The lion’s share of financial service institutions (FSIs) are having trouble properly securing their stored data, which could be particularly troubling given the rise in ransomware attacks.
According to a report released in December by Continuity, a data storage company, nearly seven in 10 FSIs (69%) say that an attack on their backup or stored files would have a “significant” or catastrophic effect on their business. And three out of five respondents lack confidence in their ability to recover from a ransomware attack, despite their backup efforts.
Despite the increased dependence on data backups, in light of ransomware attacks that force organizations to revert to their backed-up information, Continuity’s survey of 200 FSIs across 45 countries showed that many if not most FSIs have yet to reach a “mature” level of data storage and backup.
“FSIs are easy to mistake for being data companies… everything, including the money itself, is essentially digital. Kill the data, kill the company. Kill the backup data, kill any chance of recovery,” says David Blaszkowsky, head of product and regulatory affairs for Helios Data, a data sharing firm. “Attacking the data is like attacking the web connections of a social media company like Facebook: What do you have left after the attack except empty screens?”
Keeping up with adversaries
As Blaszkowsky points out, most FSIs do have backup and storage security programs in place, “but the attackers are so much more sophisticated and motivated. ‘Ill-prepared’ is not the right phrase, but FSIs are not positioned well to accommodate surges in attacks… in ransomware.” Indeed, Continuity’s survey found that more than half (52%) of the FSI respondents were not ‘strongly confident’ about their storage and backup security, and one-quarter (25%) noted they were significantly concerned (having little or no confidence in their data storage security).
“When organizational data is compromised, the last line of defense lies in the storage and backup environments,” according to the Continuity report. “Recent years have witnessed an alarming growth in the number and sophistication of data-centered attacks – primarily ransomware. In the financial and banking industries, digital data worth may be so high that a well-orchestrated attack on both storage and backup could wipe out a significant amount of the organization’s value, potentially affecting entire economies.”
However, there are reasons to hope for a more positive future. More than two-thirds of the Continuity survey respondents said that “securing storage and backup systems has been specifically addressed in recent external audits,” despite the fact that storage (57%) and backup systems (47%) were the two lowest focus areas of organizations’ vulnerability management. Continuously changing priorities (44%), organizational silos (42%), and lack of skilled personnel (41%) were also cited as significant challenges by FSI respondents in their efforts to achieve effective storage and backup security.
“The fact that so many recent ransomware attacks have been successful, and the alarming percentage of organizations that have elected to pay to get their data back rather than rely on their own capabilities, illustrates the gravity of the hour,” said Doron Pinhas, CTO of Continuity, in a prepared release. “The results of this study highlighted the significant challenges facing the financial sector,” Pinhas said. “In terms of securing storage and backup systems, most organizations are several steps behind in the race against modern data-criminals, cyber-terrorists, or hostile nation-states.”
Nick Santora, CEO of Curricula, says that this is “one of the reasons why compliance regulations such as NYDFS Cybersecurity Regulation (23 NYCRR 500) exist. Credit unions, state-chartered banks and other services institutions now have to meet these requirements for covered entities because we all know that it’s now not an ‘if’ but ‘when’ a data breach occurs compromising an institution’s data.”
Hence, incident response planning is essential for risk mitigation, according to Santora. “Sooner or later, every organization will experience a security incident, especially since cyber-attacks from phishing and social engineering are only getting worse now that so many people are working from home. The key is knowing how to respond to that incident.”
A potentially flawed approach to backups
Some industry experts point out that there are foundational reasons why this might be happening given a potentially flawed approach to backups. Ron Gula, president of Gula Tech Adventures, a firm that invests in cybersecurity startups, and co-founder and former CEO of Tenable Network Security, says he generally agrees with the report’s findings. “When I was running Tenable, we often ran into customers that felt backup systems were too critical to scan or patch,” Gula says. “To this day, I encounter organizations who focus on zero trust and authentication but not the underlying security of their SaaS and on-premise applications.”
To that end, Gula proposes two potential changes to lessen cyberattacks on storage systems and their impact on FSIs. He points to the recent introduction of a new 'cyberstorage' category by Gartner, which “combines a variety of security mechanisms directly with the storage,” Gula says. While most organizations are forced to layer in different types of vendors and solutions to “have data that truly defends itself from insiders and ransomware,” so-called cyberstorage has it all built in at a lower cost and complexity than working with multiple solution providers.
He also suggested that FSIs should use “adversary emulation platforms” in their training exercises to determine how well their blue teams can find persistent attacks in their data storage infrastructure. “They will likely find that their existing Data Leak Protection software is focused on endpoints,” Gula adds, “and is blind to bulk storage, sensitive data in motion, and sensitive data stored on SaaS platforms like Slack and Office 365.”