Effective Cybersecurity Demands Involvement From Everyone at Your Bank


Cybersecurity is one of the most discussed risks facing financial services companies today, but many organizations are taking too narrow an approach to combating cybercrime. These organizations make the mistake of placing responsibility for defending against the risks solely on their IT professionals.

As criminals continue to develop increasingly targeted attacks, institutions must tackle cybersecurity from an enterprise-wide perspective that goes further than mere regulatory compliance. Cybersecurity can no longer be the function of a single department–executives must see that it is embedded throughout the enterprise, from the branch to the boardroom.

Common Cybersecurity Gaps
Even institutions that have invested funding, allocated resources, built perimeters, and complied with regulations can fall prey to a single point of cybersecurity failure. Some of the recent major attacks have resulted, at least in part, from one of the following fail points:

  • Poor governance
  • Weak passwords
  • Inaccurate monitoring or unattended security information and event monitoring functions
  • Inadequate system patching procedures
  • Lack of cyberintelligence (external information gathered on known attacks)
  • Insufficient training
  • Lack of incident response planning

Notably, vulnerabilities such as weak passwords and insufficient training involve more than just IT staff. Organizations that involve all departments empower their employees to think daily about how their actions protect or expose the organization, which translates into multiple points of control. Strong governance is, of course, essential to achieving such an embedded mindset.

The Need for a Tailored Approach
Many financial services organizations have responded to cyberthreats by investing heavily in costly, one-size-fits-all technology systems. They rely on traditional controls for protection, like firewalls, encryption, anti-virus software, and multifactor authentication. These components are helpful and most often necessary; however, many institutions also require more tailored controls and processes. Rather than relying on generic technology alone, organizations should adopt enterprise-wide cybersecurity programs commensurate with their particular risks and sensitive assets.

For example, it’s common for a financial service organization to provide employee training on cyber risks. But standardized, “off-the-shelf” training does not consider the varying degrees of risk across the staff population. For training to be meaningful, it must be customized to different employees’ roles and access to data.

To develop such training, as well as other appropriate controls, an organization will need to identify the assets it wishes to protect and the associated access points. Each department or business unit that maintains sensitive information must catalog the information and classify the sensitivity of each asset, taking into account the organization’s risk appetite (the acceptable level of risk exposure). The departments then should identify all methods of access to each asset, as well as the parties with such access, and quantify the resulting risk.

Only when armed with this information can a financial services organization tailor appropriate controls and properly allocate resources against the related cyberthreats. For example, most organizations do not need to treat data across the enterprise equally. Rather, they can define unique security controls for the most sensitive data. Similarly, it might be wise to institute the most comprehensive training in departments that have access to sensitive data, are customer-facing, or provide information to third parties on behalf of the organization.

Enterprise incident response is another area that calls for a more customized approach. An organization should identify the employees best positioned to notice suspicious activity and ensure they know how to respond. IT employees who monitor account and system activity should be included in this process, but key stakeholders and employees who are client- and third-party-facing also should be involved. The organization also must have an appropriate response plan ready to execute when those on the front lines raise the red flag.

Critical Steps
To adopt an enterprise-wide cybersecurity program, financial services organizations should:

  1. Identify and prioritize sensitive assets.
  2. Design and implement tailored and global controls aligned with sensitive assets and their associated risks (including dual controls for especially sensitive areas).
  3. Ensure executives and the board are aware of and aligned to the tailored program, which includes making cybersecurity part of the overall strategy of the institution.
  4. Educate employees specific to their roles and the associated risks.
  5. Manage cybersecurity at the enterprise level and on employee devices.
  6. Continuously monitor significant areas and environmental changes.
  7. Keep software and systems up to date.

Multiplying the Benefits
Financial services organizations that take a broad view of cybersecurity establish more effective and cost-efficient controls. Moreover, organizations with all of their employees on the same page are more likely to enjoy improved performance.

Five Big IT Threats Facing Banks


Every week there is a new headline regarding the latest data breach or newly discovered vulnerability in widely deployed software. Below, we’ve compiled a list of five threats we think will see increased importance in the upcoming year.

Zero Day Attacks
The past year has brought unprecedented levels of mainstream media attention to a number of zero day vulnerabilities, including Heartbleed, Shellshock, and POODLE. A zero day vulnerability is a flaw in software, hardware or firmware that is exploited as soon as, or before, it becomes generally known to the public. These vulnerabilities have taken advantage of long-standing but previously undiscovered programming bugs in widely deployed software platforms. Due to the discovery and subsequent exploitation of these vulnerabilities, cyber criminals and nation-state actors have begun to take a much closer look at these previously ignored code bases. The common theme with many of these newly discovered and highly publicized vulnerabilities is that they don’t necessarily target Windows-based systems, as many other successful attacks in the past have. Instead, they were discovered in software libraries that are present on a large number of networked devices, which are often overlooked when developing a security model.

Social Engineering
We will continue to see more sophisticated attacks on the most vulnerable part of a financial institution’s network: its employees and customers. With multiple layers of protection from IPS devices and firewalls on the perimeter of most networks, attackers rarely attempt to attack properly secured networks directly (with the exception of the previously mentioned zero day vulnerabilities). Instead, they focus their efforts on compromising one or more workstations on the bank’s internal network or the customer’s workstations. From there the path to compromising confidential information is simpler, and obtaining even standard user credentials can allow an attacker to run further attacks and escalate their privileges to those of an administrator on the network.

Continued proliferation of social media in the banking environment has greatly increased the amount of information an attacker can gather remotely on individuals within the bank. This information can then be used to craft spear phishing messages targeted at individual employees that appear to come from a co-worker within the bank but in reality contain a link to a malicious website or a malicious attachment disguised as something as innocuous as a spreadsheet. These same spear phishing attacks can be directed towards the bank’s customers, often appearing to come from the bank itself. With the increase in advanced phishing techniques, solid employee and customer training in how to spot a potentially fraudulent message, as well as the steps that can be taken to verify the authenticity of a message, will be important tools this year.

Credit/Debit Card Theft
Banks and their customers were affected by a multitude of breaches at retailers this past year. Retailers seemed to be compromised on a nearly weekly basis, including Home Depot, Jimmy John’s Gourmet Sandwiches, P.F. Chang’s, Michaels, and many more. In October 2014, Special Agent Jason Truppi of the FBI told USA Today that in the previous 12 months, over 500 million financial records had been stolen, thanks in large part to the breaches listed above.

Cyber Extortion
CryptoLocker was a fairly widespread piece of ransomware that made headlines in 2014 and impacted financial institutions and their customers. Instead of covertly infecting a system and attempting to steal confidential information as most malware does, ransomware takes the opposite approach, encrypting files and displaying a very visible message on the system demanding payment for decryption. This type of attack has proven to be successful for criminals, with the creator of CryptoLocker receiving over $3 million in ransom payments for encrypted data.

Attacks on Mobile Devices
With mobile platforms continuing to become more popular for activities such as mobile banking, it’s no surprise that attackers have started focusing more effort on developing malware that targets mobile platforms. Mobile users often don’t use the same level of caution when downloading applications and accepting pop-up prompts that they would on a personal computer, leading to an environment that is easy for an attacker to take advantage of. This, coupled with the relative lack of antivirus solutions available for mobile devices, has led to a 112 percent increase in mobile malware samples detected in the past year by McAfee.

Are You Prepared to Manage a Crisis?


More than most companies, banks rely on the trust and confidence of the public. The 81-year-old deposit insurance program has made Depression-era bank runs, where frightened depositors once lined the street waiting to withdraw their money, a relic of the past. But there’s a new risk that the deposit insurance system can’t protect against—the theft of sensitive customer information by cyber crooks—and banks of all sizes need to have a crisis management plan at the ready in case they get hacked.

Recently, I participated in Bank Director’s 2014 Bank Audit & Risk Committees Conference in Chicago, where there were several presentations on cyber security, and one message came through loud and clear: All banks are at risk, including even small and medium-sized ones. In fact, smaller institutions might be in even greater danger than much larger ones because the bad guys—and I’m talking about hackers in Eastern Europe and Russia—figure that they’re an easier mark.

Any community bank CEO or director who thinks their institution is too small to worry about cyber crime is living in an altered reality.

There were also a couple of presentations on crisis management, which goes together with cyber crime like ham and eggs. Not only is your bank at risk of getting hacked, but you need to have a crisis management plan that can be put into effect quickly in case it does. This is important! If your data systems are broken into and sensitive customer information gets into the wrong hands, your customers will feel differently about the bank unless something is done quickly and done well.

The issue here is public trust and confidence.

It’s important to know in advance what to do—and what not to do when a crisis explodes (and often that’s how crises announce themselves to the world, with a big boom) because you probably won’t have a lot of time to react.

In her presentation on crisis management, Rhonda Barnat, a managing director at the New York-based communications firm The Abernathy MacGregor Group, cautioned against the urge to over-disclose information such as how many customers were impacted by the breach, or how the breach occurred, because this factual information will end up becoming the story. Barnat also said banks should be careful how they use social media during a crisis—for example, they shouldn’t necessarily respond to a negative video on YouTube with a rebuttal video. Instead, the bank’s primary focus should be on taking care of the affected customers. In other words, the best way to rebuild trust and confidence is to fix the problem and make customers whole, not wage a public relations campaign. Do the right thing and word will get around soon enough.

Barnat says there are 10 common mistakes that companies make when managing a crisis, including getting out in front of the story, which often just leads to confusion because facts have a way of changing.

Maureen Morrissey Brown, who is the senior vice president and public relations director at Huntington Bancshares, also gave a presentation on crisis management. Brown said it’s important to have a plan in place so that if a data breach does occur the bank can hit the ground running. This plan should do the following:

  • Create a crisis management team that can quickly go to work if the bank is hacked and customer information is stolen. This team would normally include the CEO, legal counsel, the bank’s compliance officer, senior public relations officer and an outside public relations firm.
  • Take some time to identify possible scenarios – a data breach is one such scenario obviously, but others might be an acquisition gone bad, an earnings restatement if it’s a public company or old-fashioned fraud by an insider.
  • Create what Brown refers to as “holding statements,” which are statements that you will release to the public if any of those scenarios occur. These might have to be modified depending on the circumstances, but at least you’ll have something to work with.
  • Appoint a spokesman to deal with the media and give that person training on how to respond publicly in crisis situations.
  • Assign roles and responsibilities to team members so that everyone knows who does what.

Brown had this last bit of advice: Design the plan to be comprehensive but allow for unforeseen situations, update the plan frequently, always be on the lookout for developing challenges, and monitor the reactions of competitors, peers, customers and suppliers.

Brown ended her presentation with a recent comment that Warren Buffett made to CNBC about General Motors’ poor handling of the controversy involving faulty ignition switches, which have been blamed in 13 deaths.

“Get it right. Get it fast. Get it out. And get it over.”

Winning the War on Cybercrime: The Four Keys to Holistic Fraud Prevention


Cybercriminals are stepping up their attacks on financial institutions by gaining control of customer devices with sophisticated malicious software installed on a computer or mobile device to secretly read online credentials. The criminals then conduct real-time credential theft and take over accounts. Current technologies are simply not capable of identifying and preventing these attacks and are overloading bank fraud prevention operation teams with unnecessary false positive alerts. In the latest real-time account takeover scheme, cybercriminals use malware to steal user credentials at login, block users from logging into online banking, use the credentials in real time to log into victims’ accounts, and also steal any secondary authentication requests the bank receives from the user to bypass the bank’s security and gain full access to accounts.

The main reason cybercriminals continue to succeed is that they are using highly evasive advanced financial malware for a wide variety of attacks that are very difficult to detect. Cybercriminals are acutely aware of the technologies deployed by most financial institutions and simply design attacks to circumvent these controls. Bypassing them remains relatively straightforward because the controls are isolated rather than integrated with each other.

The Four Keys to Holistic Fraud Prevention

A holistic platform to prevent fraud must be built on four key elements that ensure sustainable prevention of cybercrime in light of the rapidly evolving threat environment.

Comprehensive Coverage
A comprehensive fraud prevention platform is required to protect an organization from fraud attempts across all possible access devices and all attack methods.

Real-Time Intelligence
An intelligent fraud prevention platform correlates data from multiple sources including malware infection, phishing incidents, and device identification, to conclusively detect and prevent attacks.

Adaptable Controls
A fraud prevention platform should adapt to changes in fraud attacks by rapidly deploying countermeasures without overloading your internal resources.

Transparent Protection
A transparent fraud prevention platform does not burden customers with complex authentication protocols or long delays in processing while transaction alerts are sorted out.

Financial institutions that adopt such a holistic solution acquire highly accurate fraud detection that entails negligible customer involvement. When it does involve customers, it is only because the bank has conclusively determined there was attempted fraud, malware or phishing. Additionally, the bank’s fraud prevention capabilities should meet the critical regulatory requirements delineated in the Federal Financial Institutions Examination Council Authentication Guidance Supplement.

Fighting the war on cybercrime will not get easier for financial institutions. Cybercriminals use a divide-and-conquer approach by relying on poor communication about fraudulent activity between financial institutions as well as poor communication between fraud prevention systems that exist in silos. Traditional fraud prevention technologies help reduce fraud but are easily defeated by advanced cyber fraud techniques. To date, advanced financial malware has bypassed virtually every authentication method. Malware also has bypassed risk engines that detect anomalies by learning behaviors and transaction patterns to conduct fraud within tolerable statistical limits.

To win the war on cybercrime, institutions must wage their battles on the front lines—at the customer endpoint. This is where malware and phishing initiate the chain of events that eventually leads to fraud. Breaking the first link of the chain keeps fraud from ever entering the system, where it can be overlooked by risk engine analytics or bypass authentication methods. Focusing fraud prevention efforts on the customer endpoint affords the highest likelihood of preventing cyber fraud. This protection, however, cannot be accomplished by simple customer education. The sophistication of the attacks requires that banks deploy equally advanced protection technologies, including customer endpoint malware detection.

A holistic fraud prevention platform focuses on preventing fraud at the customer endpoint. Just as important, it incorporates the four key elements that ensure maximum effectiveness with minimal disruption, today and into the future. As cybercrime threats evolve, so does the fraud prevention platform, quickly and seamlessly.