The U.S. financial services industry is the largest in the world, worth approximately $1.4 trillion as of 2016, according to the U.S. Department of Commerce.
And although this sector represents only 7.3 percent of U.S. GDP, it has the dubious distinction of being the object of 24 percent of all data breaches―the largest of any industrial sector, according to Verizon’s 2017 Data Breach Investigations Report. The report also noted that 73 percent of all breaches were financially motivated.
So what gives? Why the cybersecurity imbalance when it comes to this particular sector?
The simple answer is that if you are a skilled hacker, the financial sector can “show you the money,” to paraphrase the well-known line from the film “Jerry Maguire.”
In 2018, the financial services industry can expect bad actors to attack with increased ferocity and sophistication, especially as the global economy surges post-recession and the use of ransomware and other forms of digital extortion becomes more prevalent.
Here are some things the financial sector will want to keep an eye on as the cybersecurity landscape evolves during 2018.
1. Insider threats
Although external attacks on financial service organizations are by far the most prevalent, insider attacks are alarmingly on the rise.
A Forrester Research survey indicated that in 2017, 54 percent of respondents experienced internal attacks, and 41 percent experienced attacks involving third-party vendors and suppliers. Making matters worse is that cybercriminals who steal employee credentials will often gain access to critical financial data while lying low until they are caught.
The most common types of insider threats financial service organizations face include:
- Stealing or sharing restricted information, such as passwords, for personal gain
- Theft of trade secrets, customer databases, future product rollouts, or financial performance data
- Disgruntled employees who sabotage company data, damage systems, or disrupt network operations
Adding to the problem, the majority of respondents in one survey of U.S. and UK employees indicated that they didn’t see sharing login credentials as a security risk.
2. Social engineering
Hackers use social engineering―a wide array of cyber techniques―to trick employees into revealing important confidential information and downloading malware using vectors like phishing, email, texting, and social media.
Instead of trying to exploit vulnerabilities in operating systems and software, bad actors target employee behavior patterns and curiosity.
The problem is only getting worse.
Recent reports indicate that the number of bogus accounts on social networks grew by 300 percent in the first quarter of 2017 alone. In March 2017, Time magazine reported that up to 10,000 U.S. Department of Defense employees were targeted via a Twitter phishing campaign.
Financial organizations that make use of social engineering testing and employee awareness training will undoubtedly be in a better position to guard against these exceedingly imaginative attacks.
3. GDPR
On May 25, the European Union General Data Protection Regulation (GDPR) becomes law. The regulation is designed to limit the exposure of EU citizens to data breaches and establish a standard best-practice formula for individual data privacy as well as regulate how personal data is collected and stored.
So how does this affect U.S. financial institutions?
GDPR mandates that any organization that offers goods or services to, or monitors the behavior of, EU citizens―using tracking cookies, etc.―must be in compliance even if they are located outside of Europe.
It also applies to companies that process or retain personal data of EU citizens regardless of the company’s location. Many organizations will be affected, given the global reach of the U.S. financial services industry.
The regulation has teeth to it as well. Organizations that are found to be non-compliant can be fined up to €20 million or 4 percent of their annual global turnover, whichever is larger.
4. Internet of Things
While the advent of the Internet of Things has generally made life more convenient for individuals, it has also introduced more attack points and compliance issues for financial service organizations, due in large part to cloud storage policies and the increased use of mobile devices for banking and credit card transactions.
The research and advisory firm Gartner assessed that 8.4 billion connected devices were in use globally as of 2017―up 31 percent from 2016 and greater in number than the world’s population.
While that may be a good thing for financial services organizations striving to offer better customer service, it’s also an Achilles’ heel, because bad actors are increasingly targeting the inherent vulnerabilities of mobile devices.
Hackers are introducing more spyware like Pegasus, which masquerades as a downloadable app and opens back doors to harvest data without the user knowing it.
5. AI Adoption
Most of us associate artificial intelligence (AI) with androids or malcontented computers depicted in science fiction movies, but the rapid increase in costly cyberattacks has prompted the financial services industry to take an earnest look at using AI as a cybersecurity weapon against hackers.
AI and machine learning are essentially software capable of detecting threats and predicting outcomes based on past events. The expectation is that the damage from cyberattacks will be mitigated faster or prevented altogether.
Tighter compliance requirements are mandating that companies respond faster to cyber breaches, and AI is being used increasingly to stop hackers before they compromise network security.
In fact, seven of the largest banks in the U.S. have devoted substantial financial resources toward cutting-edge AI initiatives. JP Morgan Chase, for example, recently invested $3 billion in new technology initiatives, including $600 million for emerging FinTech solutions.
As cyberattacks become more frequent and costly, and as compliance regulations become tighter, expect the financial services industry to invest heavily in new technologies designed to thwart the efforts of bad actors and provide better service and user experiences for their customers in 2018.