Top 3 Threats Facing Small-Medium Financial Institutions — and How to Combat Them
This is the second installment of a two-part series, focusing on the unique security challenges faced by small-medium sized financial institutions. In this post, we cover the most common data threats these businesses face, as well as tips for combatting those threats.
Cyber-crime affects all organizations, but hackers sure do love FiServs.
In 2018, financial services (FiServ) comprised the second most targeted industry, with obvious enough reason — regardless of shape and flavor, this is where the money (and PII) is. For an attacker, banks, credit unions, brokerages, investment funds and all the other institutions that fall under the umbrella of the financial services industry are fair game.
Though the particular financial sector may not play a large role when it comes to deciding whom to attack, size clearly does matter: according to a recent study by insurance provider Nationwide, the average size of the FiServs targeted in attacks has dropped by 28 percent in the last six years, which suggests that attackers now see more benefit in going after smaller, rather than larger, institutions.
Why have attackers shifted their attention to smaller outlets?
Think about it: smaller FiServs generally have fewer resources to put into security measures, such as implementing the right technology and hiring capable security staff. Their defenses are therefore far less robust, and they are simply, and sadly, easier targets.
What’s worse, without the deep pockets of larger banks behind them, smaller players often find it very difficult to bounce back after an attack. And because smaller institutions are considered lower profile, attacks against them draw less attention, which makes them easier for the attacker to get away with.
Top Threats Facing Small-Medium Financial Institutions
One of the most pressing issues for small to medium FiServs is the threat of malicious insiders. The stakes in the financial industry are sky high and, sadly, no one can be granted trust carte blanche. Well-funded institutions often have measures in place to ensure that employees can only access the exact information they need to perform their job functions.
In smaller organizations this is often not the case, and employees are free to view and copy large amounts of data they don't actually need. If an employee turns on the organization, whether out of a silent grudge or for the chance to make some extra money from a competitor, there is little to stop that person from taking whatever data he or she wants.
Preventing Insider Threats
Preventing insider threats in small-medium financial institutions is difficult, but it can be done. The first step is acknowledging that no one can be considered entirely trustworthy. In practice, this means that no one should be granted access to resources and applications they don't need for their job functions, and that access should be reviewed when people change roles rather than allowed to accumulate over time. When employees leave the organization, their credentials must be revoked immediately, as part of the same process that ends their employment, so that they cannot re-enter the system once they have been terminated.
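The two controls above (access limited to what the role needs, and immediate revocation on departure) are only as good as the check that enforces them. The script below is an added example, not code from the original post: it reconciles an HR roster against a directory export and reports accounts that are still enabled after termination, logins after the end date, accounts with no HR owner, and group memberships beyond a per-role baseline. The roster, the directory accounts and the role baseline are constructed sample data; in a real deployment they would come from the HR system and an LDAP/AD export.

```python
"""Joiner/mover/leaver reconciliation for least privilege and revocation.

Added example. The roster, accounts and ROLE_BASELINE are constructed
sample data, not the post's own tooling.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str
    status: str                      # "active" or "terminated"
    end_date: Optional[date] = None  # set when status == "terminated"


@dataclass(frozen=True)
class DirectoryAccount:
    user: str
    enabled: bool
    groups: FrozenSet[str]
    last_login: Optional[date] = None


# Constructed least-privilege baseline: the only groups each role needs.
ROLE_BASELINE = {
    "teller": frozenset({"branch-staff", "teller-app"}),
    "loan-officer": frozenset({"branch-staff", "loan-origination"}),
    "sysadmin": frozenset({"it-staff", "domain-admins"}),
}

Finding = Tuple[str, str, str]  # (severity, user, detail)


def reconcile(roster: List[HrRecord], accounts: List[DirectoryAccount],
              today: date) -> List[Finding]:
    """Compare directory accounts with the HR roster and return findings."""
    findings: List[Finding] = []
    by_user = {r.user: r for r in roster}
    for acct in accounts:
        rec = by_user.get(acct.user)
        if rec is None:
            # Nobody in HR owns this account, so no job function justifies it.
            findings.append(("high", acct.user, "account has no HR record (orphan)"))
            continue
        if rec.status == "terminated":
            if acct.enabled:
                since = (f" {(today - rec.end_date).days} days after termination"
                         if rec.end_date else "")
                findings.append(("critical", acct.user, "account still enabled" + since))
            if acct.last_login and rec.end_date and acct.last_login > rec.end_date:
                findings.append(("critical", acct.user,
                                 f"logged in on {acct.last_login} after leaving on {rec.end_date}"))
            continue
        # Active employee: any group outside the role's baseline is excess access.
        excess = acct.groups - ROLE_BASELINE.get(rec.role, frozenset())
        if excess:
            findings.append(("medium", acct.user,
                             f"groups beyond {rec.role} baseline: {sorted(excess)}"))
    return findings


def sample_findings() -> List[Finding]:
    """Run the check over constructed data: one leaver never deprovisioned,
    one teller who accumulated loan and admin rights, one orphan service account."""
    today = date(2019, 3, 15)
    roster = [
        HrRecord("alice", "teller", "active"),
        HrRecord("bob", "loan-officer", "terminated", date(2019, 3, 1)),
        HrRecord("carol", "teller", "active"),
    ]
    accounts = [
        DirectoryAccount("alice", True, frozenset({"branch-staff", "teller-app"}), date(2019, 3, 14)),
        DirectoryAccount("bob", True, frozenset({"branch-staff", "loan-origination"}), date(2019, 3, 4)),
        DirectoryAccount("carol", True, frozenset({"branch-staff", "teller-app",
                                                   "loan-origination", "domain-admins"}), date(2019, 3, 15)),
        DirectoryAccount("svc-legacy", True, frozenset({"domain-admins"})),
    ]
    return reconcile(roster, accounts, today)


if __name__ == "__main__":
    for severity, user, detail in sample_findings():
        print(f"[{severity}] {user}: {detail}")
```

Run on the sample data, the report shows bob still enabled 14 days after leaving and logging in after his end date, carol holding loan-origination and domain-admins rights a teller does not need, and an orphan service account. The same check scheduled daily against the real HR feed and directory turns the post's two policies into something that is actually verified.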
Another all too common threat facing FiServs is that of phishing. Long gone are the days of poorly-written ploys coming from a “Nigerian prince” or “The Microsoft Lottery Commission”. Today’s phishing campaigns are well-researched and perfectly worded — and can be hard to distinguish from the real thing.
A phishing scam plaguing FiServs at the moment is the Business Email Compromise (BEC) scam. A typical BEC scam begins with an email that appears to come from the account of a higher-up within the target organization. This “phishy” email, ostensibly from the organization’s CEO or CFO, urgently instructs the recipient to ensure that funds are transferred to a certain account.
The unwitting employee then contacts the organization’s bank to arrange the transfer, and this is where FiServs become involved. A bank that has no checks and balances for flagging and verifying non-routine or otherwise suspicious transfer requests, such as a first payment to an unknown beneficiary or an amount out of line with the customer’s history, is far more likely to end up sending the funds straight into the attacker’s account. Verification has to go through a channel the attacker does not control, such as a callback to a phone number already on file, never a reply to the email that carried the instruction.
Preventing Phishing Scams
BEC and other phishing scams can be mitigated using a combination of training and technology. Proper employee training and phishing drills go a long way toward teaching employees the tell-tale signs of most phishing emails: language that pressures the reader into acting without thinking, suspicious-looking attachments, and requests for personal information or credentials.
However, employee training can only go so far in eradicating human error. An effective defense combines employee training with anti-phishing technologies that can block BEC and other scams before they ever reach the inbox or web browser.
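The BEC scenario above has two places where a check can be applied: the mailbox that receives the spoofed instruction, and the bank that receives the resulting transfer request. The following is an added example, not code from the original post, that puts both checks in one triage function. On the email side it looks for the tell-tale signs just described (an executive's display name on an address that is not the executive's, a lookalike sender domain, a reply-to pointing elsewhere, urgency or secrecy language); on the transfer side it flags a first payment to an unknown beneficiary and an amount above the customer's historical maximum. Any flag holds the instruction for a callback to a number on file. The executive list, the domain names, the customer history, the IBANs and the two emails are constructed; the lookalike threshold is an illustrative assumption.

```python
"""BEC triage: release a transfer instruction or hold it for callback.

Added example. EXECUTIVES, OWN_DOMAIN, HISTORY and the sample emails are
constructed data, not the post's own tooling.
"""
import difflib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Email:
    display_name: str
    from_addr: str
    reply_to: Optional[str]
    subject: str
    body: str


@dataclass(frozen=True)
class TransferRequest:
    customer: str
    beneficiary_account: str
    amount: float


# Constructed: the executives a BEC mail would impersonate, and the domain
# the organisation's own mail really comes from.
EXECUTIVES = {"jane doe": "jane.doe@acme-llc.test"}
OWN_DOMAIN = "acme-llc.test"
URGENCY = re.compile(r"\b(urgent|immediately|today|confidential|asap|right away)\b", re.I)

# Constructed payment history per customer: beneficiaries paid before and
# the largest amount ever sent.
HISTORY: Dict[str, dict] = {
    "acme-llc": {"known_beneficiaries": {"GB29NWBK60161331926819"}, "max_amount": 12_000.0},
}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def lookalike(candidate: str, legit: str, threshold: float = 0.85) -> bool:
    """Crude typosquat check: near-identical but not equal domain strings (assumed threshold)."""
    if candidate == legit:
        return False
    return difflib.SequenceMatcher(None, candidate, legit).ratio() >= threshold


def email_indicators(mail: Email) -> List[str]:
    """Tell-tale signs of a BEC mail, checked at the receiving mailbox."""
    flags = []
    name = mail.display_name.strip().lower()
    if name in EXECUTIVES and mail.from_addr.lower() != EXECUTIVES[name]:
        flags.append("display name matches an executive but the address does not")
    sender_domain = domain_of(mail.from_addr)
    if sender_domain != OWN_DOMAIN and lookalike(sender_domain, OWN_DOMAIN):
        flags.append(f"lookalike sender domain {sender_domain}")
    if mail.reply_to and domain_of(mail.reply_to) != sender_domain:
        flags.append("reply-to points at a different domain")
    if URGENCY.search(mail.subject + " " + mail.body):
        flags.append("urgency or secrecy language")
    return flags


def transfer_indicators(req: TransferRequest) -> List[str]:
    """Non-routine transfer checks a bank can apply before releasing funds."""
    hist = HISTORY.get(req.customer, {"known_beneficiaries": set(), "max_amount": 0.0})
    flags = []
    if req.beneficiary_account not in hist["known_beneficiaries"]:
        flags.append("first payment to this beneficiary")
    if req.amount > hist["max_amount"]:
        flags.append(f"amount {req.amount:.2f} exceeds the customer's historical maximum")
    return flags


def triage(req: TransferRequest, mail: Email) -> Tuple[str, List[str]]:
    """Any indicator holds the instruction for verification by callback to a
    number already on file; a reply to the email would reach the attacker."""
    flags = email_indicators(mail) + transfer_indicators(req)
    return ("hold_for_callback" if flags else "release"), flags


def sample_cases() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed routine payment beside a constructed CEO-impersonation mail."""
    routine = Email("Accounts Payable", "ap@acme-llc.test", None,
                    "Monthly supplier payment", "Please process the standing supplier payment.")
    bec = Email("Jane Doe", "jane.doe@acme-l1c.test", "jane.doe.ceo@webmail.test",
                "Urgent wire needed today",
                "I'm in a confidential meeting. Send this immediately and don't call me.")
    return {
        "routine": triage(TransferRequest("acme-llc", "GB29NWBK60161331926819", 9_800.0), routine),
        "bec": triage(TransferRequest("acme-llc", "DE89370400440532013000", 48_500.0), bec),
    }


if __name__ == "__main__":
    for label, (decision, flags) in sample_cases().items():
        print(f"{label}: {decision} {flags}")
```

The routine payment releases with no flags; the impersonation case collects six (name/address mismatch, lookalike domain, foreign reply-to, urgency wording, new beneficiary, unusual amount) and is held. The point of returning the flag list rather than a bare decision is that the person making the callback can tell the customer exactly what looked wrong.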
Yet another major threat facing FiServs today is browser-borne malware, particularly ransomware. Browser-based malware attacks businesses of all stripes, but small to medium FiServs can ill afford to have their customers’ information and money stolen by the latest elusive polymorphic malware variant.
While the traditional answer to this problem has been whitelisting “safe” websites and applications, this approach has some major drawbacks. For one thing, it reduces productivity, because employees cannot access the resources they need when they need them, which makes it far more difficult for them to do their jobs. Moreover, it is not a fail-safe security measure, as even whitelisted websites and applications can be compromised and serve malware.
Preventing Browser-based Threats
To effectively prevent browser-based threats, look to remote browser isolation (RBI) technologies. Tools such as Ericom Shield prevent threats from entering via browsers by executing all web content remotely, in isolated virtual containers. A safe content stream is sent to the browser, enabling full, natural user interaction with websites. This approach allows employees to remain productive, since they do not have to wait for access to blocked resources to be granted.
Meeting a World of Challenges
So, what can your financial services business do to mitigate the risk posed by these and other cyber threats?
First, understand that awareness is a huge part of the picture — the more your employees know about recognizing threats, the better they’ll become at steering clear of them.
Second, recognize that implementing the right technology for your specific needs is critical. Look for vendors and tools that are scalable and flexible enough to meet and understand the needs of small-medium businesses. You don't need (and can’t afford!) every tool out there – go for those that provide the widest security coverage while remaining cost effective.
Small to medium FiServs are prime pickings for attackers and there isn't much that can be done to turn their attention away from this alluring industry. But with the proper tools and awareness, you can make your FiServ a lot less susceptible to their unwanted attentions.
The first part of this two-part series covers the major cyber threats faced by small to medium FiServs and how to mitigate them.