Remember the days in banking where the bad guys were the ones who walked into the bank wearing a mask, holding a gun and demanding all your money? While the occasional criminal may still attempt to pull an “old school” stunt like that, today’s enemies hide more than just their faces – they remain completely invisible and are more dangerous than ever. They’re the enemies who make you lie awake at night, wondering if your bank is safe, cringing to think what might happen if it isn’t.
As marvelously technologically advanced as we in the banking industry have become, all our technology creates a vast screen behind which the unseen enemy plots, schemes and launches attack after attack. The days of lining up face to face across a field and fighting our enemies are long past. We are now at war with a variety of faceless enemies whose motives are numerous: the pure thrill of hacking a system, profit, greed, espionage, political or ideological motives, vanity, extortion, sabotage, revenge and good ole trolls. No matter the reason, they have time, resources and dogged determination to do you, your bank, your employees and your customers harm.
In light of this new methodology of warfare, perhaps it’s wise to hearken back to the oldest of strategies. Know your enemy.
The Enemy. The face of the enemy is as diverse as their motives. Young and old, foreign and domestic, they may not fit an easily quantifiable profile. In fact, of all criminals, they are the most challenging to profile.
The Battlefield. The battlefield is essentially the internet and the lines of connectivity that link us to our money, our passwords, our personal information and our data. The nature of the battlefield means there are hidden passageways everywhere that we haven’t even thought of: tunnels, back-channels, fox-holes, trapdoors and fake walls that confound us at every turn.
The Prize. What’s at stake? Although some bad guys set out to wreak havoc, for many it’s simple greed. They’re out to steal or collect any information that will result in financial gain for them: names, addresses, social security numbers, credit/debit card information, user IDs and passwords, confidential corporate information… Stolen data may be held for ransom, sold on the dark net, or used to make purchases. Hackers often try to crack email passwords, then test those log-in details on other popular sites, since many people use the same credentials for multiple accounts.
Next, understand your enemies’ strategies and tactics. While the following list is far from complete, since criminal creativity expands the list on a daily basis, it provides a basic framework for expectations on potential attack mechanisms.
- Spoofing – Sending an email disguised to look like it’s coming from someplace other than its actual origin. The IP address may be changed, the email address may mimic a known domain, and the email formatting may imitate the design of a well-known company or site.
- Phishing – A social engineering hack in which the bad guy attempts to trick a target into providing access to the target’s system. Example: a spoofed email message appearing to come from a legitimate IP address belonging to a bank or major Internet site. The email requests the target enter their login and password or financial information.
- Spear phishing – Same as above, but with information targeting a specific individual or organization.
- Mobile banking Trojans – An app that looks like your trusted banking app, but that’s actually just an overlay. Underneath, a mobile banking Trojan tricks you into entering financial credentials and personal information. It can also gain administrative rights to intercept SMS messages, making it possible to record two-factor authentication codes as well.
- Malware – Short for “malicious software,” malware is any program or file embedded into a system to run an unauthorized process for the purpose of capturing information, sabotaging the system, holding it for ransom, or other negative outcomes.
- Ransomware – Malware that takes hold of your system and encrypts it, sometimes attacking individual files. Attempting to access the encrypted files triggers the ransom note, which claims you are locked out until you make a payment. The messages sometimes pretend to be from an official government agency accusing you of committing a cybercrime, which scares many into paying the ransom (which is often demanded in Bitcoin).
- Spyware – Malware used by hackers to spy on you, so they can access personal information, bank account details, online activity, and anything else they may deem valuable. On mobile devices, spyware can log your whereabouts, read your text messages, redirect calls, and much more.
- Bot – Also known as a zombie, an Internet-connected computer that’s been compromised by malicious code in order to use the computer for something other than what was intended. Bots work together in botnets.
- Botnet – A network of devices infected by hackers and used together to perform tasks such as DDoS attacks, mining Bitcoin, and spreading spam emails. Almost any device connected to the internet, including home routers, can be infected and pulled into a botnet without its owner ever noticing.
- Distributed denial-of-service (DDoS) attack – This is the easiest, most common type of black hat hacking attack (black hat meaning hacking for financial gain or other malicious intent). The attackers use multiple hosts to send requests to a target site at such a rate that it crashes.
The Scope. The nature of this war is that it is ongoing. All public IP addresses are regularly under attack. And the breaches that happen aren’t necessarily made public. We usually hear about the really big ones, but according to Wikipedia, the only breaches that make the data-breach lists are those involving a compromise of more than 30,000 records. In 2016, a New York Times article quoted Donna Gregory, unit chief at the FBI’s Internet Crime Complaint Center (IC3) as estimating that only 10-12% of all U.S. cybercrime victims were reported.
On May 8, 2019, the website www.digitalguardian.com published an article called The Top 10 FinServ Data Breaches. These are noteworthy because in recent years, some of the biggest hacks have involved financial service providers: banks, payment processing companies, loan providers and credit reporting bureaus. Some of the names you might recognize on this list are Equifax, Inc., Heartland Payment Systems, JPMorgan Chase and CitiFinancial. The total number of accounts/individuals affected by the data breaches listed? Over 519 million.
The unseen enemy is the one you can least afford to ignore.
In his April 4, 2019 letter to JPMorgan Chase shareholders, Chairman and CEO Jamie Dimon said, “The threat of cyber security may very well be the biggest threat to the U.S. Financial System.” His company alone spends $600 million a year on cyber security, employing 3,000 individuals dedicated to cybersecurity. And they still were the victims of a substantial data breach in 2014!
Apparently, asset size, ample funding and staffing don’t necessarily equate to security. Unfortunately, neither does a smaller asset size provide a bank with obscurity and safety. According to a study from Nationwide, banks with less than $1 billion in assets were the victims of nearly half (47%) of all bank-related cyber-crimes between 2012 and 2017, and financial institutions with less than $35 million in revenue accounted for 81% of hacking and malware breaches in 2016 – a jump from 54% the previous year. The reality is that all banks are at risk, and the cost of a breach is something that must be considered.
According to the 2019 Annual Cybersecurity Report from Cybersecurity Ventures, cybercrime damages are anticipated to cost businesses and organizations $6 trillion annually by 2021. This number “represents the greatest transfer of economic wealth in history… and will be more profitable than the global trade of all major illegal drugs combined.” A 2015 report from Juniper Research, a U.K.-based market analysis firm, predicted the average cost of a data breach would surpass $150 million by 2020.
This may be information you already know or suspected, as bankers are known for having a pretty decent grasp on cybersecurity and its risks. The question is – do you have an effective strategy in place? This is war, after all.
What you don’t want to be is merely reactive or defensive. As noted above, the cost of dealing with a breach once it’s occurred may be substantially more than the cost of being proactive. Or, in simpler terms:
The Best Defense is a Good Offense.
Good leadership starts at the top. Most community banks have IT personnel and an Information Security Officer appointed to oversee the Bank’s Information Security Program. These are critical placements, but data breaches and cyberattacks affect the entire enterprise, not just a single unit, division or department. Decisions to mitigate these threats shouldn’t be relegated solely to IT or the ISO.
Invest in 5 practical, offensive strategies starting now:
- Train Your Employees – They may unwittingly be your weakest link. They need to be as current on the latest types of attacks as your IT staff and ISO.
- Establish Sound Policies and Procedures – This may seem archaic or even obvious, but as the nature of threats has evolved over the past few years, have your policies evolved accordingly?
- Risk Assessments – Before bringing any new technology on board or implementing new strategies, services or products, thoroughly risk assess them! You might inadvertently be installing a back door for the bad guys.
- Regular Reviews/Testing of Controls – Remember the days of atomic bomb drills? Earthquake drills? Fire drills? These days, for your bank, that takes the form of audits, vulnerability assessments, phishing testing and social engineering testing.
- Involve the Entire Organization – In battle strategy, ignorance is not always bliss – sometimes it’s just dangerous. The more knowledgeable your entire organization is, the more prepared you are for attacks. Sharing information often helps thwart a potential breach.
Although the nature of our enemy may change over the years, the battlefields may appear different, and the tactics employed may be unique and more devious, there is timeless wisdom to be applied to our fight. In the words of one of our country’s greatest military strategists, George Washington,
“It is unfortunate when men cannot, or will not, see danger at a distance; or seeing it, are restrained in the means which are necessary to avert, or keep it far off…Not less difficult is it to make them believe, that offensive operations, often times, is the surest, if not the only (in some cases) means of defence.”