In an era of hyperconnection and increasing malware and cyberattacks, cybersecurity must be a priority for companies. Companies in the banking and financial sectors are the first to be targeted and have no choice but to strengthen their security policies to effectively combat cyber threats.
Banks and financial institutions : the bad pupils?
Global automated web security testing provider Immuniweb has just published a rather alarming study for the banking industry and its customers. External web applications, APIs and mobile applications from the entire S&P Global list, which includes the world’s largest financial organizations from 22 countries, were scrupulously examined. After various non-intrusive security, privacy and compliance tests, the verdict is clear. 92% of mobile banking apps contain at least one medium-risk security vulnerability while 100% of banks have security vulnerabilities or issues related to overlooked sub-domains.
Currently, sites often use combinations of proprietary and open source frameworks and other software to improve performance, tracking or SEO. But the integration of different vendors greatly increases the risks that can affect not only banks’ sites but also their subdomains.
It was thought that the RGPD would force companies to take the security of their data more seriously. More than a year after its implementation, it is clear that compliance with the regulation is not a priority, as only 39% of the official websites of banking institutions are currently compliant. A very low score for a market so targeted by attacks of all kinds.
Although banks are poor performers when it comes to cybersecurity, there is nevertheless a willingness to improve and rethink the models. The banking sector leads the world in cybersecurity spending, and it is estimated that the budget for application security will exceed US$7 billion by 2023, which suggests profound and effective changes.
1 https://www.immuniweb.com/blog/SP-100-banks-application-security.html
What are the risks for banks?
Today, customer data is a real asset. Hackers are therefore redoubling their inventiveness to get hold of it. The main points to watch are phishing, targeted malware, ransomware and internal human vulnerabilities. Threats are becoming polymorphic and banks must be particularly vigilant, especially in the face of Advanced Persistent Threats (APTs) that are progressively attacking and infecting the institutions’ IS. More and more banks are being targeted by these malicious programs (most recently Capital One in the United States, Desjardins in Canada and Unicredit in Italy).
Check Point’s “Security Report 2018” revealed that cybercriminals are primarily using two techniques to attack financial institutions:
– They target financial transaction platforms and thus secure a substantial loot. One of these is the impressive $60 million cyber-robbery of a Taiwanese bank in 2017. This followed a series of attacks on the SWIFT financial messaging system, made possible by a clever combination of internal intelligence and malware. “Jackpotting,” the hacking of ATMs, has also been very much in vogue in recent years.
– But it is above all the theft of information that is tending to develop through the hacking of professional email accounts and the exploitation of internal or cloud-related flaws.
In Europe, 66 major IT security incidents were reported to the ECB over a 15-month period from July 2017. This shows the urgency for banking institutions to protect themselves against ever more numerous and sophisticated attacks.
How to effectively protect yourself from cyber-attacks ?
To deal with these attacks, platforms must of course be protected by developing two main lines of defence. The first is to identify the “known” part of any “unknown” attack thanks to real-time threat detection tools, capable of analyzing continuous streams of files every day. The second area of defence to be developed is machine learning and artificial intelligence, which allow us to anticipate changes in hacking techniques and thus to better defend against them. These elements have been integrated into our R&D from the very beginning of the design of Gatewatcher’s detection methods. We started with the arsenal available to attackers in order to target what it was essential to analyze and detect in network flows.
However, it is important to remember that the other essential component of a bank’s security architecture is its employees. It is therefore essential to train, raise awareness and educate users on a daily basis about the latest attack techniques and vulnerabilities. The implementation of a real security culture is essential internally.
Nevertheless, in the face of increasingly virulent attacks, there is an urgent need for international cooperation between banks. This is the view of the G7 countries, which are calling for coordinated action and information sharing between financial institutions.