Posted 3 months, 2 weeks ago
For attackers and fraudsters around the web, financial institutions have a great big ‘X’ marked on their backs. Some estimates suggest that banks and other companies in the financial sector are 300 times more likely to face cyber attacks than other businesses, with IBM suggesting that nearly 20% of the total cyber security incidents in a given year come from attacks on banks. Last year, Mastercard claimed that they were fighting off more than 460,000 intrusion attempts every day.
Not everyone’s as big a target as Mastercard, but the stats above should certainly give CIOs and CISOs at financial institutions pause. Security incidents are fairly common and growing more frequent, and ignoring those threats is simply not an option. Whether we’re talking about introducing new security measures to comply with the SWIFT network’s CSP guidelines or introducing backend encryption measures to keep data safe in transit, there should be a real sense of urgency about protecting your organization from attacks. The best time to adopt a comprehensive approach to cybersecurity is four years ago—but the second-best time is right now.
To turn the relative doom-and-gloom of the stats sketched out above into something more productive, today we’ll try to give an overview of what the most important elements of a cyber security strategy might be for banks and other institutions. In order to do so, we first need to outline the specifics of the different threats that currently face banks. Here are a few of the threats that you need to be aware of when defining a cybersecurity strategy:
In most of these cases, the biggest issue that banks need to contend with is fraudsters who aren’t who they say they are. In a phishing attempt, an attacker might pose as a colleague or a C-level executive to gain trust and access; in a message manipulation attempt, the attacker is pretending to be both parties in a legitimate transaction.
Like we said above, in the nearly four years since the Bangladesh Bank heist, SWIFT has put out recommendations for improving resilience to these kinds of attacks. What are those recommendations? Well, they revolve around application hardening, virtualization platform protection, access control, and back office security, specifically focusing on end-to-end encryption. How are banks doing on these recommendations? Based on their “Three years on from Bangladesh” report, progress is somewhat slow. Some banks are adapting, but attackers and fraudsters are adapting as well. To wit, they found that malicious actors who had previously been using the cover of night to slip fraudulent transactions in unnoticed are now trying to camouflage their requests at the busiest times of day. By the same token, attackers are routinely using new payment corridors and spending more time doing reconnaissance work.
Though the threats are serious, there are steps that banks and other financial institutions can take to mitigate and prevent the sorts of attacks we listed out above. This can begin with user trainings designed to help email users and anyone who interacts with back-office systems notice when something might not be right—including some of the tell-tale signs of phishing scams and the markers of other inappropriate behavior. Some businesses also install anti-spam and anti-virus software across various elements of their IT ecosystems to try and flag anything that might signify malicious behavior. Endpoint security and strong encryption are also big pieces of the puzzle for successful anti-fraud efforts.
In some ways, banks’ ability to create and maintain a comprehensive vision for the security of their operations—one that has the buy-in of the C-suite and admins and technical users who may be helping install and maintain these solutions—is just as important as the choice of tools themselves. Why? Because a patchwork solution, or a solution that’s deprioritized as a result of implementation and maintenance issues, is still potentially extremely vulnerable.
If, for instance, you’re looking at the possibility of encrypting all of your messages and back offices processes end-to-end, including SWIFT messages and emails, it’s crucial that you have a comprehensive plan that covers your entire IT ecosystem. Not only that, but your plan needs to cover the email users and admins who are going to have to keep all of these measures afloat. We mentioned the importance of user training above, but training can only do so much—you need to give tangible support to reduce the likelihood of human error. This means that you need to avoid, for instance, deploying a multitude of disparate solutions for encryption key management, putting admins in a position where they can’t keep track of the location or expiration date of every key or certificate. By the same token, this means putting your employees in a position where complying with corporate policies isn’t a huge burden or a source of ongoing effort.
When we talked about encryption above, it wasn’t just a randomly selected topic. On the contrary, encryption is perhaps the most important part of the security equation for modern banks and financial institutions. Why? Because it acts as a bedrock of trust and security on which your other measures can rest. When it comes to SWIFT messages, for instance, the threats that we sketch out above are effectively neutralized if the contents of the transactions are encrypted end-to-end at the endpoints. Sure, an attacker could theoretically insert herself into the middle of your messages, but even if she intercepted a messages bound for the SWIFT network she’d have no way to read or alter them without the relevant encryption keys. If the solution you’re using gives you the ability to sign encrypted messages with your keys, then you can further ensure their integrity—meaning that no fraudster would ever be able to change an account number on a SWIFT message without it being extremely obvious.
This same logic applies to email phishing scams (an attacker could conceivably spoof your CFO’s email address in order to try and get PII out of someone in the accounts payable department, but there’s no way for that same fraudster to spoof your CFO’s private encryption key or trust words). But, like we said above, this kind of technology is only as powerful as its implementation. If your encryption solution covers some parts of your back office and not others—or if it won’t play nicely with your spam filters and your anti-virus software—it won’t provide consistent protection. In fact, it may increase your risk in some areas, since employees will be tempted to use shadow IT (a huge source of successful attacks, according to Gartner) that doesn’t comply with your security standards.
At the end of the day, the fact that users and admins are prone to error is the simplest argument in favor of automation. Things like spam filters and anti-virus software are theoretically mostly invisible to users—why can’t encryption be just as seamless? In fact, it is that seamless for users on apps like WhatsApp and Signal; businesses need to start treating corporate communications via email and bank transactions via SWIFT the same way by making encryption measures virtually invisible.
With an automated key and trust management system, you can encrypt SWIFT messages end-to-end without using up expensive human resources on PKI management andmaintenance, or complex installation processes. Zero fuss. Because p≡p automatically encrypts, signs, and decrypts messages at the relevant end-points, the system is even able to ensure that the sender’s key comes from the correct system, a feature not available with X.509 certificates. The result seamless, end-to-end protection at the application layer for everything that produces SWIFT transactions—meaning that you can comply with SWIFT CSP’s security guidelines overnight.
This kind of automation effectively stops future Bangladesh Bank heists in their tracks—and it does it all without the need for extra IT staff or for complex and expensive software solutions. p≡p’s easy installation covers your entire back office without impacting the daily lives of your employees at all. It doesn’t interfere with your existing IT ecosystem at all, and it saves you the trouble of adopting a complex encryption key management platform that will eat up your time and resources. At the end of the day, that level of ease-of-use is perhaps the most important security feature of all.
p≡p Security launches p≡p for Thunderbird and p≡p for iOS, together with new versions for Outlook and Android
Sept. 7, 2020, 6 a.m.