity best practices when they were developed, but are now incompatible with today’s security features, such as encryption methods and multi-factor authentication. In addition, many security solutions are not designed to support legacy mainframe environments and operating systems, which lack the real-time monitoring needed to identify and resolve cybersecurity intrusions.
A reported 90 percent of all data breaches are the result of human error. Known as social engineering, this type of hack uses psychological manipulation, such as phishing attacks, to get people to perform an action or divulge confidential information for the purpose of fraud or system access.
The world’s most famous hacker-turned-cybersecurity expert, Kevin Mitnick, explains the risk. “Companies spend millions of dollars on firewalls, encryption, and secure access devices and it's money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information.”
The “bring your own device” (BYOD) phenomenon continues to rise in the workplace, according to TechAdvisory.org, a blog that provides tech advice for small businesses. Whether employees are using smartphones, tablets or laptops, there are data security risks companies need to consider.
A personal device that has been infected with malware can spread the malicious software to other devices connected to the company network. Public Wi-Fi spots provide easy opportunities for cybercriminals to intercept data being transmitted over public networks. Finally, employees often bring their personal devices wherever they go. This creates a greater risk of them being lost or stolen, and the company data stored or accessed on the devices being compromised.
Diary of a cybersecurity attack
The following case studies* illustrate how companies fell victim to cybercrime and how they responded.
- Scenario: A small family-owned construction company utilized online banking and automated clearing house (ACH) transfers, with security features that included password protections and challenge questions. When the owner was notified that an ACH transfer of $10,000 was initiated by an unknown source, they contacted the bank and learned that, over the course of a week, cybercriminals had transferred $550,000 from the company’s bank accounts. The attack occurred when an employee opened an email from what they thought was a materials supplier, but was instead an email containing malware from an imposter account. Once the email was opened, cybercriminals used it to install malicious keylogger software that allowed them to monitor computer keystrokes, capture the company’s banking credentials (including account numbers and passwords) and then access banking and other financial services online.
- Response: The company hired a cybersecurity forensics firm to conduct a full cybersecurity review of their systems, identify the source of the incident and recommend upgrades to their security software.
- Impact: After drawing over $220,000 on the company’s line of credit to cover the fraudulent transfers, the bank was able to retrieve $200,000 of the stolen money. The company shut down its bank account and pursued legal action, eventually recovering the remaining $350,000 with interest. But it was not able to recoup any money for its time and legal fees.
- Scenario: A health care system executive left their work-issued laptop containing over 40,000 medical records in a locked car while running an errand. The car was broken into, and the laptop was stolen. It was equipped with security tools and password protection; however, the data stored on the hard drive – including sensitive, personal patient data – was not encrypted.
- Response: The theft was reported to police and the health care system’s IT department disabled the laptop’s remote access and began monitoring activity. The U.S. Department of Health and Human Services was also notified, as Personally Identifiable Information (PII) and Protected Health Information (PHI) data require rigorous reporting processes and standards. A review of internal policies exposed the need to create discipline procedures for employees who violate security standards, while a thorough review of security measures with internal IT staff and ancillary IT vendors revealed other vulnerabilities.
- Impact: The health care system spent over $200,000 in remediation, monitoring and operational improvements. Meanwhile, the data breach negatively impacted its brand, and damaged trust among its constituents had to be rebuilt.
*Courtesy of the U.S. Department of Congress’ National Institute of Standards and Technology Small Business Cybersecurity Corner
Why it's important to understand your current level of risk
The events of this past year – a rapid rise in remote working and pressure to modernize IT infrastructures – have elevated the conversation about responsible cybersecurity in business.
With nearly all financial firms relying on information technology to store, process and transmit information, it is essential to protect this infrastructure from unauthorized access. And yet, firms often fail to understand their vulnerability to attack.
Security risks are not always obvious. Click on the link below to complete a questionnaire about your firm’s IT posture, including both processes and people, and receive a free cybersecurity risk assessment from Coaxis, an endorsed program of the FICPA.