Is Our Financial Cyber-Security Adequate?

Everything is connected to the internet these days.

Even a $400 juicer. That connectivity has made it possible for us to go shopping in our pajamas at any time of day or night and to do our banking without waiting in line to interact with a human teller. Implicit in accessing any of those services is an understanding that the information we share in those transactions will remain secure. Unfortunately, that’s often not the case.

The same networks that have made such conveniences possible are also used by cyber crooks looking to rip us off from thousands of miles away. And as their methods have gotten increasingly sophisticated, it’s become much more difficult to thwart them. This is especially an issue for financial services firms, which have sensitive information for thousands or even millions of individuals in their data centers.

There have been dozens of well-publicized security breaches this year affecting millions of people.

Most have been considerably smaller than the WannaCry ransomware attack in May, which affected corporations and government agencies in 99 countries. (And sometimes the danger comes not from criminal intent but from carelessness, as in the case of the Republican consulting firm that left personal information on 198 million voters exposed on Amazon Web Services for two weeks in June.)

Like most people these days, I bank and invest online, so to get an idea of what is being done to protect both financial services firms and their clients, I recently took part in a webinar, “Cybersecurity and the New Definition of ‘Adequate’,” put on by Kurtosys and featuring Rich Bolstridge, Chief Strategist, Financial Services, at Akamai Technologies.

Akamai’s research found that the average cyberattack costs banks and financial services firms $1.5 million in lost revenue, technical support, operational disruption and lost productivity. That is before counting the reputational damage and the added burden of remaining in compliance with the rules set by various federal and state regulators.

The webinar provided a lot of technical detail, but I’m not a tech guy, so I’ll just touch on some of the highlights here. The threats include not just the familiar distributed denial-of-service (DDoS) attacks, but also credential abuse, account takeover and fraudulent money movement. The techniques that cyber crooks use are evolving rapidly, and defenses that were state-of-the-art just three years ago are probably inadequate today.

The biggest problem facing financial firms is that the size of the attacks has grown exponentially. Prior to 2016 most attacks were around 100Gbps (gigabits per second), but then they jumped to 300Gbps and almost doubled by the end of the year. Attacks at the rate of 600Gbps are becoming common, and Bolstridge says not even the world’s largest banks have systems that can handle that kind of volume.

What’s making this possible? Bots.

A few years ago defensive systems could identify IP addresses that made multiple attempts to access their systems, but now as many as 75% of these addresses are only used for one day, so such defenses become ineffective. And now with the Internet of Things, like the aforementioned juicer, bots can hijack seemingly innocuous devices and use them in attacks against major institutions.

We haven’t gotten to the point yet where the bots, like Skynet in The Terminator franchise, are taking over. Like any tool, bots are neither good nor bad on their own; it’s how they are used. They make search engines work and allow financial sites, like Mint, to aggregate all our financial accounts for easier management. But they can also be used to compromise computers as well as the various Internet of Things devices and gadgets that connect online.

Old-fashioned firewalls are no longer adequate to handle the volume or types of attacks that cyber crooks are using these days. Just as data storage has moved from hard drives to the Cloud, so must security.

Bolstridge concluded the webinar by noting that cybersecurity for financial firms is only going to get more challenging. Not just from the volume and types of attacks, but also from regulators who are demanding that financial firms protect their clients and their data. For financial services firms that means allocating more resources to maintain security controls, accompanied by ongoing upgrades and investment.

It won’t be easy and it won’t be cheap. But what else can banks and brokerage firms do? They certainly need to have a crisis plan in place for when a cyberattack occurs. If they can’t protect clients’ most sensitive information, those clients are likely to move their assets to a provider who will.