5 Steps for Financial Firms to Get Ahead of the Attackers

Long considered an information security stalwart compared to other industries, the financial services sector has new reason to be on guard against cyberattacks.

In July, Treasury Secretary Jack Lew told a conference of investment executives in New York that "far too many hedge funds, asset managers, insurance providers, financial market utilities and banks could be doing more." He explained that a successful attack on one of these entities could have grave consequences for the financial system at large.

These companies have it tough. They are in the cross-hairs of a range of attackers, from state-sponsored adversaries bent on stealing trade secrets and intellectual property, to financially motivated crooks after an easy buck, to disruption-seeking hacktivists.

There are two big reasons that financial firms - much like organizations across all industries - could be under distress. For one, malware is becoming more sophisticated, yet easier to disseminate than ever. Second, emerging technologies are creating new vulnerabilities and a widening attack surface. As this 2014 report (PDF) from the New York State Department of Financial Services explains, many banks are pushing out IT projects far before they are ready - a serious security shortfall that Trustwave also noted in our 2014 Security Pressures Report.

From the New York State study:

"While [financial] institutions are aware that the threat landscape is constantly evolving, they may find it difficult to keep up with the latest developments amid competitive pressure to integrate new technologies into their product offerings (e.g., remote deposit capture). Experts have noted that when competition surrounding new product development is fierce, security can lag behind."

So how can financial services organizations fight back? Here are five steps they can take to, in Treasury Secretary Lew's words, do more:

Value security over compliance: According to multiple surveys, compliance remains the top driver for security spending within the financial services industry. But this type of appropriation model often leads to a lowest-common-denominator effect on one's ability to detect and respond to modern-day attacks. Instead of enlisting technologies solely to help you pass an audit, consider advanced measures like web security gateways that defend against malware in real time, network access control to monitor connecting endpoints and SIEM to manage threats. These can also be delivered as managed services for companies lacking the skills, budget or resources to handle security in-house.

Test your apps: Organizations must test throughout the build lifecycle, from development through production and launch. Testing can run the gamut across cloud, web and mobile properties (nearly all banks have developed mobile apps) - and range from automated and scalable testing for large volumes of apps to in-person penetration testing of your most critical assets to a hybrid approach.

Get better at response: According to the New York State report, most financial services organizations it surveyed experienced intrusions or attempted intrusions into their IT systems. Breaches are inevitable - and the quicker a compromise victim can respond, the less damage and fallout will occur.

Share information and be open: Targeted or compromised companies must not be shy or embarrassed. Hiding an incident will do nobody any good. Disclose breaches and share threat intelligence with industry organizations, such as FS-ISAC. Transparency will enable others to stay protected because, chances are, the criminals are using similar tools and techniques against multiple entities.

Train your staff: Malware often gets invited in through an unsuspecting user. Ensure your employees - and anyone with access to the network - are trained to be on the lookout for social engineering ploys and are mindful of company policies, such as password complexity that will stand up to cracking tools.

To be fair, financial firms like banks aren't entirely at fault. In many cases, attacks start by targeting the computers of banking customers to steal their account credentials - a type of attack known as corporate account takeover. This, in turn, leads to hackers being able to siphon out money from accounts.

 

Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.
