Systemic cyberattacks on the financial services industry have become a millisecond occurrence. As the sector becomes more interconnected, the security risks increase for many organisations in the industry.
"Senior leaders of organisations must understand that the direct monetary and legal consequences of fraud and its aftermath can be substantial, and that they must prioritise cybersecurity in their business strategy." - Sam Akbari, Chief Executive Officer at Great Minds
The constant drumbeat of cybersecurity attacks has made security one of the highest priority issues for financial services, with reported incidents of security breaches increasing by more than 700% since February last year, costing Australia $7.8 billion. Despite this, financial services organisations struggle to raise their preparedness to an acceptable level to protect themselves from sophisticated cybercriminals.
Cyber threats are also changing. While there are many technical and social methods to steal, alter or destroy data or information systems, cybersecurity is no longer just about firewalls and off-the-shelf anti-virus software. As technically sophisticated attacks become less effective, sophisticated social engineering attacks and insider attacks are becoming more prevalent.
To help you identify key security priorities and adjust your strategy accordingly, we look at several threats that, combined, can lay the groundwork for serious attacks against financial services organisations:
Data leaks and theft
Data protection is one of the most pressing security threats for financial services organisations in 2020. According to the 2018/2019 BDO and AusCERT Cyber Security Survey, confidential information theft increased by almost 79% in 2018 compared to 2017. Interestingly, the cause of a breach is often an attacker manipulating individual users into making poor decisions.
Social engineering
Social engineering is the art of manipulation, and one of the most deliberate and manipulative forms of cybersecurity attack. As organisations and technical personnel get smarter and better at protecting an organisation, it is important to remember that your security policy is only as strong as its weakest link. While software companies spend millions of dollars protecting and patching vulnerabilities in their software, and IT engineers and CIOs spend most of their time protecting infrastructure, it is important to remember that one email attachment or link can be the downfall of an entire organisation's cybersecurity defences.
Social engineering attacks:
- Phishing: Use of emails, social media, instant messages, SMS and other channels to trick victims into providing information or visiting malicious links.
- Watering hole: Injecting malicious code into the public web pages that the target user visits.
- Whaling attack: Targeting a "big fish" in an organisation, typically an executive or C-suite member, with phishing emails designed to look like a critical email from a legitimate source.
- Pretexting: Creation of a fake identity, used to manipulate the victim into forwarding sensitive company information.
- Baiting and quid pro quo: Baiting tempts the victim with something desirable, such as a free download or a found USB drive; quid pro quo involves an attacker offering a service in exchange for critical data or login credentials.
- Tailgating and piggybacking: An unauthorised person physically follows an authorised person into a restricted corporate area or system.
Example:
Australian Catholic University recently reported the theft of sensitive personal information of staff members in a cyberattack, the second significant security breach revealed in a month to have occurred at one of the country's tertiary institutions. The attack comes just weeks after a huge data breach at the Australian National University, in which 19 years' worth of staff and student personal data were stolen in a "sophisticated" cyberattack.
A few tips from Great Minds
- Limit the amount of personal information that is public. This includes your social media accounts as well as personal email accounts, and cloud storage platforms such as Google Drive, OneDrive and the like.
- Be sceptical. Always question the validity of emails and information you see, and always check the email address you are receiving emails from and the websites you are entering passwords on.
- Always verify. Colleagues and friends may ask for sensitive information; always verify the identity of the person before sending it.
- Never share your passwords. No one should ever need to know your password. Anyone who has the authority to access your company information should be able to reset your password instead of asking for it.
- Use unique passwords. Many of the recent attacks have come through third-party and mostly unrelated software. If your password for your favourite online store is the same as your internet banking and your corporate access, all of your accounts are vulnerable.
- Ensure C-suite and board support; without it, you will fail. As with all organisation-wide strategies, a cybersecurity strategy can only be successful with full involvement and support from the C-suite and board. While some senior leaders.