As one of the most prominent targets of cybercriminals, fintech has probably always been the most cybersecurity-conscious sector, subject to advanced regulation and backed by a solid base of security professionals. ESET Ireland takes a look at a few aspects of fintech cybersecurity.
Just before the GDPR regulation was adopted, Adrian Mullett, head of technology sector for Bank of Ireland, told Silicon Republic: “Ireland has a strong cohort of companies active in security. But what you are seeing now are massive changes in regulation compliance, and this is where fintech and security work hand in hand… We are seeing a move towards managed security providers consolidating their tech with fintech and regtech to meet compliance needs of various organisations. GDPR is merely a symptom of that as well as being a driver in and of itself.”
The EU Directive on the Security of Network and Information Systems, which Ireland has adopted, requires proportionate technical and organisational measures, such as the security of systems and facilities, incident handling, business continuity management, monitoring, auditing and testing, and compliance with international standards.
But, a few years later, the seriousness of the threat cybercrime poses to businesses offering financial services is reflected in the cost of a data breach in the financial industry. According to IBM’s Cost of a Data Breach 2020 report, the average cost of a data breach in the financial services sector was US$5.85 million, compared to an average of US$3.86 million across all sectors. The financial sector is an attractive target for bad actors, especially because of the type and amount of information it collects from its customers and partners. In the event of a successful breach, the data can be used for identity fraud or sold on dark web marketplaces, which can lead to reputational damage to the breached entity as well as possible reputational and monetary damage to the customers affected.
A key factor preventing companies from tackling cyberthreats head-on is that they allocate insufficient budgets to cybersecurity. According to a survey conducted by consulting firm Ernst and Young, 87 per cent of surveyed organisations said that they did not have a sufficient budget to achieve the levels of cybersecurity and resilience they were aiming for. The lack of resources means that companies cannot hire enough cybersecurity talent or institute the technical measures they need to be resilient when facing off against various cyberthreats. Some organisations underestimate the value of cybersecurity for their business and instead opt to invest in other areas they deem more worthwhile, such as financing expansion or developing new products. They may reason that the costs outweigh the benefits, assuming, for example, that the cost of cybersecurity measures exceeds the potential losses from a data breach.
Verizon’s 2020 Data Breach Investigations Report estimates that 63 per cent of attacks carried out against financial institutions are the work of external threat actors motivated by monetary gain. Organisations can expect cybercriminals to employ credential-stuffing attacks, social engineering attacks, fraud, DDoS attacks, and malware. The Covid-19 pandemic has increased the risk, particularly because many companies were forced to shift to remote working, a move that introduces its own set of challenges. Since the shift came suddenly, companies may not have had enough time to properly institute cybersecurity policies that address the weak points created by employees working from home.
Employees are the cornerstone of any organisation, but, as the age-old adage goes, “to err is human”. The IBM report found that human error is one of the three major root causes of data breaches, accounting for 23 per cent of breaches. To reduce the chances of any of these scenarios happening, companies should provide proper cybersecurity training to their employees. Exercises in which employees are taught how to spot phishing or social engineering attempts should be conducted routinely.
Every company should have a business continuity plan in place in case a cyberattack occurs. A proper plan should always include data backups and, if budgeting allows it, a whole backup infrastructure, which is especially critical if a ransomware attack occurs. For the backups to be effective, they must be both updated regularly and tested frequently to ensure that they can actually be restored. While financial organisations remain lucrative targets for most cybercriminals, they can still ramp up their defences enough to mitigate the possibility of falling victim to most threats. However, to build sufficiently strong defence mechanisms, companies need to take a holistic and balanced approach, investing in employee training, adequate technological solutions and business continuity plans alike.
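One way to make the "updated regularly and tested frequently" requirement concrete is to automate the three checks that matter for a backup: is it fresh, is it intact, and can it be restored? The script below is an added example, not part of the ESET article and not ESET tooling. It assumes a constructed manifest format (`manifest.json` recording each file's SHA-256 and the UTC time the backup was taken), a hypothetical policy that a backup older than 24 hours is stale, and a restore test that copies the files to a scratch directory and re-verifies the hashes. All sample files and contents are constructed inline.

```python
"""Backup freshness, integrity and restore check (added example; constructed data)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

MAX_AGE_HOURS = 24  # policy assumption: a backup older than a day is stale


def sha256_file(path):
    """Stream a file through SHA-256 so large backups never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, files, taken_at):
    """Record name, size and SHA-256 for each backup file (constructed manifest format)."""
    entries = []
    for name in files:
        path = os.path.join(backup_dir, name)
        entries.append({"name": name, "size": os.path.getsize(path), "sha256": sha256_file(path)})
    manifest_path = os.path.join(backup_dir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump({"taken_at": taken_at.isoformat(), "files": entries}, f)
    return manifest_path


def verify_backup(manifest_path, now=None):
    """Return a list of problems (stale / missing / corrupt); an empty list means the backup passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    backup_dir = os.path.dirname(manifest_path)
    with open(manifest_path) as f:
        manifest = json.load(f)
    age = now - datetime.fromisoformat(manifest["taken_at"])
    if age > timedelta(hours=MAX_AGE_HOURS):
        problems.append(f"stale: backup is {age} old (limit {MAX_AGE_HOURS}h)")
    for entry in manifest["files"]:
        path = os.path.join(backup_dir, entry["name"])
        if not os.path.exists(path):
            problems.append(f"missing: {entry['name']}")
            continue
        if sha256_file(path) != entry["sha256"]:  # silent corruption or tampering
            problems.append(f"corrupt: {entry['name']} hash mismatch")
    return problems


def restore_test(manifest_path, dest_dir):
    """Restore every file into dest_dir and re-hash it; True only if every restored file matches."""
    backup_dir = os.path.dirname(manifest_path)
    with open(manifest_path) as f:
        manifest = json.load(f)
    os.makedirs(dest_dir, exist_ok=True)
    for entry in manifest["files"]:
        shutil.copy2(os.path.join(backup_dir, entry["name"]), os.path.join(dest_dir, entry["name"]))
    return all(sha256_file(os.path.join(dest_dir, e["name"])) == e["sha256"] for e in manifest["files"])


def demo():
    """Build a constructed backup, then run a fresh check, a stale check, a restore and a corruption check."""
    root = tempfile.mkdtemp(prefix="backupcheck-")
    try:
        backup_dir = os.path.join(root, "backup")
        os.makedirs(backup_dir)
        with open(os.path.join(backup_dir, "ledger.db"), "wb") as f:
            f.write(b"constructed ledger contents\n" * 100)
        with open(os.path.join(backup_dir, "config.ini"), "w") as f:
            f.write("[app]\nmode=prod\n")
        taken = datetime.now(timezone.utc) - timedelta(hours=2)  # a 2-hour-old backup
        manifest = write_manifest(backup_dir, ["ledger.db", "config.ini"], taken)

        fresh = verify_backup(manifest)                                   # expected: []
        stale = verify_backup(manifest, now=taken + timedelta(hours=48))  # expected: one "stale" problem
        restored = restore_test(manifest, os.path.join(root, "restore"))  # expected: True
        with open(os.path.join(backup_dir, "ledger.db"), "ab") as f:
            f.write(b"bit rot")                                           # simulate silent corruption
        corrupt = verify_backup(manifest)                                 # expected: one "corrupt" problem
        return {"fresh": fresh, "stale": stale, "restored": restored, "corrupt": corrupt}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The restore test is the part most organisations skip: a backup whose hashes match but that has never been copied back to a clean location and opened is still an untested backup. In practice the restore target would be an isolated host rather than a temp directory, and a non-empty problem list from `verify_backup` should raise an alert rather than just print.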
Any combination of the aforementioned factors could spell a perfect storm for most organisations when faced with a cyberattack. On the bright side, financial services companies are taking cybersecurity concerns seriously at the highest level. Global management consulting firm McKinsey found that 95 per cent of the board committees it surveyed said they discuss cyber-risks and tech risks at least four times a year. It is worth noting, however, that building awareness in top management needs to go hand in hand with investing adequate sums in cybersecurity solutions and training personnel to the best possible standards.