Firms operating in the finance sector are attractive targets for cyber criminals for many obvious reasons.
The potential costs to reputation and revenue are arguably much higher for the myriad of financial services organisations. A ‘security incident’ involving a bank’s online services costs the organisation almost £1.4 million on average, according to a new global report by Kaspersky Lab.
The report, which looked at cyber security threats in the financial sector, shows that this cost is double the price of recovering from a malware incident, which costs approximately £645,000 on average to resolve.
>See also: Cyber crime and the banking sector
In the UK, the Financial Conduct Authority (FCA) regulates 56,000 financial services firms, from the largest banks, insurers and market infrastructure providers to the smallest advisers.
Even the smallest firm can hold large quantities of sensitive data that, if compromised, could have a knock-on effect to other areas of the finance sector, and business in general.
So how can businesses assess if organisations are following best practice when it comes to guaranteeing the protection of user’s data? Here are some areas for consideration:
Prevention through education
A recent keynote speech delivered by the FCA outlined the need for a ‘security culture’ in firms of all sizes – from the Board down to every employee. It pointed out that cyber is not just an IT issue, but covers people, processes and technology.
Good governance, identification and protection of key assets, detection, response and recovery and information sharing, with the regulator and other parties, were all seen to be key factors. Even the Bank of England has paired up with artificial intelligence and blockchain specialists in a bid to keep up to date with the fast-growing Fintech sector.
When users or staff try to access sensitive data from an infected machine, or over an insecure network connection, then security can be compromised. When somebody logs into a secure network from a machine that is infected with key-logger or other spyware, this can expose a user’s password and other sensitive data to a third party.
Training for users and staff should highlight the need to avoid using insecure machines or unencrypted networks to access corporate networks or sensitive data. Using an insecure wireless network to access sensitive data poses security risks.
It would be foolhardy for organisation’s to rely solely on end user’s common sense, they should look to educate in advance. Password administration is critical and careful consideration needs to be given before installing unreliable browser extensions, for example.
However, as we all know that is bound to fail. The end-user will always be tricked however savvy that they think they are. Education is important but it simply isn’t enough. We have to assume that the end-user will be infected at some point and think about other ways to protect organisations.
Insurance and damage control
Banks and other financial services organisations can rely on insurance to cover some business losses but the potential reputational damage is impossible to recover.
There should also be adequate disaster recovery plans in place to help mitigate some of the consequences of any such cyber attack but we should still focus on preventative measures to avoid security breaches in the first place.
This raises the question of what organisations operating in the financial sector should be responsible for when it comes to securing their end users? After all, the “man on the street” does not have the resources or the technology to protect themselves.
To prevent hackers from exploiting vulnerabilities, organisations need to know where their applications are and whether they are built using trustworthy components.
Anyone using open source components must be aware that there will be vulnerabilities. Modern web applications are built using hundreds of components that usually include many millions of lines of code that are open to vulnerability.
A strong SAST tool will allow a developer to be more effective in finding bugs and producing high-quality code.
When we consider traditional application security in the financial sector, this has always been about protecting the server and the communications channel.
Web application firewalls (WAFs) were designed to help guard against a wide range of web application threats including SQL injection, cross-site scripting, session hijacking or denial of service (DDoS) attacks.
Traditionally, code protection meant storing as much code on the server as possible. Even today, that approach certainly offers the best protection, but introduces some disadvantages such as the need to force an internet connection and certain performance issues.
Also, these days applications are becoming increasingly based on the client-side and there’s even a trend towards building single-page applications. This raises major security concerns due to the fact that client-side applications can be modified completely by anything that is able to inject malicious code into the browser
Malicious browser plugins, Man-in-the-Browser (MITB) trojans or untrustworthy 3rd party code are just some of the examples of real threats that can modify the application’s normal behaviour to exfiltrate sensitive data, inject unauthorised information or commit fraud, misleading the users and severely affecting business reputation and revenue.
These attacks can’t be mitigated with conventional server-side security solutions. They target the application and its users and cost hundreds of millions of dollars to companies in the financial sector.
Behaviour analysis is not enough to tackle this problem as it is unable to combat MITB since the user is operating the machine, using the application. Biometric technology is also easily circumvented.
>See also: The data protection breakthrough
However, nowadays organisations can spot fraud in their websites using new solutions that prevent tampering of the DOM and removal of known threats on the client-side. If something suspicious is spotted, the application backend can immediately be notified, allowing near real-time reaction from the application to the possible fraud attempt.
If those solutions are also well protected on the client-side they are very hard to get around. In fact, client-side RASP (Runtime Application Self-Protection) is able to make applications self-defensive and resilient to tampering and reverse-engineering.
There’s no doubt that the number of cyber attacks is going to grow tremendously. Our own investigations at Jscrambler revealed that it’s actually very common for e-banking, insurance, and investment websites to be modified – a particularly worrying trend for the financial sector that suffers attacks on a daily basis.
It is important to highlight that General Data Protection Regulation (GDPR) will be applied from May 2018 which means that any organisation that operates in Europe or deals with European resident data could be subject to severe penalties of up to 4% of global turnover if they fail to protect the data of EU residents. Therefore, it is vital that application security strategy in the financial sector is able to evolve sufficiently to also consider the client-side.
Sourced by Rui Ribeiro, CEO and co-founder of Jscrambler