In the past two years, ransomware threats affecting the financial services industry have exploded as employees and customers alike move to digital-first access. While FSIs are beginning to accept that an attack is not a matter of “if, but when,” they are looking to mitigating the impact of these attacks.
Ransomware attacks are reportedly estimated to occur every 11 seconds, and the FBI is currently tracking more than 100 different strains of ransomware infiltrating organizations.
“The barrier to entry is so low, with ransomware as a service, and now even access to ransomware as a service,” said Ronald Banks, chief information security officer for Texas Capital Bank. “When the barrier to entry is so low... it is a constant firefight for us in security. It’s the same with banks across the board.”
Indeed, according to data from the U.S. Department of Treasury, U.S. financial service institutions reportedly paid out nearly $600 million in ransomware-related payments just in the first six months of 2021 — more than in all of 2020. Christine Herman, chief technology officer for Finance of America, pointed out that FSIs are “leveraging regulatory infractions [within] their pricing models” as a result of ransomware.
The ransomware threat has caused more FSIs to take a long-term view, understanding (as Banks noted) that these campaigns may go on for months or years, and FSIs must be prepared that.
“This is not a quick process,” Banks said. FSIs like his are looking to the perimeter and internet-facing applications, “looking to what our exposure is, not only for us but third parties and their vulnerabilities.”
“We’re starting by looking at the alligators closest to the boat,” Banks added. “This is a marathon, not a sprint... these will be around for weeks, if not months.”
Jacob Berry, director of field engineering for Cybereason, said many FSIs are looking to “alternative to patching” and potential opportunities to use these ransomware exploits to their own gain — or at least to render it useless.
After the SolarWinds attack, many critics said that FSIs were “bad at supply chain management, others said we’re bad at visibility,” Berry added. “But shifts are happening right now,” which he said he believes will effect FSIs’ security posture.
For Banks, there are five key areas he focuses on, which largely come back to the basic “blocking and tackling” of IT security:
- having a robust cybersecurity awareness program since “employees are the first and last line of defense and cannot be underrated;
- a hardened “shell” around the enterprise, from email to end point;
- effective and continuous patch management;
- cyber-incident response that includes the right team and utilizes existing playbooks that confirm how events should play out;
- having a robust backup plan, communicated to the board and senior executives.
“Compliance is not security,” Banks said. “Regulators are always focused on how you comply with [their] regulations... But laws are written to be somewhat vague.”