In his 2019 annual letter to shareholders, J.P. Morgan Chase CEO Jamie Dimon wrote, “The threat of cybersecurity may very well be the biggest threat to the U.S. financial system.” At the time, J.P. Morgan Chase was spending almost $600 million to defend against cyberattacks after a 2014 breach that affected 76 million households and 7 million small businesses.
Financial institutions are primary targets of cybercriminals because, well, that’s where the money is. The Verizon 2020 Data Breach Investigations Report (DBIR) found that 86% of data breaches are motivated by financial gain — a 15% YoY increase. According to a Boston Consulting Group cybersecurity report, banking and financial services organizations are 300 times more likely to be at risk of a cyberattack than other sectors. And the attacks can come from insiders, outsiders, hacktivists, or even nation-states.
Bankers’ hours, once limited to about five hours daily, Monday through Friday, are now 24/7/365. New technologies — online banking, apps — and automation are unmatched in user convenience, but they also bring numerous new vulnerabilities to the financial services industry. In this article, we look at some of the cyber threats facing the financial services sector, the impact, and how financial services companies can mitigate cyber risk.
Financial Industry Cybersecurity Threats by the Numbers
A 2021 list of cybersecurity statistics shows that:
- 67% of financial institutions reported a YoY increase in cyberattacks.
- 26% of financial enterprises faced destructive malware attacks.
- 79% of financial CISOs reported more sophisticated attacks.
- 25% of all malware attacks are targeted at banks and other financial industries.
- 79% of financial institutions say cybercriminals are increasingly sophisticated, leveraging highly targeted social engineering attacks.
As if those numbers aren’t disturbing enough, financial institutions saw a 238% cybercrime increase due to the COVID-19 pandemic.
Good to Know: The Federal Financial Institutions Examination Council (FFIEC) created the Cybersecurity and Critical Infrastructure Working Group in 2013. This group works to identify regulatory gaps and strengthen cybersecurity readiness among FFIEC agencies.
Cybersecurity Risks Facing Financial Services
We can't pinpoint the number of tactics hackers use to attack financial services firms, but the following are causing considerable concern.
Phishing — The Verizon 2021 DBIR put the verified data breach tally at 5,258, up from 3,950 in the 2020 report. Security breaches often originate with social engineering attacks such as phishing emails that trick an email recipient into providing personal information — often login credentials or credit card information. Between 2019 and 2020, financial services and insurance organizations saw, on average, a 125% increase in quarterly exposure to mobile phishing attacks. Roughly half of phishing efforts were attempts to steal corporate employee login credentials.
Ransomware — The financial industry saw a 1,318% YoY increase in ransomware attacks in the first half of 2021. Sophos reports that ransomware attacks have grown steadily since 2017, leading to cyber insurance providers paying out more than $1.6 billion in 2020 alone. Many of these attacks originate with phishing. Once bad actors have a firm’s sensitive data, they demand payment before returning it. In August 2021, Florida-based Envision Credit Union was a victim of a LockBit 2.0 ransomware attack that put the financial data of more than 55,000 customers at risk. Just a month earlier, Silicon Valley venture capital firm Advanced Technology Ventures suffered a ransomware attack that stole personal information about the company’s private investors.
Credential Stuffing — Of the 193 billion credential stuffing attacks in 2020, 3.4 billion were directed at financial services organizations. That represented a 45% YoY increase. This brute force attack tactic uses known username and password combinations on multiple websites. Users often reuse login credentials across personal and business accounts, so if bad actors get one set, possibly through phishing, they can be used to access other sites. This means attackers can access account and transaction data that can then be used to make fraudulent transactions or purchases, apply for credit cards, or transfer funds between accounts.
Distributed Denial of Service (DDoS) — The Financial Services Information Sharing and Analysis Center (FS-ISAC), a global cyber intelligence sharing community focused on financial services, reported that a single threat actor executed DDoS attacks on more than 100 financial services firms in 2020. In a matter of weeks, the attacks spanned the globe, hitting banks, fintech companies, exchanges, credit card companies, payments processors, insurance companies, credit bureaus, asset managers, money transfer companies, and payroll services companies. The attacks threatened to disrupt sites and services using a DDoS attack if a ransom wasn’t paid.
Human Error — Thorough vetting and background checks are standard risk management procedures when financial firms hire employees. This weeds out potential bad actors, but even the best employees aren’t immune to mistakes. The growth of remote work means more employees are using home Wi-Fi to connect to company networks and resources, making the information sent back and forth more vulnerable than when employees are on-site. Outside threats are malicious, but the 2021 Remote Workforce Security Report reveals that employees who find workarounds to security measures usually don’t have bad intentions. Some bypass security to be as productive as possible. Others do so because they don’t understand how to use the security tools in place. It may not be malicious, but the reality is that human error is the cause of 23% of data breaches.
While banks are careful to hire employees who will not steal from them, a significant cybersecurity risk comes from employee errors rather than intentional wrongdoing. For example, employees may open a phishing email that installs viruses on the bank’s network. This was the most common type of cyberattack in 2016. Given the COVID-19 pandemic and the fact that many banking employees are working from home, simple employee errors and technological vulnerabilities may subject financial institutions to additional cybersecurity threats.
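The credential stuffing pattern described above (one source replaying known username and password pairs across many accounts) leaves a recognizable trace in authentication logs. The following is an added example, not part of the original article or any OpenVPN product; the event format, thresholds, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, username, login succeeded).
# IPs come from documentation ranges (RFC 5737); usernames are made up.
STUFFED = ["amy", "ben", "cal", "dana", "eli", "fay", "gus", "hal"]
SAMPLE_EVENTS = (
    # One source trying many different accounts once each; one reused password works.
    [(f"2021-08-01T10:00:{i * 5:02d}", "203.0.113.7", u, u == "dana")
     for i, u in enumerate(STUFFED)]
    # Repeated guesses against a single account: password guessing, not stuffing.
    + [(f"2021-08-01T10:05:{i * 5:02d}", "198.51.100.20", "alice", False)
       for i in range(6)]
    # A legitimate user who mistypes once and then logs in.
    + [("2021-08-01T10:07:00", "192.0.2.10", "bob", False),
       ("2021-08-01T10:07:20", "192.0.2.10", "bob", True)]
)

def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=6, max_success_ratio=0.2):
    """Flag sources that try many distinct usernames in a short window with
    few successes. Thresholds are assumed values to tune per environment."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            hits = sorted({u for _, u, ok in chunk if ok})
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_ratio:
                # Accounts that logged in from a flagged source need a forced reset.
                findings[ip] = {"distinct_users": len(users),
                                "attempts": len(chunk), "compromised": hits}
    return findings

if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(ip, info)
```

The `compromised` list is the part to act on first: those accounts authenticated successfully from a source that was cycling through other users' credentials.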
Using OpenVPN Cloud and the NIST Cybersecurity Framework for Financial Services Cybersecurity
The NIST Cybersecurity Framework outlines five straightforward steps financial services providers can take to protect their networks and their customers from cybercrime:
This diagram explains what each step involves:
OpenVPN Cloud makes it easy for retail and consumer banks, insurance companies, payment companies, and securities and investment firms to quickly deploy robust, reliable network security that mitigates phishing caused by human error, ransomware, and DDoS attacks with the potential to affect internal applications.
Phishing typically starts with an email that tricks a user into visiting what appears to be a safe website. That site is where the login credentials or other personal data (like financial information) are obtained: if the user enters their login credentials on the phishing site, they’ve compromised their username and password. OpenVPN Cloud with Cyber Shield, a built-in content filtering feature, helps curtail phishing attacks efficiently and effectively.
OpenVPN Cloud also protects against data loss and IT infrastructure damage by giving network administrators the ability to require multi-factor authentication (MFA) — a security measure that requires users to provide multiple forms of identity verification to access their account — without making secure access overly difficult for employees. This is especially useful with the growth of remote work.
Financial services organizations need the ability to evolve their IT security initiatives to stay ahead of threats. One way to do this is by building a threat intelligence baseline using reporting. The Traffic Reporting and Dashboards included with Cyber Shield deliver detailed statistics on traffic threats (malware, intrusion, DoS) and the device of origin.
OpenVPN is on a mission to enable secure connectivity between employees, devices, and networks for financial services providers of all sizes. And we don’t just make it easy to get started — we also make it free. Activate your account today to see how you can quickly and easily connect private networks, devices, and servers to build a secure, virtualized modern network that meets the demands of the modern financial services sector.