07:40 PM
Deena Coffman

Interpreting Cyber Risk Trends

Verizon says 75% of financial sector breaches in the past decade involved web application attacks, DDoS, and card skimming.

There's no scarcity of metrics on the cyber threats facing financial institutions. Software and hardware vendors and many consulting firms often publish reports from their data or experiences. Reviewing these reports can take hours, and with time as the scarcest of resources, administrators need to be able to zero in on the most relevant information.

Below is a cross section of important points from some of the most popular and widely regarded studies. We've also taken a deeper dive into each issue in an effort to highlight how these trends translate into the banking sector.

Continued mobile threats
HP's Cyber Risk Report (registration required) focuses on applications and has information on the mobile threat landscape that is particularly applicable to FIs increasing their mobile banking footprint. Among other findings, the report revealed that, "nearly 46 percent of iOS and Android applications analyzed use encryption improperly."

Unfortunately, administrators are growing weary when it comes to mobile device security. Predictions in 2013 about rampant malware threats haven't really materialized. But that doesn't mean the financial sector can get complacent. Smartphones and tablets are becoming ubiquitous and are used so casually that it is almost a perfect storm of exposure. Attackers haven't taken advantage of the weaknesses so far, but we can't be certain they won't do so in the future. Network managers must recognize the very real threat mobile device vulnerabilities pose, and they must remain vigilant when it comes to managing this point of risk.

The mega breach
Symantec's Internet Security Threat Report is known for its focus on all things web. Among the trends noted in this year's study was the impact of the "mega breach." The total number of breaches in 2013 climbed 62% from 2012, but the bigger news may have been that eight of last year's breaches exposed more than 10 million identities each.

For the financial industry, the effects of these massive events go much deeper. Day-to-day operations are impacted, from the need to monitor huge numbers of accounts for potential fraud to the issuance of millions of new payment cards. No matter where the exposure occurred (retailers suffered the majority of the mega breaches), banks are often the first place consumers turn for answers about account security. Ongoing identity theft concerns will surely occupy FIs for many months to come.

Data breach costs
The Ponemon Institute has a strong history of gathering data on financial damages, and its Cost of Data Breach Study (registration required) is a valuable tool. Of special interest to FIs will be the findings that several proactive steps -- having a robust security posture, implementing an incident response plan, and appointing a CISO -- reduced data breach costs per record by $14.14, $12.77, and $6.59, respectively. Given the mega-breach trend, these per-record-breached amounts add up quickly.

Reactive efforts to data exposures are often the focus for banks and credit unions. Customers are issued new payment cards -- sometimes out of an abundance of caution, rather than in response to confirmed fraud -- and account monitoring typically happens after the fact. But the Ponemon study shows the tangible monetary value behind specific preventive measures.

Watering holes
A combination of findings highlights a particularly dangerous trend. HP's report includes a ZDI analysis that finds Java is susceptible to nearly every common software vulnerability. Symantec's report showed an increased use of "watering hole" attacks, which leverage weaknesses in less secure sites ultimately to go after more lucrative and highly secure organizations.

These industry-spanning dangers are especially concerning for banks. Malware, security gaps, watering holes, and Heartbleed-type vulnerabilities allow hackers to find entry points and use those compromised connections to sneak past the often robust protections guarding financial networks. Segmenting and encrypting sensitive data against these attacks should be a priority for banks, since security weaknesses across the web will be an ongoing concern.

Overall trends
Verizon's Data Breach Investigations Report is full of analysis, so much so that network administrators may not have the time to digest the entire report. But just a few points in the study can offer FIs enough information to focus on the areas where they’re most vulnerable.

According to Verizon, 75% of breach incidents in the FI sector over the past decade involved "web application attacks, distributed denial of service (DDoS) and card skimming." To make the best use of available resources, banks should prioritize security efforts in those areas.

Fortunately, measures don’t have to be elaborate or expensive to be effective. In its 2013 study, Verizon found that 78% of attacks rated "low" or "very low" in difficulty. (The company did not update that figure in this year's report. The trend has held true for several years, and we have no indication this year would be any different.) This means FIs implementing fundamental, relatively low-cost but relevant security measures will be ahead of the game in protecting their networks from thieves.

Deena Coffman is chief executive officer of IDT911 Consulting and has broad experience providing guidance to clients adopting technology or building programs relating to data privacy, data security, and electronic discovery. Prior to joining IDT, she was the chief operating ...

User Rank: Author
7/9/2014 | 9:45:00 AM
Re: Security a Boardroom Issue
I know that by law bank boards must review disaster recovery plans & testing once or twice a year. Does anyone know if there are similar requirements around cybersecurity, customer privacy and other data security-related concerns?
User Rank: Author
7/9/2014 | 9:18:34 AM
Re: Security a Boardroom Issue
Indeed, many say the CISO now is a role that must have regular, direct contact with the board, as opposed to being off in its own little part of the business somewhere.
User Rank: Author
7/8/2014 | 9:00:49 PM
Security a Boardroom Issue
Thanks for this overview, Deena. It doesn't seem that there's much good news in these trends -- clearly dealing with security is becoming ever-more complicated, challenging and expensive. These reports also illustrate how critical it is for security to be addressed at the board level. A number of the recommendations, including appointment of a CISO, are not something that a bank's security professionals could implement on their own. It takes focus and commitment at the highest level to approve these investments, elevate the CISO role, and drive changes in employee behavior that can improve security.