Rising cyber threats have also affected financial firms, third-party providers, and financial institutions. Growing concern among financial authorities has compelled them to consider and act on safeguards against malicious cyber attacks, which are hard to detect before they occur. SIFMA (the Securities Industry and Financial Markets Association) has appealed to financial firms and regulators to join forces against cyber crime and to build a robust system for sharing data on cyber attacks, which would help mitigate future attacks.
Randy Snook, Executive Vice President of SIFMA, also insists on working together, which would open new doors to identifying and understanding opportunities for security improvements and the risk factors that could lead to a weak link in the financial system.
US regulatory bodies have likewise shown a sense of urgency about sufficient and suitable controls to identify and avert data breaches at financial firms.
Financial Organizations and Outlook:
Some organizations are falling short in taking precautions for data protection and their customers' web security. In a survey conducted by DTCC, 84% of financial organizations counted cyber risk among their top five concerns, even though 93% of organizations had experienced cyber attacks during April and May 2014. Some firms run outdated software and lack a process for protecting sensitive information, while others have inadequate password and firewall practices. If organizations follow the right security standards and use the right software, they stand a good chance of overcoming the weaknesses in the financial system.
Richard Clarke’s CHEW Acronym:
Many forms of cyber threats and attacks circulate around financial institutions seeking to take malicious advantage of them. US Government cyber security expert Richard Clarke has classified the whole range of cyber attacks into four types, which he summarizes with the acronym CHEW (Criminals, Hacktivists, Espionage, and War).
Criminals: Coordinated criminal groups that use malware toolkits, malicious emails, and compromised websites to launch broad attacks for financial gain.
Hacktivists: Loosely organized groups of hackers who use less sophisticated techniques in attacks targeting a specific website or entity.
Espionage: Penetration of every industry and sector worldwide to strengthen the attacker's own economy. It also covers acquiring other countries' national security secrets or economic advantages.
War: Nation-state attacks whose motivation is damage or destruction rather than theft of intellectual property, for example the Stuxnet attack on Iran's nuclear program and the disabling of Georgia's computer systems during its conflict with Russia.
Continuing Cyber Security Challenges in the Finance Sector:
Although financial institutions have taken considerable steps against emerging cyber threats, the pace of technological change and increasingly sophisticated threats remain a continuous challenge for banks and other financial services companies.
Rapidly Changing Developments:
Financial firms find it difficult to keep up with rapidly changing developments alongside competitive pressure to build new technologies into their products and services. When the push for new product development is intense, security can fall behind. Because of this rapid development, institutions also lag in taking advantage of the information sharing and analysis available to them. Many institutions have joined FS-ISAC (the Financial Services Information Sharing and Analysis Center) for global information sharing and analysis. FS-ISAC makes it easier for institutions to identify, prioritize, and manage risks to financial services while sharing information about physical and cyber threats. Many organizations remain reluctant to disclose their security weaknesses, yet sharing information about cyber threats and solutions among departments and institutions is productive. Even small businesses can make the most of limited financial resources with the help of such real-world information about threats and solutions.
Relying on Third Party Service Providers:
The industry's reliance on third-party service providers for cyber security is a growing challenge, as small and medium institutions outsource their payment processing, web applications, and banking systems to outside companies. The level of cyber security then depends entirely on those external companies. Vendors often do not allow institutions to carry out penetration testing to verify their level of security, so institutions have little information about the processes and controls of their third-party providers. If a cyber attack hits a third-party vendor in future, the whole banking and institutional system is at risk. Security and data protection requirements should be built into the relationship between third-party providers and institutions from the beginning of the contract.
Incorporating Mobile Banking:
Financial firms have moved to mobile banking to facilitate their customers' and clients' online transactions. However, mobile banking is not up to the mark in data security, as attackers are targeting the mobile model. Various threats, including web-based attacks, target mobile banking systems and take advantage of system loopholes, which creates risk for the payment service system. In response, coordination among the handset manufacturer, the mobile operating system vendor, and the network provider could produce a dependable security system that users can trust. Clear communication between the mobile banking software organization and its vendors could ensure that systems stay up to date.
Cyber Defense Recommendations:
A higher level of cyber defense is essential to mitigate cyber threats in the financial sector, including stronger mitigation services, internal network enhancements, a suitable IT infrastructure, APT (Advanced Persistent Threat) protection, and private communication networks.
Breaches that reach sensitive data, including market-making data, investor information, and trading data, can have a severe impact on firms. Financial organizations should roll out a policy and strict procedures for the protection of data. Firms should also monitor and identify the sensitive data they share with third parties and require a defined level of security against cyber threats from them. Third parties' internal data security policies should be reviewed.
According to the Ponemon 2014 report, the annual cost of dealing with cyber crime reached $20.8 million in 2014. The global cost of cyber crime has exceeded $575 billion, which is more than the US defense budget and amounts to 1% of the GDP of the G20 countries.
A strong due diligence process is essential for selecting vendors and any counterparties with which firms do business.
Apart from the above precautions, the cyber threat policy should be coordinated at all levels of the organization, with the dual objectives of cyber security and cyber resilience. A review of a cyber security framework that fits your organization, such as the NIST framework, is necessary.
Organizations should attend to several tasks related to password management, access control, intrusion prevention systems, identity management, security training and awareness, and data loss prevention.
Most targeted cyber intrusions can be prevented by following these mitigation strategies:
- Use application whitelisting to prevent malicious software and unwanted programs from running.
- Patch vulnerabilities in Java, PDF viewers, Flash, web browsers, Microsoft Office applications, and operating systems promptly.
- Limit administrative privileges on operating systems and applications based on user responsibilities.
Besides the above precautions, the NSA has also highlighted mitigation strategies to limit cyber risks, vulnerabilities, and threats. Cyber threats are an inevitable force that keeps us running behind them and compels us to think beyond traditional strategies, whether in financial, healthcare, government, or any other organization.