Are Financial Institutions Under Attack?
By: Simon Tang
Thereʼs an old joke about a bank robber who gets caught in the act. After being taken into custody, the police ask him why he decided to rob the bank. He answers, “Because thatʼs where the money is.”
It would seem some Internet hackers have taken this old joke to heart. According to the 2006 Global Security Survey by Deloitte Touche Tohmatsu, over the past year the worldʼs largest financial institutions experienced a surge in the number of security attacks they faced – particularly from external hackers. More ominously, two of the top three most common attacks experienced by the global financial industry were deployed to extort some form of monetary gain.
Security Breaches On The Rise
How steep is the upswing? Well, in 2005, 26 per cent of survey respondents experienced an external security breach, while 35 per cent faced an internal breach. For 2006, those numbers rose to 78 per cent and 49 per cent, respectively. Respondents to this survey, now in its fourth year, include senior security officers from the worldʼs top global financial institutions.
Even more troubling is the fact that these security breaches are becoming increasingly sophisticated. “Execution and exploitation of these attacks require significant resources and co-ordination, which implies professional hackers and organized crime have entered the domain once ruled by ‘script kiddies’ and ‘one-off hackers’,” says Adel Melek, global leader of security and privacy services at Deloitte.
To understand how these threats are rising in virulence, one need only consider the manner in which security attacks have evolved. Not so long ago, Denial of Service attacks were among the most common external threats levelled against organizations. In these attacks, hackers overwhelm a companyʼs network by flooding it with useless traffic, resulting in network slowdowns and crashes.
While Denial of Service attacks are still prevalent, hackers today are displaying a greater range of ingenuity and maliciousness.
Take spyware, for instance. This software secretly installs itself on someoneʼs computer, monitors that personʼs activity on the internet, and then transmits private information to a third party. Taken to the extreme, spyware can capture passwords and even credit card numbers and secretly transmit them back to a hacker – raising serious corporate security concerns.
Phishing attacks use authentic-looking – but bogus – eMails to trick employees and other computer users into visiting authentic-looking – but equally bogus – websites. Once there, the attackers harvest whatever credentials and confidential information the victims type in, for use in identity theft scams.
Pharming raises phishing to a whole new level. Rather than luring victims one at a time, the attacker corrupts name resolution (for example, by poisoning a DNS serverʼs cache or editing the hosts file on a victimʼs computer) so that all traffic intended for a legitimate website is automatically redirected to a bogus one, deceiving hundreds, if not thousands, of unsuspecting surfers in the process.
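The two attacks described above share one symptom: a request meant for a legitimate site ends up at a bogus one, either because the hostname is a lookalike (phishing) or because the real hostname now resolves to the wrong address (pharming). The following is an added example, not code from the original article or from Deloitte, of the checks a bank security team could run on URLs pulled from eMails and on a workstationʼs hosts file. The protected domain `examplebank.com`, its address range `203.0.113.0/24` and the sample hosts file are all constructed for the example.

```python
"""Flag phishing lookalike hostnames and pharming-style hosts-file overrides.

Added example; not part of the original article. Domain, address range and
hosts-file contents below are constructed test data.
"""
import ipaddress
from difflib import SequenceMatcher

# Assumed: a list a bank's security team would maintain of its own domains
# and the address ranges those domains legitimately resolve to.
PROTECTED_DOMAINS = {
    "examplebank.com": ["203.0.113.0/24"],  # TEST-NET-3, constructed
}

# Character substitutions commonly used in lookalike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("-", ""))


def normalize_label(label: str) -> str:
    """Fold confusable characters so 'examp1ebank' compares equal to 'examplebank'."""
    label = label.lower()
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def registrable(host: str) -> str:
    """Crude registrable-domain extraction (last two labels); assumes no multi-label public suffixes."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a hostname seen in an eMail link."""
    host = host.lower().strip(".")
    for dom in PROTECTED_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return "legitimate"
    reg_sld = registrable(host).split(".")[0]
    for dom in PROTECTED_DOMAINS:
        dom_sld = dom.split(".")[0]
        # Brand used as a subdomain of an attacker-controlled domain:
        # examplebank.com.secure-login.net
        if dom in host:
            return "lookalike"
        norm_reg, norm_dom = normalize_label(reg_sld), normalize_label(dom_sld)
        # Confusable substitution (examp1ebank.com) or brand embedded with
        # extra words (examplebank-secure.com).
        if norm_reg == norm_dom or norm_dom in norm_reg:
            return "lookalike"
        # Typosquats one or two characters away from the real name.
        if SequenceMatcher(None, reg_sld, dom_sld).ratio() >= 0.8:
            return "lookalike"
    return "unrelated"


# Constructed sample hosts file: one entry points a bank hostname at an
# address outside the bank's known range, the signature of a local pharming edit.
HOSTS_SAMPLE = """# constructed sample hosts file
127.0.0.1      localhost
203.0.113.10   www.examplebank.com
198.51.100.7   online.examplebank.com   # pharming-style override
"""


def hosts_overrides(hosts_text: str) -> list[tuple[str, str]]:
    """Return (hostname, address) pairs that map a protected domain outside its known ranges."""
    findings = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line; not an override we can assess
        for name in names:
            for dom, ranges in PROTECTED_DOMAINS.items():
                if name == dom or name.endswith("." + dom):
                    if not any(ip in ipaddress.ip_network(r) for r in ranges):
                        findings.append((name, addr))
    return findings


if __name__ == "__main__":
    for h in ("www.examplebank.com", "examp1ebank.com",
              "examplebank.com.secure-login.net", "example.org"):
        print(f"{h:40} {classify_host(h)}")
    print(hosts_overrides(HOSTS_SAMPLE))
```

The hosts-file check only catches the local variant of pharming. A poisoned DNS cache leaves the hosts file untouched, so the same address-range comparison should also be applied to what the resolver actually returns for the protected hostnames; that lookup is omitted here so the example runs offline.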
Then thereʼs Ransomware, a new type of attack that spreads via eMail attachment or as a link on a seemingly legitimate website. Once launched, Ransomware spreads through a computer userʼs system and encrypts common file types such as Word documents, Excel spreadsheets, and JPEG images. When they try to open a file, users are told they can only obtain the decryption key by paying a ʻransomʼ to a Yahoo eMail address or PayPal account.
The ransom is typically small enough that desperate victims will consider paying it quickly so they can move on – fuelling the hackersʼ ongoing, and lucrative, scam.
How pervasive are these risks for the global financial industry? The Deloitte Touche Tohmatsu survey says phishing and pharming accounted for 51 per cent of the external attacks levelled against financial institutions, while spyware accounted for a further 48 per cent.
The Costs Of Vulnerability
The costs of these security breaches extend far beyond lost productivity. A downed website can cost an organization hundreds of thousands of dollars for every hour of downtime. The costs are even higher for eCommerce organizations. For their part, 72 per cent of the global financial institutions that experienced security breaches indicated the estimated amount of damage to the organization was in the range of US$1 million.
Beyond lost revenues lies lost trust. Often, all it takes is one breach or anomalous event to drive large numbers of clients to the competition. This is particularly true for the financial services industry, where security missteps can literally cost customers their life savings.
“Organizations not only face more sophisticated and harder to track attacks, but are also challenged by increased risk and potential loss,” Melek confirms. “Financial institutions should take these factors into account in their overall security strategy.”
Financial institutions seem to be doing just that. The global financial services sector continues to take steps to fend off these ongoing threats, despite the rising number of attacks it faces.
For 2006, the top security initiatives adopted by global financial institutions include the prevention of identity theft and account fraud, improved identity and access management, and robust disaster recovery and business continuity planning.
In fact, Canadian financial institutions lead the pack, coming in second only to Japan when it comes to adopting an enterprise-wide business continuity management program. All Canadian respondents to the survey confirmed having a program to manage privacy compliance, which is headed by a designated executive. Canadian financial institutions reported having C-suite acknowledgment of security as a critical business issue, while 91 per cent reported having both commitment and funding to address regulatory requirements related to their security initiatives.
However, while the security initiatives currently under way throughout the financial services industry are critical, they may not be sufficient. Thatʼs because a true security posture is often less about antivirus software and firewalls than it is about simple human behaviour.
Think of it this way. Even if an organization adopts the most robust systems to prevent security breaches and attacks, those systems are bound to fall short unless employees understand the critical role security awareness plays throughout the organization. Thatʼs because many of the most prevalent attacks against financial institutions rely on the unwitting help of internal staff.
Take Ransomware or phishing, as examples. Each time employees open an eMail attachment they donʼt recognize, or innocently click on a suspicious web link, they expose their organization to the very real threat of a malware infection. Barring intentional fraud or other forms of internal security breaches, most employees would be horrified to discover they could be responsible for wreaking havoc on the corporate network or web presence.
The solution, then, is strategic in nature. Instead of looking at security as a never-ending series of tactical responses to tactical threats, the forward-thinking organization must take a broader view. A secure future originates at the management level and manifests as a long-term commitment to proactively managing the security environment by educating the workforce. Simply put, to succeed over the long term, security awareness must be fully integrated into a companyʼs existing employee training efforts.
An Integrated Approach To Vulnerability Management
Although security awareness and training were top issues for global financial institutions in past years, they seem to have dropped in priority for 2006. This year, only 34 per cent of survey respondents provided their staff with information security and privacy training. Additionally, the most common type of training relied on web page alerts and eMails, rather than traditionally more effective methods such as orientation training and recognition of exemplary behaviour.
To truly counteract ongoing security threats, however, this trend will have to change. To ensure employees take a consistently security-aware approach, financial institutions – and other organizations – must integrate vulnerability best practices into all technology and process training programs and they must reinforce the priority role each employee plays in maintaining enterprise-wide security. In addition, they must expose potentially risky behaviours, along with strategies for counteracting those risks.
Driven by management, these initiatives must extend to stakeholders across the entire organization and as such, they must also be supported by ongoing funding. This is an important point to make for Canadian financial institutions, which have one of the lowest proportionate security budgets among all western mature markets.
Finally, it is important for financial institutions to recognize that vulnerability management must represent a full-time focus. As attacks and viruses continue to evolve, organizations will increasingly have to turn to outside specialists to counteract these ongoing threats. In the world of security, itʼs essential to consult specialists who understand how organizations are exposed to risk and what they must do to minimize this risk, as a lack of specialized skills can do more harm than good.
As corporate reliance on electronic systems continues to grow, there is little doubt that financial institutions will remain targets for enterprising hackers. There is also no doubt that financial institutions will continue to adapt and respond to – and ideally eliminate – security threats. As the 2006 survey concludes, global financial institutions are in fact attentive to the fast-paced and changing security environment and they understand the necessity of shifting their priorities and taking the necessary measures to mitigate the various security risks and challenges.
Yet, while it is only natural to focus on the most imminent threats, organizations must also strive to maintain a balanced approach to their security initiatives. By adopting an integrated vulnerability management stance, financial institutions will be better placed to assess areas of emerging risk and understand the potential costs of these risks. Working with experienced specialists, financial institutions can also begin to prioritize their responses with an aim of making their systems increasingly resilient to attacks.
Thus, employees will gain the training they need to help protect corporate assets, financial institutions will enjoy a higher level of security awareness and responsiveness, and the public will gain much-needed assurance in the reliability and integrity of their financial services providers.
Simon Tang is a partner with Deloitte Security & Privacy Services, specializing in risk assessment and evaluation of controls relating to computer systems and networks.