Financial service firms stand to lose big if they fall victim to an attack. It’s not just your data that’s on the line—it’s your money and your reputation, too. When it comes to putting together a cybersecurity plan to keep your business safe, there are a few things every financial services firm needs to know:
1. You will be targeted by cybercriminals, even if you’re a small business.
One of the biggest misconceptions in cybersecurity is that small businesses won’t be a target—this just isn’t the case. Cybercriminals know small and mid-size businesses don’t have the same cybersecurity resources as enterprises and use it to their advantage. If you are in business, you are a target for cybercriminals. It’s a matter of when—not if.
Financial Services firms are especially lucrative for cybercriminals because you’re dealing with personally identifiable information (PII), financial information and money. The potential payoff for cybercriminals is huge—meaning for you, the potential loss is huge.
You’ll likely be targeted in several ways. First, as part of “spray-and-pray” style attacks, where cybercriminals send out mass emails, trying to trick as many victims as possible. This style of attack is typically used to steal login credentials or to spread ransomware.
Second, you will be targeted based on specific qualities of your company in a large-scale attack. This can be as broad as targeting you based on the software you use. These will be spray and pray style attacks, but they will look like notifications for an app or software you use (like this Office 365 example). This category also includes attacks that target you, along with other companies, for being a financial services firm. The IRS has documented a trend around tax season where cybercriminals target tax professionals, pretending to be professional associations or state governments.
Third, you’ll be targeted on an individual basis. CEO impersonation attacks (sometimes called business email compromise or BEC attacks) are becoming increasingly common because they are so much harder for victims to spot. In these attacks, cybercriminals imitate high-level employees in your organization and try to trick other employees into wiring money (up to hundreds of thousands of dollars) or sending personnel files to them. Sometimes, cybercriminals will get access to a CEO real account (usually through a spray and pray attack) and send out the scam emails from there, making it even more difficult to spot these.
Without putting measures in place to stop each of these kinds of attacks, you’re leaving your business vulnerable to attack.
2. Your customers will be targeted, too—maybe by cybercriminals posing as you.
In addition to targeting you, your clients will be targeted. They’ll be targeted through the same methods as above. It’s very possible they will be targeted by cybercriminals pretending to be you, though CEO impersonation style attacks.
Wire transfer fraud scams are a form of phishing where the attacker sends the victim a message, pretending to be someone else and asking for money. These have hit the real estate industry especially hard, with hackers pretending to mortgage companies and telling victims they need to wire their down payment.
Talk to your clients early in the relationship about your cybersecurity and how they can expect to communicate with you, especially when it comes to financial transactions or any emails involving their sensitive information. Make sure they can contact you—and you can contact them—outside of email.
3. You may have already been breached and don’t know it yet.
Cybercriminals don’t always act as soon as they get access to an account. More and more often, cybercriminals will sit silently in a system after getting access and wait for the right time to act.
Take the wire fraud scam scenario above. Cybercriminals don’t need to make up a reason to ask someone to wire money (though that does happen). In many cases, especially with financial service firms, they can wait for a real scenario to present itself and insert their information and get the money before anyone notices.
It can be difficult to know if you’ve been breached if the hacker hasn’t acted yet. If you notice any suspicious activity or if you have anyone mention they aren’t receiving your emails, get your IT team to check it out. There are also some security apps that can track and flag any suspicious activity, like if someone logs into your account from a different location.
We recently watched a hacker in action to learn from their behavior in order to better protect our clients.
4. One of your most significant cybersecurity vulnerabilities is your employees.
We don’t mean your employees are intentionally giving away your information—but human nature and cybersecurity best practices don’t always align. Most people are interested in doing their jobs and don’t spend a lot of time thinking about cybersecurity.
If you have an employee who regularly deals with moving money around for clients, they probably won’t notice a phishing attack asking for money to be moved around—because that’s what they’re used to seeing. If you have an employee who regularly opens email attachments as part of their job, they’re going to open email attachments—even though that’s a common way to spread ransomware.
In a recent survey, Dell found 72% of employees will send out confidential or regulated data, given the right circumstances. We don’t mean bribery or extortion. The right circumstances include a manager asking them to do it or because it will make their job easier.
The best way to handle human nature is the limit the damage it can cause by putting preventative measures in place. You should also give your employees comprehensive cybersecurity training, so they understand the risks and warning signs, and so they know what to do in the event of an attack.
5. Implementing a security app doesn’t necessarily make you compliant with regulations.
It’s not enough to turn on encrypted email and audit logs and call it a day. It may seem like an obvious statement, but the tools you put in place to meet regulations do not, by themselves, make you compliant—they just give you the ability to be compliant.
It’s on you to make sure these tools are being used in a way that complies with any regulations you must meet. It’s not uncommon for employees to turn off or go around security measures that are annoying or make their job more difficult to do.
One example is encrypted email. Dealing with encrypted email can get annoying because in many cases, it can be a multi-step process to see the email. So, some people won’t always use it when they should. But sending PII and financial information in an unencrypted email can leave it exposed to hackers (and in many cases, violates regulations).
Make these tools as easy as possible for your employees to use—and then enforce using them. Apps like Office 365 Data Loss Prevention can scan emails for PII and other sensitive information and stop it from being sent out.
6. Cybercrime is always evolving, so your cybersecurity strategy needs to evolve with it.
It would be nice if you could set your cybersecurity policy once and not have to worry about it again. But cybercriminals are always looking for new ways to make a buck. Like with any market, new trends and fads are popping up all the time.
Unfortunately for you, this means you cannot ignore your cybersecurity. As cybercriminals change and advance their tactics, your security will need to adapt and change, too. A few years ago, multi-factor authentication wasn’t necessary for most people, but these days, it’s becoming almost non-negotiable as hackers find better ways to steal your password.
It’s unlikely you have to time to do learn and manage the tools to protect your company as well as stay on top of new developments in cybercrime in addition to managing your business. Palmetto Technology Group works with companies to manage those tools. We make sure you have the right tools for your business, that they're working as expected, and living up to their promise of keeping you safe. Please reach out to us if you have questions about managing your cybersecurity or IT infrastructure needs.
Our Ultimate Cybersecurity Guide has been updated for 2019, you can get your copy of the ebook below.