Cyber Attacks Are the "New Normal" for Financial Services Industry
Location: McLean
Date: 2013-12-06
Five years ago, questions directed at boards of directors
and senior executives at financial services firms on the toughest
risk management issues might have resulted in responses like
“liquidity risk,” “regulatory compliance,” or “bad debt.” Few, if
any, would have mentioned cyber security. Today, the same question
generates a much different answer.
In 2014, the trends that matter to CISOs, CIOs, chief risk
officers and board members at large and small financial services
enterprises reflect their acute concerns about cyber security risk
management in today’s “new normal” of persistent threats. Today,
Booz Allen has compiled those areas of focus for its annual list of
the “Top Financial Services Cyber Security Trends for 2014.”
In recent years, executives have watched the landscape change,
seeing how DDoS attacks from the Izz ad-Din al-Qassam Cyber Fighters
had the potential to destroy data and reputations. They learned
that cyber threats attack a bank wherever it does business, not just
where it is headquartered. And they witnessed the critical benefits
of public-private information sharing.
“Our conversations with clients have significantly evolved from a
focus on threats and capabilities to creating a balanced and
holistic cyber program that responds to an institution’s critical
business risks, while considering the new realities of a complex and
interconnected operating environment,” said Bill
Stewart, senior vice president and head of Booz Allen’s
commercial finance program. “We are increasingly helping clients to
work through how best to align cyber spend with an ever increasing
potential exposure. Threat actors continue to grow in
sophistication, driving our clients to respond. Simply increasing
spend is not always the best option -- we are helping our
clients build programs that respond to their material business risks
while balancing resource expenditures.”
The Top Financial Services Cyber Security Trends for 2014:
- Banks generate and receive threat intelligence, but is it
useful? – Major financial institutions are starting to
understand that there are enormous volumes of potentially
relevant information, but actionable intelligence is more
difficult to identify. Fusing threat intelligence with other
disciplines such as incident response and fraud is a proven
method for connecting data elements to create actionable
intelligence. Although 100 percent accuracy can only be a goal,
an active defense is critical to protecting against threats that
are exponentially smarter with each attack.
- Mobile security platform weaknesses are giving rise to
new threats – The Perkele Trojan (a crimeware kit) and
other cross-platform malware have exposed large gaps in
mobile device security. These threats take advantage of
weaknesses in mobile device platforms when information is sent
to an attacker who then “owns” the device. Although Perkele has not
yet spread globally, it is expected to grow rapidly beyond the
Middle East during the 2013 December holiday season as
consumers’ online purchases increase.
- Developing countries with growing liquidity will see more
attacks on their local banks – As the saying goes, criminals
go where the money is. Countries across the Middle East, Latin
America and Asia Pacific are making great strides in modernizing
their economic infrastructures, which puts them on sophisticated
attackers’ radar. The Saudi Arabian Monetary Agency says that
fraudulent operations target Saudi and GCC banks once every 14
seconds.
- Mid-tier banks and non-banking financial institutions
beware – Attackers are shifting their attention from large banks to
regional and mid-tier institutions because of their weaker security. Unlike
their larger cousins, mid-tier and regional banks, wealth
management organizations, hedge funds, etc., often lack the
financial, technology and manpower resources to introduce widespread cyber
security protections. When grouped together, these organizations
are like a row of dominoes that, when attacked, can create a
cascade of systemic risks that could impact banks of any size.
- Thwarting insider threats requires firm-wide planning and
preparation – Whether an employee accidentally shares
passwords or falls prey to a social engineering attack, the
cyber “hygiene” challenges of today can no longer be a
responsibility solely owned by IT. Banks need to develop
multi-disciplinary teams that include IT, human resources,
internal communications, marketing and legal to communicate to
all staff the importance of being cyber risk aware and knowing
what to do when a concern arises.
- The NIST framework creates challenges for financial firms
while opening the door for liability protections from a growing
cyber security insurance industry – The NIST cyber
security framework moves financial services firms closer to a
set of voluntary guidelines that would create a de facto
“standard of care,” which would then make private sector
enterprises liable in the event of cyber breaches in which PII
or other valuable data is destroyed or taken over by attackers.
While this creates liability risk for banks, it also opens the
window for the insurance industry to offer policies that help
firms offset this liability.
- Big data demands data-level security, while offering a
broader cyber solution – Banks depend on data. As
operational data is moved to the cloud, proper fine-grained
security controls are necessary to ensure banks not only avoid
sharing sensitive data, but also defend against adversaries
moving laterally across their data sets. As part of this
transition, financial institutions have the opportunity to
upgrade security architectures and integrate improved controls.
In addition, this new architecture can allow for the deployment
of advanced analytics to deal with enormous volumes of security
data to better identify trends of malicious behavior.
“As financial institutions increasingly deploy mobile and cloud
technologies and integrate their partners, suppliers and customers,
their data perimeters are becoming much harder to define. As a
result, some are essentially redefining the concept of a network
perimeter,” said Stewart. “They do this by developing a much more
dynamic cyber security approach that includes actionable threat
intelligence, advanced adversary hunting as well as data protection
and access controls developed at a much greater degree of
granularity.”
To better protect an organization’s network, IT leaders must
collaborate with the C-suite to develop a holistic and
forward-looking program that transforms their security posture.
Booz Allen executives will be participating at the February 2014 RSA
Conference, and available to discuss the need for information
security professionals to find their business voice – that is, how
to bridge the language gap between technology, risk management, and
cyber security to prepare for the new wave of cyber attacks.
http://riskcenter.com/articles/story/view_story?story=99916134