The financial services sector has always been an attractive one for criminals looking to commit fraud and other crimes. However, what has changed is the sophisticated methods now being used by criminals to target financial services.
The frequency of these attempts is always growing, owing to the digital environment that they currently operate in. Cyber security for financial services is crucial because the consequences of breaches for these businesses can be severe.
Research by the Boston Consulting Group estimates that financial services firms are around 300 times more likely to be the victims of a cyber attack than companies in other sectors.
The challenges of cyber security for financial services
A 2020 investigation into data breaches by Verizon revealed that 63% of cyber attacks carried out on financial institutions are at the hands of criminals who are motivated by financial gain.
Cyber crime has increased both the speed at which these threats arrive and the severity of their consequences for financial services organizations.
According to a 2020 IBM report, data breaches in the financial services sector cost an average of $5.85 million compared with $3.86 million in other sectors.
There are also regulatory issues at play. Depending on the requirements of the jurisdiction you operate in, there can be major penalties for failing to secure customers’ private data. Likewise, the industry increasingly has to ensure that it is compliant with anti-money laundering regulations.
There can also be other legal ramifications if the institution fails to provide services to those it is contracted with.
And at the end of the day, major security breaches in the financial services sector can be devastating for corporate reputation. Customers need to be able to trust that their finances and other details are secure after all.
Vulnerabilities in financial services cyber security
Criminals targeting the financial services sector will typically carry out attacks that include social engineering, DDoS attacks, malware, and fraud. But there are other vulnerabilities and cyber security threats to the financial sector as well, including from employees.
Leaders in the financial services sector can take proactive steps to mitigate these risks, not just by having the technical systems in place but by also ensuring the way they deliver services and educate their team members and clients reflects this too.
1. The evolution of cyber crime
Cybercrime continues to evolve and become more sophisticated in its delivery, keeping pace with technological change. The same cyber threats are still there, such as phishing and ransomware, but the way they are delivered is always changing. Emails may purport to be from a trusted member of the company or ask for payment for an invoice that looks legitimate. Or scammers may call on the phone to persuade the target to take actions like downloading information or sending money.
What to do: Regularly communicate about cyber threats and cyber security
With so many information security threats emerging in this space, it is necessary to carry out an ongoing internal communications campaign reminding employees of different types of threats and what steps they need to take in order to keep company and customer data safe.
You can display tips about emerging threats prominently on screensavers and corporate lock screens or on desktop tickers where you can be guaranteed your employees will see them.
2. Ransomware continues to rise
Ransomware is malicious software that finds its way onto a company’s systems and will restrict access until the company pays criminals a sum of money to get the access back. However, even paying this ransom doesn’t guarantee that the systems will be returned to working order, so the information security risk is enormous.
An Accenture report found that financial services companies affected by ransomware can expect to take 33.8 days to resolve the problem, on average, which is a lot of down time for any company – let alone a financial services company whose customers expect them to be available 24/7.
What to do: Have business continuity processes in place
Being prepared to lose access to systems can help your company navigate its way through if it finds itself mired in a ransomware attack. Having a plan in place is the first step, but it is also important that you take other measures such as ensuring routine backups of data.
Educate your employees on ransomware and how it can find its way onto the system. Quiz them to ensure that they understand the education material you have sent them.
3. Changed working arrangements because of COVID-19
With the shift to remote working for many employees during the COVID-19 pandemic, a new set of information security challenges has emerged for companies around the world. The move was so sudden for many that there wasn’t an appropriate time to ensure that proper cybersecurity mechanisms were put in place, including updating cybersecurity policies.
And this risk is front-of-mind for many leaders in the financial services sector.
A recent survey by global cybersecurity company ESET found that 87% of leaders in the banking and finance industries thought they could be affected by a COVID-19 related cybersecurity incident.
What to do: Review your systems and update them to ensure they reflect the current environment
Companies need to take steps to bolster their cybersecurity measures so that employees working remotely are able to work securely, with information security treated as a priority. This also includes updating any relevant policies, procedures and protocols for accessing information online (for example, not using public Wi-Fi, and what to do if a corporate device is lost or stolen).
Good employee communication is key once more. Send hints, tips and reminders via pop-up notifications to reinforce the importance of cybersecurity and inform employees about the cyber security risks during the pandemic.
4. DDoS attacks are an increasing cyber security threat
Distributed denial of service (DDoS) attacks are designed to cripple an intended target’s ability to provide online services. This happens when its online systems are flooded with requests, which overwhelms them and takes them offline. This forced downtime can translate to huge financial losses for the company that’s been targeted.
Cyber security company Imperva found a 30% increase in DDoS attacks on financial services companies during 2020.
An additional threat, the Ransom DoS (where criminals attempt to extort a company by promising they will cripple its servers if they do not pay a ransom) is also on the rise.
The Financial Services Information Sharing and Analysis Center (FS-ISAC) estimates that this has targeted more than 100 financial services companies since 2020, including banks, payment companies, exchanges, credit card issuers, payroll firms, insurance companies and more.
What to do: Be prepared for when, not if, a DDoS could happen
Ensure that the internet service provider your company uses has the appropriate bandwidth to handle large volumes of traffic. It should also be able to throttle an influx of bad traffic quickly. Many companies mistakenly believe that by moving to cloud hosting, the dangers to information security are minimized. The reality is, the dangers are still there – they’re just shifted to a new location. There are specialized DDoS mitigation services you can enlist to help keep your systems available under attack.
5. Social engineering scams
Criminals attempting to gain sensitive information from people by purporting to be someone, or something, that they aren’t is nothing new. Phishing, for example, has been around for a long time – where emails are sent that contain links to fake websites to gain password credentials.
Despite people being more aware of these scams than ever, the phishers aren’t going away.
Statista data shows that in the fourth quarter of 2020, financial institutions accounted for 22.5% of phishing attempts worldwide, and this sector was the second most targeted overall.
Other forms of social engineering, such as “whaling” – where scammers pretend to be a trusted figure from within a company to trick junior employees into providing money or credentials – are also rising.
What to do: Educate your customers as well as your staff
These types of scams usually affect financial services companies because they are sent to customers by scammers pretending to be the company itself. Education campaigns aimed at your customers can help them to identify suspicious emails and give them information on what to do immediately if they believe they have been compromised.
When new threats emerge, you should send information to your customers and use your website and social media channels to alert them to these threats.
For your employees, you should also send alerts when there are new threats targeting the company, and run ongoing education campaigns about social engineering and how to stay safe.
6. Internal fraud monitoring challenges
One of the greatest risks for financial institutions can come from the inside: internal fraud perpetrated by employees.
A 2020 report from the Association of Certified Fraud Examiners estimated that financial services companies make up the largest share of internal fraud in the world at 15.4%.
Detecting internal fraud can be challenging. Financial services firms often look at things like unusual work patterns to determine if an employee could be engaged in fraudulent activity. With the rise of remote work and flexible working arrangements during the pandemic, this can be even more difficult to detect.
What to do: Monitor employees but encourage a culture of compliance
To mitigate internal fraud risks, you must put systems in place to monitor employee activities. This can also include profiling employees and carrying out surprise audits.
However, one of the best ways to be alert to unusual employee behavior is through their colleagues on the ground who work alongside them and may observe suspicious or changed behavior up close.
Create a corporate culture where people feel safe to speak up if they suspect something wrong, protected from reprisals. Education campaigns encouraging employees to speak up can help to reinforce this, such as by using digital signage or intranet content reinforcing this messaging.
7. Poor cyber security hygiene
Insider threats aren’t always a deliberate, orchestrated attempt to commit fraud.
Analysis from the Ponemon Institute found that 62% of insider threats in 2020 happened as a result of either employee or contractor negligence.
There are many ways this can happen, but at the end of the day, it means that something has happened that has resulted in data, finances, or both being compromised.
What to do: Build a culture of security
It isn’t enough to just have an annual cyber security training refresher that you put your employees through; there needs to be ongoing awareness about cyber security risks and what the consequences are for the organization.
Cyber security isn’t just the IT team’s problem: it’s everyone in the organization’s responsibility. Ongoing education about cyber security is necessary. Whether it's sending hints and tips regularly in newsletters or through screensavers, corporate lock screens or scrolling tickers: find creative ways to keep cyber security front-of-mind.
Effective employee communication is key to improving cyber security for financial services
Working proactively with your employees about information security is one of the best defenses you have against cyber threats. Not only will this help your company to mitigate against business losses, but for the employees themselves, you can also help them to be vigilant about threats that exist not only at work but elsewhere in their lives.
Here are 11 different steps you can take to improve cybersecurity awareness through communication:
- Share daily security tips via corporate screensavers and wallpapers or lock screens so they’re the first thing that people see on their screens each day. For example, show password tips on the login screen.
- Offer your employees security training both offline and online that is tailored to the specific threats faced by the financial services sector.
- Regularly offer quizzes on cyber security to determine how knowledgeable your workforce is.
- Encourage your employees to speak up if they feel something is wrong. After all, they are your eyes and ears on the ground.
- Communicate any emerging threats in a timely manner. Send pop-ups to employees’ screens instantly when an emerging issue is detected.
- Send information to employees about known issues and outages when they happen so that you can prevent your IT helpdesk from being overwhelmed. Give estimated system restoration times and update when necessary.
- When you know in advance that systems will be down for maintenance or upgrades, communicate this to employees ahead of time so they can be prepared and adjust their workflows.
- Develop video training resources that highlight different scenarios that financial services employees may be confronted with.
- Overhaul your remote working policies and protocols to ensure they include information about cyber security. Communicate this widely with employees. You can even send a pop-up notification requiring them to acknowledge that they accept and understand the directives.
- Use visual imagery wherever you can, such as photos, graphics or video. Visual communications and video alerts often have more cut-through and retention than text.
- If you have had a cybersecurity incident, communication doesn’t stop when the incident is over. Let your employees know exactly what happened and what the consequences were and how this can be prevented from happening again in the future.
Benefits of communicating with employees about cyber security in financial services
When you enhance security measures and communicate with your employees about the importance of security, there are many benefits, including:
- Protecting valuable data such as intellectual property and customer details from cyber criminals
- Enhancing financial services compliance in line with regulatory requirements
- Building your employees’ information security skill-sets
- Extending the capabilities of the IT and cyber security teams
- Reducing the time it takes to respond to threats
- Creating vigilant employees with the company’s security front-of-mind
- Reducing the risk of costly litigation or financial penalties
- Reducing the risk of reputational damage
Cyber security is one of the most critical issues facing financial sector institutions today. Keeping your employees informed and continuously developing their knowledge and skills in this space is one of the most important things you can do to keep ahead of emerging cyber security threats to the financial sector in order to protect your data and save your organization from a lot of potential pain.