Expert Forum: Cyber Security Risks Facing FII and Mitigation Strategies
August 22, 2022
By Adolph Barclift, Chief Information Security Officer at Five Star Bank
According to IBM’s Cost of a Data Breach 2021 report, the average cost of a major cybersecurity incident to a business or organization is more than $4 million.
That’s a staggering number, but it puts the importance of information security for businesses and organizations under the spotlight—and attached to blaring sirens and alarms—that this problem deserves. In my more than 20 years as a cybersecurity professional, I’ve seen the banking industry become a prime target for external threats such as credential stuffing, phishing, and ransomware attacks. Digital banking and banking as a service (BaaS) initiatives have greatly increased the attack surface of foreign investing funds (or FII), which are now facing threats that are often interconnected—and will persist for the foreseeable future.
But as a whole, properly managing information security is about making connections between various events to see the relationships. To do this, you need to understand the threats, how they can become interconnected, and how this interconnection could wreak havoc on your business or organization.
Here is an exploration of the main threats commonly encountered, and why defending against each should be made a priority for your operations.
Devised as detrimental software to block access to a computer system and elicit a financial ransom from those affected, ransomware continues to act as an effective tool for informational security disruption. These malware maneuvers doubled from 2020 to 2021, and for banks specifically, attacks on partners pose nearly the same risk (from a data export perspective) as an in-person attack on the bank itself.
Over the years, ransomware has gained popularity among perpetrators because of its ease of purchase and use, its low cost, and its ability to generate the desired payout. According to a recent data breach investigation report from Verizon, these attacks represent 64% of all malware incidents reported. Virtually anyone can initiate a ransomware attack that could pay for itself in a single attempt if they can obtain valid access to a victim’s operating system—which is typically done via the next threat.
Phishing attacks—typically through SMS or email—are generated to gain an entry point into the organization and to compromise the credentials of both the target and those with whom the target interacts, and they are the root of all evil as it relates to cybersecurity risks. The reason is simple: it’s far easier to exploit a person and capture data than it is to exploit a hardened operating system on a physical device. This is often done by impersonating a senior official within an organization (such as the CEO or CAO), a trusted vendor, or a customer.
A recent report in the New York Times revealed more than 11 billion scam texts were sent in March 2022 alone, and these messages are simple to produce and cheap to deliver at a scale that makes them extremely effective. And unfortunately, attacks are becoming easier and more effective, thanks to the growth of AI-as-a-Service (AIaaS). This makes the need for vigilant defense and awareness more vital than ever.
From effective phishing expeditions come employees with compromised credentials, which present yet another imperative cybersecurity risk.
As detailed above, compromised credentials are the launch point for cyber-attacks. They are the basis by which most malicious activities occur, including scanning of file shares, new account creation, payroll, and access to other systems. Customers or members whose personal and payment information is accessed pose a dual threat to the businesses and organizations infiltrated by phishing perpetrators, compromising the individuals and the company.
In all cases, the objective is to move up the information value chain to access higher-value assets. But with more than 290 million victims of these attacks in 2021 alone, it’s a problem that threatens everyone, regardless of position or affluence.
Shortage of Cybersecurity Skills
Cybersecurity roles in any organization require a unique combination of skills, including knowledge of computer architectures, understanding of computer operating systems and their administration, and an expert familiarity with networking, email, and messaging formats.
These skills are critical in banks, specifically—but unfortunately, individuals who boast these skills are currently at a premium. According to a recent report by cybersecurity firm Trellix, nearly a third of the cybersecurity workforce is planning to leave the industry in the near future, creating a dearth of needed professionals as the threat of attacks becomes more sophisticated and grows at a frightening rate. That same report detailed that 85% of polled organizations claimed a workforce shortage is impacting their ability to secure their IT systems and networks.
Globally, there are 3.5 million unfilled cybersecurity jobs, with about half a million unfilled in the U.S. This problem can’t be alleviated overnight, but training and recruitment for these positions need to be addressed as urgently as any cybersecurity threat.
About the Author
Adolph Barclift joined Five Star Bank as its Chief Information Security Officer (CISO) in 2020, and now serves as subject matter expert responsible for the development and delivery of a comprehensive information and cybersecurity program protecting the bank’s assets, employees, and customers.