Banks, fintechs and other financial services are attractive to hackers because of the sheer volume of data and funds they carry.
And innovations such as cloud services, remote work and increasingly complex third-party services have given attackers more ways than ever to get their hands on it. Legal changes and regulation may help turn the tide in the years to come, but for now the message is clear: financial services must raise their security game if they want to stay in business.
Why hackers love financial services
Cybercriminals tend to be after three things: money, data (which they can monetise) and disruption. Financial institutions have a huge target on their back because they offer all three in one tempting package:
The largest banks handle trillions of dollars daily
Financial services companies may store everything from payment details to estates, legal documents, insurance information and – as seen in the recent Medibank hack – private health information
A banking outage can affect millions of customers’ transactions; a bank’s collapse can cripple entire economies
Digital transformations have allowed businesses and people to bank from anywhere, employees to work from anywhere, and businesses to leverage nimble, scalable cloud services. But that shift has dramatically increased their attack surface, and criminals have been quick to exploit it. The networks of supply chains and third-party services have also grown more complex – the 2020 SolarWinds hack, for instance, spread malware from a single IT firm into multiple organisations, including the US Treasury.
The global threat is reaching our shores
Thanks to our increasingly interconnected world, the problem is global. Hackers stole over $100 million from Bangladesh’s central bank in 2016, while Uganda’s mobile-money networks were hit by an attack that put them out of action for several days in 2020. Russia’s invasion of Ukraine in 2022 saw Distributed Denial of Service (DDoS) attacks target the Ukrainian financial sector.
While it’s easy to handwave away these attacks as something that happened in less-developed parts of the world, newer attacks are hitting closer to home. In 2021, Kiwi banks including ANZ New Zealand were forced to take apps and websites offline after DDoS attacks. Then, in October 2022, the Medibank hack exposed the data of 9.7 million Australians and drove the company’s share price down to its lowest level in two years.
The Reserve Bank of Australia says worse is to come, suggesting that “it is inevitable that at some point… a significant financial institution will be breached,” leading to “systemic implications” including a loss of public confidence, with problems spreading from institution to institution.
Banking is already one of the biggest avenues of attack for cyber fraud, with online banking making up 12.6% of reports to the Australian Cyber Security Centre (ACSC) this year. Financial services are under threat from both opportunistic, workaday cybercrime and more sophisticated, sometimes state-linked groups. Spoofed websites and phishing-as-a-service are growing risks, and ransomware targeting the industry is soaring, with one startling study finding that attacks rose tenfold in 2021.
New government measures are raising the bar for security
Given the huge potential impact of incidents, it's no surprise to see the Australian government take a tougher stance on cybersecurity. Amendments to the Critical Infrastructure Act in 2022 now give financial services companies only 12 hours to report major incidents.
In the aftermath of the wave of breaches that hit Australian companies in October and November 2022, the government announced plans for increased funding and a specialist cyber security taskforce – and introduced legislation dramatically ramping up the penalties for organisations that do not look after their data, with fines of over $50 million for serious or repeated breaches. Those penalties may make life harder for many organisations, but they’re also an extra incentive for companies to strive for excellence in cybersecurity.
CISOs should harden attack surfaces by doing the basics well
Organisations hoping to make themselves a harder target should start by ensuring they have a strong foundation. Key measures include:
Optimising firewalls and mandating Multi-Factor Authentication
Running an efficient patch management program that prioritises high-risk updates
Auditing your data to ensure you are not keeping more customer or employee information than you have to, or retaining it any longer than necessary
Running effective Identity and Access Management, and ensuring roles only have the minimum permissions they need – Zero Trust approaches extend this practice to its natural “trust no one” conclusion
Giving effective awareness training to all staff, and implementing device and social media policies to help manage your attack surface
Assessing the security measures and compliance of third-party partners
Gauge your defences with maturity frameworks and risk assessment
Building cyber resilience is not a one-off measure. Financial services in particular are frequently in cyberattackers’ crosshairs: your security must keep moving and evolving.
While cybersecurity will look different for every organisation, formal frameworks are a useful yardstick for gauging cybersecurity maturity, such as the baseline Essential Eight or the Australian Prudential Regulation Authority’s Prudential Standard CPS 234 for the financial services sector. Government partnerships can offer collaboration, accreditation (via programs such as the Trusted Digital Identity Framework) and threat sharing, with some threat intelligence sharing now automated.
Risk-based models can be adopted alongside or instead of maturity frameworks. A thorough and ongoing assessment of real-world threats and risks can help you shore up vulnerabilities and deliver the tools and training that will bring you the largest return on investment. Having control and visibility across your network with silo-busting tools such as Secure Access Service Edge (SASE) and Extended Detection and Response (XDR) will help you identify and manage threats faster.
Threats are growing, but financial services can build cyber resilience
From ransomware to phishing, threat actors are circling, and financial services are a tempting target. With the sector also increasingly tightly regulated, businesses must work constantly to manage threats and show a duty of care to their customers and shareholders. A dynamic, multi-layered policy, informed by industry frameworks or risk-based analysis, is the best way to ensure cyber resilience, and build security that you can bank on.