Are Cybercriminals Winning? The Tale of Cyber Attacks Against the Financial Sector
Malware authors and cybercriminals of today are after profit at the expense of legitimate businesses and individuals. A cyber attack is very different from a physical theft, as the damage is long-lasting. In a physical theft, the loss is usually confined to the moment of the incident, while with a cyber attack the loss occurs both on the day of the incident and for days or months afterwards. This is because news of a company being hacked or infected with a virus has a huge negative effect on its reputation and erodes customers' trust.
The financial services sector has been hit by major cyber attacks recently, with an average of $18 million in damages per affected company; this is much higher than the average of $12 million per incident for other sectors. But all of these are dwarfed by the sheer frequency of attacks against the U.S. Postal Service system, where 4 billion instances of attacks were recorded in 2016 alone.
The total spending a company faces after a cyber attack varies depending on the situation. With the introduction of GDPR for EU member states, the post-attack cost rises further still. Before GDPR came into force, the usual spending after a cyber attack consisted of litigation fees, regulatory fines, security infrastructure spending, positive PR campaigns, and identity theft protection and credit monitoring services for the victims.
If a company mishandles its damage control procedures once the hack becomes public knowledge, it can spell financial trouble for the firm. There is still hope that a positive change will reach a critical mass soon: according to a survey covering 400 global bank executives, 71% of them are concentrating on higher spending on cyber defense.
However, cyber defense is not a one-size-fits-all campaign, as the cybercriminals are also innovating on their end. They employ and develop new ways to extract money from their victims, from ransomware to banking trojans and the latest addition to their arsenal, cryptojacking malware. Traditional ways of extracting information from unsuspecting users, phishing and social engineering, remain at their disposal.
Aside from directly damaging attacks like virus infections, DDoS (Distributed Denial of Service) attacks are also one of their longtime reliable weapons. A financial institution can benefit heavily from the services of white hat hackers. Penetration testing is no longer a luxury service that a company valuing its security and privacy can afford to ignore. A change of perspective is required: pen testing by a third party is never cheap, but it is orders of magnitude cheaper than trying to recover from a major hack, security breach or virus infection.
The financial industry, which has the money to run its business, should also have enough funds for penetration testing. A penetration test is a friendly but deliberate audit of the company's entire computing and network system, employing the knowledge and experience of white hat hackers. They will literally try to break into the company's computer and networking systems, with only management and a few key members of the IT team knowing about it before the test attacks begin. This helps determine how employees react in an emergency, how they handle phishing calls, emails and messages from outsiders, and the general posture of the company, inside and out, during a simulated disastrous computing event.