With every reported data breach or cyberattack, the cyber risk landscape gets a little more complex. Cyber criminals create new attack vectors, cybersecurity professionals develop new controls to protect their systems, the criminals get to work circumventing the controls, and so on.The result of this back and forth is that cyber risk professionals have a huge variety of risk factors to worry about. In response, risk managers and security specialists need to develop extremely complex cybersecurity programs to make sure all of their bases are covered.
With so many cybersecurity risks to consider, it’s inevitable that some will receive less attention than they deserve. Unfortunately, these overlooked risk factors could play a role in your next cyberattack, and if your financial services firm isn’t prepared, that could be extremely costly.
Here are a few historically overlooked risk factors that deserve some additional attention:
Financial services firms handle an incredible amount of sensitive information. Almost every day-to-day operation at most finance-industry organizations involves some amount of personally identifying information or payment information. At any moment, there could be millions of credit card numbers, social security numbers, account credentials, and more zipping around an organization’s systems.
Ensuring the security of this critical data requires more than protecting one’s own network. Comprehensive cyber risk mitigation also involves assessing the security programs of any vendors that might come into contact with this sensitive information.
For financial services firms, two categories of vendors are particularly important: point-of-sale providers and payment processors. Because sensitive information is at the heart of these vendors’ operations, their systems are favorite targets of hackers, and therefore their cybersecurity programs have to be extremely robust.
Every third party that touches sensitive data should be assessed carefully, but if resources are limited, POS and payment processing vendors should be at the top of the list.
Using BitSight Security Ratings for vendor risk management can help ease the burden on risk professionals and give them more time to focus on critical third parties. BitSight offers continuous monitoring of all vendors based on externally observable factors, so security teams can maintain ongoing awareness of the risks they’re exposed to by payment processors and POS vendors.
Mobile Application Security
An increasing number of people are accessing their banks, investments, and other financial services firms through online portals and mobile apps.
Financial services firms have poured a lot of resources into developing user-friendly mobile applications that enable customers to use their services on the go. Unfortunately, many of these applications have security vulnerabilities that could potentially be exploited by hackers.
A recent research effort analyzed the security of web apps from various industries. Shockingly, they found vulnerabilities in 100% of the financial institutions they tested.
Thankfully, financial services firms don’t need to wait until a data breach occurs to identify cybersecurity risks in their web apps and mobile applications. BitSight maintains security information on most iPhone and Android applications, so users can quickly see whether their application — or the apps of services they use — are up-to-date with best practices concerning encryption, TLS/SSL certificates, access management, and more.
One cybersecurity risk factor that is definitely not overlooked is the distributed denial-of-service (DDoS) attack. In DDoS attacks, a range of devices (typically infected with botnets) flood systems in order to take them offline. These can be acts of aggression or sabotage, or the attackers might use them as blackmail or as a distraction while a simultaneous cyberattack occurs.
DDoS attacks have been plaguing the financial services industry for years, and many risk professionals have come to accept them as an (unfortunate) reality of the job. However, while these attacks might be nearly impossible to stop, there are services out there that can enable financial institutions to minimize their effects and reduce downtime.
The answer lies in the cloud. Companies like Cloudflare and Akamai “prevent” DDoS attacks by simply scaling up capacity to handle even the largest DDoS attempts.
One of the key advantages of cloud computing has always been the ability to scale up and down as business needs fluctuate. DDoS protection is an acute example of this, and one that can help financial institutions avoid the negative consequences of the next attack.
It might feel impossible to contend with every threat in today’s cyber risk landscape. However, services like BitSight can help security leaders take on more threats without requiring tons of additional resources.