Consumers and businesses, small and large alike, are increasingly aware of the well-established fact that cybercrime is on the rise. Last year, 4iQ discovered nearly 15 billion identity records that had been stolen from companies and were circulating on the deep and dark web, including 3.6 billion new and verified records. There were also over 12,000 identity breaches, more than four times as many as the previous year. While high-profile data breaches such as those at Facebook and Equifax may be stealing headlines on the basis of endangering consumer privacy, the untold story is that the businesses that employ those consumers also suffer huge expansions in their risk profiles after such events. And arguably, the industry that truly faces the most danger is the financial services industry.
It’s no secret that over 25 percent of all malware attacks target the banking and financial services sector, more than any other industry. The number of compromised credit cards increased 212 percent in 2019 compared with the prior year, while credential leaks rose 129 percent and instances of malicious apps increased 102 percent – staggering numbers for a single year. Cybercriminals target financial services companies by using trojans to steal banking information and download data, and also use ATM malware to steal credit and debit card information. Recently, in Mexico, ransomware was used to devastating effect on the country’s major financial institutions. In February, a UK-based bank became the first public victim of SMS verification code interception. Cybercriminals exploited flaws in the SS7 telecommunications protocol to intercept messages authorizing payments from accounts. And criminals can also still leverage older methods such as DDoS attacks and phishing against the least prepared companies.
The data breach that hit Equifax is estimated to cost the company over $600 million. Companies are spending more on cyber and digital protection than ever before. Estimates are that it costs companies within the financial services industry, on average, about $2,300 per employee, while some firms pay as much as $3,000 per employee. Considering the number of individuals employed by some of the larger banks, this works out to roughly $750 million for the likes of JPMorgan Chase or HSBC. These numbers have tripled within the last three to four years.
But although companies may now be paying more to secure infrastructures, protect critical business data and assure customer privacy, criminals remain highly motivated by high-value targets in the digital realm and have responded to more sophisticated protections by rapidly evolving their methods of attack.
They do the same thing in response to the measures required by regulation. There is an inherent lag time with respect to regulatory creation and implementation – it can take up to 24 months just to understand and identify weaknesses within existing regulatory guidelines, and the timeline for compliance often requires between 12 and 18 months. What’s more, companies whose security strategies are dictated by compliance are in effect providing “access blueprints” to malicious actors. Cybercriminals immediately shift tactics to target the weaknesses not covered in regulation.
The increasing digitization of financial services, via cashless payments with cards (card not present) and mobile apps, has led to greater overall digital capital flow. As more capital circulates on the digital marketplace, companies become increasingly vulnerable to malicious cyber-attacks. In addition, automation of cybercrime has become more common. Crawlers are able to continuously and automatically sift through vast amounts of data and search for vulnerabilities and exposed networks, sometimes even without user input. These technologies help malicious actors more rapidly acquire their targets, and the ease with which it is done lowers the threshold of expertise required for operation, widening the opportunities to include bad actors with less technical expertise.
Although financial services companies are alive to the risk of their own breaches and are responding by beefing up cybersecurity protection of their infrastructures, very few consider and respond to the cumulative effects of other companies’ breaches which have already happened. Yet an employee’s or partner’s personal information exfiltrated in one breach is often used subsequently to gain unauthorized access to another infrastructure, whether through password re-use or social engineering attacks.
And increasingly, criminals don’t need to be master hackers to utilize much of this data. But they are exchanging it on the Deep Dark Web, aggregating it and weaponizing it, in order to pursue enterprise-level targets. The criminals use previously stolen identity data to copy new valuable company IP, steal inside information about mergers and acquisitions, or even execute actual account takeovers. And while most leading companies execute financial and criminal background checks for their employees, too few know to do so when it comes to the hygiene of employees’ digital footprints.
Financial services companies are among the group of risk-averse organizations responding by turning toward identity intelligence capabilities. Identity intelligence comprises tools and practices that scour the Deep Dark Web for known exfiltration of identity-related data, from usernames and passwords to social security numbers and even addresses. Identity intelligence providers are helping large banks, credit card issuers and insurers understand and limit the “employee attack surface” created by prior breaches. This next layer of situational awareness enables companies to head off problems that can be caused by password re-use, that open the organization to spear-phishing or that enable even more complex social engineering attacks.
Making progress requires a more agile and strategic approach, and firms within the financial services industry have led the way toward using other forms of intelligence to prevent or mitigate such cyberattacks. Threat intelligence companies have evolved to provide, according to Gartner, the “context, mechanisms, indicators, implications, and action-oriented advice about existing or emerging” hazards companies need to make an informed decision about how to address security needs and concerns.
But that technical threat intelligence about a company’s IT infrastructure is not enough. The savviest organizations are beginning to adopt a more proactive approach, by layering in identity intelligence, or threat actor tracking. By combining open source information with privately held data, intelligence analysts, security operations, threat hunters, incident response and forensic professionals no longer just play “whack-a-mole,” but instead delve deeper into understanding precisely who is behind the attacks. This not only allows intel analysts and operators to anticipate attack styles and catch the warning signs as early as possible, but also helps financial services firms learn more actionable information to assist in their own protection. And it’s helping law enforcement put more criminals behind bars.

Monica Pal is CEO for 4iQ