Around the world, financial services companies and their customers have been key targets of cyber-criminals, who continuously search for vulnerability points that can be exploited. For instance, a recent CU Times report indicates that 96% of financial institutions surveyed experienced physical fraud and 79% experienced cyber fraud frequently within the last 12 months, via small skimmer tools and scripts, PIN compromise, transaction reversal fraud, cash trapping, eavesdropping, card trapping, jackpotting the dispenser and money laundering. Despite having inbuilt cameras, ATMs are accessed via physical force, malicious keys, malware and more.
Datto’s recent Annual Global State of the Channel Ransomware Report surveyed 1400 MSPs across the globe and found that ransomware was the prevalent malware threat to organisations, as stated by 85% of MSPs. For instance, Ursnif malware was launched against Japanese banks earlier this year. Recently, Chile’s ATM interbank network, Redbanc, stated that 41,593 credit and debit cards from 13 banking and non-banking institutions were compromised on its network. Also, important personal information such as credit card details, social security numbers and more was maliciously obtained from Capital One’s network.
Verizon’s 2019 Data Breach Investigations Report shows that a combination of social engineering and phishing attacks is the main mode of cyber-attack used against financial services companies to steal credentials and credit details, with 72% of attacks coming from external sources, 36% from possibly malicious company staff and 2% from partners. The report recommends two-factor authentication (2FA), like JETHRO’s jPrivacy, for organizations to secure customers, employees and partners.
In another report, Positive Technologies recently carried out penetration testing of some financial institutions and found that 67% of the banks had outdated software; 58% stored sensitive data in clear text; 58% used dictionary passwords; 58% used insecure data transfer protocols; and 50% of the banks showed flaws in “remote access and control interfaces available to internet users”. Additionally, 33% of the banks tested had weak anti-DNS pinning and are susceptible to SQL injections. These findings call for consistent security review and for adequate measures to be put in place proactively, before an attack occurs.
Top strategies for ensuring enterprise security include:
- Adopt a proactive approach to security: It is important for IT teams to prepare ahead of an attack by anticipating susceptibility. The report by McKinsey indicates that organizations can use a risk-based approach to effectively reduce risk and reach their target risk appetite at less cost. This is done by segmenting and proactively focusing on potential cyber target points in the enterprise. When the enterprise is well structured, it will be easy to respond resiliently if a cyber-attack occurs.
- Develop a dynamic enterprise security policy: In today’s threat landscape, an extensive security policy must empower IT teams for optimum performance. The policy should be responsive and capture holistic requirements such as periodic security training and awareness for staff (especially on how to spot dynamic scam trends), a strategy for business continuity and disaster recovery, and an approach to updates, changes and more.
- Effectively apply and update the policy: This means having a business continuity and disaster recovery solution in place to ensure the resilience of business operations in the event of an attack; using multiple security solutions on all layers as against a single solution; and having a dedicated cyber security team in place that monitors systems and ensures business continuity. IT teams must ensure systems are up to date with the latest updates. For instance: keep ATM software up to date with the latest security patches, change the default details for both locks and master password ATM settings, ensure only compliant peripheral devices are integrated with the ATM, implement SSL and TLS security protocols, eliminate port scanning by using wireless devices on a private network, and so on. Effective policy application requires the collaborative efforts of various teams and should be done according to appropriate regulations.