This is the first of a two-part series focusing on the unique security challenges faced by small- to medium-sized financial institutions. In this first post, we cover the structural challenges they experience due to limited resources.
Small- to medium-sized financial services firms may not have the same clout as large institutions, but when it comes to dealing with cyber risk, they share the same concerns as their bigger, better-funded counterparts.
Composed of independent banks, insurance providers, credit unions and money lenders, among other businesses, the small- to medium-sized financial sector is a key part of an industry that saw a fivefold rise in security incidents in 2018. More than in any other sector, finance is where the money is, and smaller institutions, with less resilient infrastructure, are often viewed by attackers as an easy win.
It’s clear that smaller institutions need to strengthen their security posture, but that is no small feat. Many barriers stand in the way of bolstering cyber security in the banking sector, especially in light of funding and manpower limitations.
With a sound understanding of these obstacles and how to overcome them, you can better secure your institution against the next fiserv cyber attack. Here we look at three of the most common issues that prevent small- to medium-sized fiservs from improving their security posture, and how to address them:
Lack of Buy-in/Understanding from C-Suite/Leadership
While reports of breaches against fiservs continue to arrive almost weekly, cyber security doesn’t always top the C-suite’s list of concerns.
This may seem counterintuitive: wouldn’t the C-suite want to do everything in its power to prevent the next big breach? In truth, there are several reasons cyber security isn’t top of mind. To start with, leaders may not realize just how attractive their organization is to attackers. Because they aren’t one of the big players, they may feel certain that their firm is not worth an attacker’s time or effort. This leads to dangerous security complacency.
Another issue is that the return on investment (ROI) for security-centered projects isn’t easy to assess. The potential savings from preventing a fairly low-probability but very high-cost breach seem far less tangible than those from other, more operational investments. Failing to understand the “dollars and cents” ramifications of an attack pushes this concern further down the C-suite’s list.
Lastly, according to CSO.com’s annual report “The Current State of Cyber Crime”, many board members still see security as a technical IT problem. Simply put, they don’t recognize the overarching business risk and assume that threats have limited reach.
Getting your board “on board” with improving the organization’s security posture is a real challenge, but the dividends it yields are worth it. Speak to your board in business-impact terms they can relate to. Then consider staging a small mock attack or a tabletop exercise (with their approval, of course) to open discussion and dispel the “it could never happen to us” myth.
Limited Budgets and Resources
Small and medium-sized financial institutions often don’t have the same flexibility in cyber security spending as larger institutions. In a survey of 350 small- to medium-sized businesses by Untangle, 50 percent had annual security budgets of less than US$5,000, and of those, 50 percent had budgets of less than US$1,000. Since that amount barely covers an annual firewall subscription, it is surely not enough to protect an organization as sensitive as a financial institution.
So it’s not terribly shocking that at many smaller fiservs there is no specific person or team tasked with cyber security; it’s just another IT task to be done. Worse, their tools are nowhere near as comprehensive as those found at larger institutions. The lack of proper tools and accountability increases the odds of a breach and extends the time to detection (TTD) and time to respond (TTR).
Thankfully, there are many open source tools you can use to improve your fiserv’s security posture. Tools like Snort and OSSEC don’t cost a dime and can help you detect breaches. Purchasing a cyber insurance plan will not prevent breaches, but it can help cover the costs of falling prey to one. Finally, ‘detectionless’ solutions like Remote Browser Isolation (RBI) and Content Disarm and Reconstruct (CDR) help institutions with limited spending power prevent a host of costly incidents, such as browser-based malware attacks and phishing, while keeping operational costs to a minimum.
Dependence on Third Party Vendors
Today, financial institutions, like most other businesses, have dependencies on or integrations with third-party entities. This category includes vendors, suppliers, partners, affiliates, distributors, data handlers and more, and reflects the fluid, interconnected way businesses operate today.
But granting access to third-party entities is risky and can increase your own vulnerability, especially if that access is not tightly defined, controlled and monitored. Think about it this way: you may be doing everything you can to protect your fiserv from threats, but what about your contracted app developer? If that external firm is hacked, it gives attackers an easy way into your networks. These third-party vendors are often small and medium-sized businesses themselves, so there is a very real chance that they have less-than-adequate security measures in place, which compounds your risk.
Moreover, a shortcoming of many integration setups is that external partners can access the company’s networks without adequate monitoring and limits. This gives them access to far more resources than they need to do their jobs, leaving those resources exposed to external threats. Further, the decision of which vendor to use is often made by the C-suite with little regard for the vendor’s security practices and how those may affect your institution and its networks.
To secure your third-party integrations, you need a thorough understanding of who these businesses are and their attitude towards security. Check whether they conduct regular security assessments, who they have integrations with, how they encrypt data and whether they have a disaster recovery plan in place.
For Fiservs, There’s no Time to Waste
Whether you’re the CISO, a security analyst or the IT person at your fiserv, you clearly care about your organization’s security posture. You know a breach can happen to you, and you know that when it does, it will have very real implications. Now is the time to take corrective action and start improving your fiserv’s security standing.
Read more: Download our free white paper to learn how small and mid-sized financial service organizations like yours can steer clear of web- and email-borne attacks without breaking the bank.
Look out for the second part of our two-part series on major cyber threats faced by small to medium fiservs and how to mitigate them.