Cyber attackers are increasingly banking on poor cybersecurity practices in financial institutions, raking in profits thanks to legacy practices and tech. Danny Bradbury investigates
Investigative journalists often follow the money in pursuit of a story. Unfortunately, cyber attackers follow it in pursuit of profit, attacking financial institutions to get it. According to Verizon’s 2022 Data Breach Incident Report (DBIR), the finance sector bore the most data breaches of all sectors, and those are just the ones we know about. You’d be forgiven for assuming we’re referring solely to big banks. But beyond those, a panoply of smaller financial organisations is under threat and often less discussed. So how do attackers target them, and what can they do about it?
Concerns over cybersecurity in the financial sector are on the rise. The Bank of England publishes a report on systemic risk to the financial system twice each year. It first saw cybersecurity concerns among financial institutions spike in the second half of 2014. In the nine years since, those worries have trended upward. Now, three-quarters of banks consider cybersecurity the most pressing risk to the stability of the UK, making it the top perceived risk.
Those concerns are well justified. In 2022, Picus Security, which sells a security validation platform, analysed data retrieved from the UK’s financial regulator, the Financial Conduct Authority, via a Freedom of Information Act (FOIA) request. It found that the FCA, which regulates over 50,000 financial services companies in the UK, received 116 reports of material cybersecurity incidents in 2021, up 52% from 76 incidents the prior year. Two-thirds of the incidents in 2021 stemmed from cyber attacks.
Small fish, big catch
While large banks are an essential component of the financial system, there are many other financial institutions that experts believe are exposed to cybersecurity risk. These include everything from insurance companies through to savings and loans (like banks, but focused on residential mortgages) and credit unions, which are typically non-profit institutions focused on local customers. Then there are the investment companies and the financial advisers who sell their products.
Some of these organisations are more vulnerable than others, warns Jason Periera, president of the Financial Planner’s Association of Canada. Many small players in the financial ecosystem lack even the basic cybersecurity hygiene measures to protect themselves or their customer data.
“Banks are centralised, but the financial advisory space is far more disparate,” Periera says. “Especially in the US, like in Canada, you have lots of solo practitioners all over the place with their own chosen technology stacks, with or without an understanding of technology and security.”
Even if these financial institutions don’t deal directly with customer funds, they are still treasure troves of useful information. “If you want to steal someone’s identity, a good financial adviser has most of the information you need [to do so],” Periera adds.
These advisers are often relatively easy targets. Whereas a large bank with a dedicated cybersecurity team might have formal policies in place to protect itself, a small financial advisory practice often won’t have those resources, Periera warns. Of course, this affects attackers’ methods, he adds. “Everybody thinks technology is the issue, but this is almost never the attack vector.” Instead, he suggests that humans are the weakest link.
The financial sector has seen cases of human compromise. In 2015, hedge fund Fortelus Capital Management lost over £742,000 after an attacker called the company’s CTO pretending to be from its bank, Coutts. The attacker persuaded the CTO to generate codes with the bank’s security card so that the bank could cancel some suspicious payments. After the CTO handed over the codes, the attacker used them to siphon the cash. Because the attacker called on a Friday afternoon, Fortelus didn’t find out about the crime until Monday—that age-old Friday trick.
Misuse of technology is another problem for under-resourced financial institutions, warns Periera. He has seen some classic mistakes in this segment of the market. Writing down passwords and not using two-factor authentication (2FA), or relying on deprecated methods such as SMS codes, are typical examples. At one financial adviser meeting, he asked how many people used a VPN when working remotely. “The answer from multiple people on that committee was ‘what the hell is a VPN?’” he recalls. That lack of understanding renders them especially vulnerable when using public Wi-Fi.
Beyond social engineering
While social engineering remains a critical threat in the finance sector, technology security is becoming more of a risk. Verizon’s DBIR shows a marked increase in system intrusions as a proportion of finance sector breaches since 2020, making it the most popular form of compromise. Servers were involved in 90% of breaches in 2021, compared to 50% in 2019. There’s more going on here than simple phishing.
Part of this increase is due to widespread technology vulnerabilities extending beyond the financial sector. For example, the Picus Security report found incident reports to the FCA spiking in March 2021. That coincided with the zero-day vulnerabilities that Microsoft patched in Exchange that month. If ‘zero-day vulnerability’ is an alien term to you, it means a previously unknown flaw in software that attackers discovered, and often began exploiting, before the software vendor was made aware of it and could issue a patch.
Everyone’s a fintech player now
However, application security is also a problem for financial institutions because of pressures specific to the industry, warns Alex Poizner, CEO of application security consulting company Parabellyx. “The interesting thing about pretty much every smaller financial services firm is that right now, they’re trying to become fintech,” he says.
The UK government’s 2021 Kalifa Review, which charted the UK fintech sector, found it booming. UK investments in fintech exceeded those of the next five European countries combined. As the fintech industry disrupts financial services worldwide, even the smallest wealth management practice or credit union must adapt and enhance their services to keep up.
The problem is that small players are often stuck using their own in-house systems, developed over years of operation. “Bigger organisations such as midsize banks outsource those kinds of things,” Poizner says. “Smaller players do stuff in-house because it was traditionally cheaper to do it in-house rather than paying somebody.”
Those in-house systems represent a sunk investment that companies are unwilling to write off. Conversely, the most modern, nimble financial players might have no infrastructure of their own at all, instead relying on cloud services for their needs, says Eric Matthews, CTO at Parabellyx.
This creates a clear delineation between the two groups, which face different kinds of risk. “The older the business is, the more legacy infrastructure it has, and the more it has significant risk around that legacy infrastructure,” Matthews says.
Modern financial services companies reliant on the cloud face the dissolution of the traditional security perimeter as their data migrates to the cloud and everyone accesses it remotely. They must also navigate the shared responsibility model that divides cybersecurity duties between them and their cloud service providers.
Catching up without messing up
UK financial companies with legacy in-house systems must integrate them with third-party fintech service providers to enhance their services. This presents new challenges, as they must adapt their systems to interact with third-party application programming interfaces (APIs). An API is a defined interface through which separate computer programmes exchange data and commands.
“Those smaller players that have been around for ages, especially credit unions, still need to figure out how to make their applications talk to 20 or 30 other financial institutions through those APIs,” says Poizner. “By opening things up on their end, they’re exposing themselves to much larger risk.”
Financial players outside the community of large banks face multiple challenges in shoring up their cybersecurity. Financial institutions, from brokers to credit unions, should examine their basic cyber hygiene to protect employees, data, and customers from attacks, including social engineering and account theft. If your financial institution is still asking customers to send sensitive documents unencrypted via email, you have a problem.
It’s time for financial institutions to understand their new security perimeter and where their data lies. Many must also go further, auditing decades of legacy code before they open their digital doors to a new generation of technology partners.