A Closer Look at Cybersecurity Threats and Proactive Mitigation


Introduction: Understanding Cybersecurity Threats

In today’s digital era, cybersecurity stands as a linchpin for financial institutions, guarding against a myriad of threats that jeopardize data and resilience. As financial professionals, it’s crucial to grasp the nuances of these threats to fortify defenses and protect against potential breaches, regardless of the complexity and size of the institution. As most of us know, effort should be focused on proactive measures like training and tools, but we are often forced to spend it on related but reactive priorities instead. For reference, Splunk.com’s annual security survey (1,520 security and IT leaders) found that the top challenges facing the security organization are about exactly this issue:

Because of this, it’s important to find methods to standardize, automate, and reward proactive efforts that best align the organization with an understanding of common cyber threats. Among those “methods”, training and awareness sit at the top of the list.

To assist, we’ll dissect the more common security threats: phishing attacks, malware incidents, and social engineering tactics to offer practical strategies for mitigation. By illuminating these threats and arming ourselves with knowledge, we can empower teams to confront cyber risk effectively and uphold the resilience of financial systems.

Phishing Attacks

Most of us can relate to hearing about the email or phone call to an elderly relative that almost (or did) cause a loss of property and a paper trail to unravel. It’s frustrating to hear that someone ‘fell’ for a simple phishing attack that we would have avoided. But that’s just it: there is a level of training required to see the tomfoolery, and our responsibility as security leaders is to facilitate that education.

At its core, phishing involves the use of fraudulent emails, websites, or messages that mimic legitimate entities, such as banks or financial services providers. Despite the cool name, it represents one of the more pervasive and persistent threats to the financial sector. These communications often employ social engineering techniques to instill a sense of urgency or fear, compelling recipients to take immediate action, and sometimes the wrong one.

To mitigate the risks posed by phishing attacks, financial institutions must adopt a multi-faceted approach that includes employees, contractors, and vendors.

Phishing Mitigation

A few proactive ideas to consider:

  1. Training Programs: These programs should cover topics such as how to identify suspicious emails, avoid clicking on unknown links, and report potential phishing attempts to the appropriate internal teams. A key part will be conducting simulated phishing exercises to test employees’ awareness and response to phishing attacks. These exercises can help identify areas for improvement and reinforce best practices for identifying and avoiding phishing attempts.
  2. Reporting Channels: Establish clear channels for reporting phishing attempts, such as dedicated email addresses or hotlines, to make it easy for individuals to report suspicious emails or activities. Prompt reporting can help security teams quickly respond to potential threats and prevent further damage. In the same vein, these channels should be simple to use and provide rapid feedback for a job well done.
  3. Reward Programs: Implement reward programs to incentivize employees, contractors, and vendors for reporting phishing attempts or successfully identifying phishing emails. Rewards can include recognition, gift cards, or other incentives to encourage active participation in phishing mitigation efforts. I’ve not heard of a pizza party but perhaps yours will be first.
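The training item above lists the tells employees are taught to look for (a sender that only resembles the bank, a link whose text and destination disagree, pressure language). As an added example that is not part of the original post, the following Python checks a raw email for those same indicators, the kind of logic a simulated-phishing exercise or a reporting-channel triage script can run. The trusted domains, the brand token, the two sample messages and the urgency phrases are all constructed assumptions for illustration.

```python
"""Added example: score a raw email for common phishing indicators.

Constructed, hypothetical input; not the article's own code.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the institution sends mail only from these domains.
TRUSTED_DOMAINS = {"examplebank.com", "mail.examplebank.com"}
BRAND = "examplebank"  # brand token a spoofed display name would reuse
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|suspended|verify your account)\b", re.I)
# Only treat anchor text as "showing a host" when it looks like a URL or domain.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

# Constructed sample: lookalike sender, foreign Reply-To, deceptive link, pressure wording.
SAMPLE_PHISH = """\
From: Example Bank Security <alerts@examp1ebank.com>
Reply-To: support@mail-verify.example.net
To: jane.doe@examplebank.com
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<p>Your account has been suspended. Please <a href="http://examplebank.com.verify-login.example.net/">https://examplebank.com/login</a> immediately.</p>
"""

# Constructed sample: a legitimate notification, expected to produce no indicators.
SAMPLE_LEGIT = """\
From: Example Bank <alerts@examplebank.com>
To: jane.doe@examplebank.com
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement is available at <a href="https://examplebank.com/statements">examplebank.com/statements</a>.</p>
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL or bare 'host/path' string, lowercased."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def phishing_indicators(raw_email):
    """Return a list of (indicator, detail) tuples; an empty list means nothing flagged."""
    msg = message_from_string(raw_email)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Sender domain one or two edits away from a trusted one (examp1ebank vs examplebank).
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(sender_domain, trusted) <= 2:
                found.append(("lookalike_domain", f"{sender_domain} resembles {trusted}"))
        # 2. Display name borrows the brand while the address does not belong to it.
        if BRAND in name.lower().replace(" ", ""):
            found.append(("display_name_spoof", f"'{name}' sent from {sender_domain}"))

    # 3. Replies redirected to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and reply.rsplit("@", 1)[-1].lower() != sender_domain:
        found.append(("reply_to_mismatch", reply))

    # 4. Link whose visible text names one host but whose href goes somewhere else.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        shown = host_of(text) if LOOKS_LIKE_URL.match(text) else ""
        if shown and shown != host_of(href):
            found.append(("link_mismatch", f"text shows {shown}, href goes to {host_of(href)}"))

    # 5. Pressure language in the subject or body.
    hits = URGENCY.findall(msg.get("Subject", "") + " " + body)
    if hits:
        found.append(("urgency_language", ", ".join(sorted({h.lower() for h in hits}))))
    return found


if __name__ == "__main__":
    for code, detail in phishing_indicators(SAMPLE_PHISH):
        print(f"{code}: {detail}")
```

None of these checks is proof on its own; the value is in the combination, which is also how the training curriculum should frame it. A real deployment would additionally consult authentication results (SPF/DKIM/DMARC) from the mail gateway rather than only the visible headers.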

Malware Incidents

An abbreviation for “malicious software”, malware encompasses various types of harmful software designed to infiltrate systems, steal data, or cause damage. Though not exhaustive there are a few main types:

Category: Ransomware
Definition: Software designed to block access to a computer system or files until a sum of money, or ransom, is paid. This form of malware encrypts the victim’s files, making them inaccessible, and typically displays a ransom demand instructing the victim on how to make payment to regain access. Ransomware attacks can target individuals, businesses, or even entire networks, and the ransom demanded can vary widely. For perspective (and so we don’t feel lonely), in its 2023 State of Email Security Report, Mimecast found that 66% of respondents reported falling victim to ransomware, with small and mid-sized companies having the most difficulty (70% – 77% experiencing an attack).
Primary goal: Extort money from victims by holding their data or systems hostage.

Category: Spyware
Definition: Software built to secretly gather information from a computer or device without the user’s consent. It can monitor a user’s online activities, collect sensitive information such as passwords and credit card numbers, and relay this data to third parties without the user’s knowledge. Spyware often infiltrates a system through deceptive means, such as being disguised as legitimate software or bundled with other programs. Once installed, spyware operates covertly in the background, making it difficult for users to detect its presence. It can slow down system performance, cause instability, and compromise the user’s privacy and security.
Primary goal: Gather sensitive information about users’ activities, preferences, or personal data.

Category: Viruses
Definition: Designed to replicate and spread to other computers or devices (like the biological kind of virus; life finds a way). They can be hidden within seemingly harmless programs or files and can be activated when these files are opened or executed. Once a virus infects a system, it can modify, delete, or steal data, damage files, and interfere with the normal operation of the device. Viruses can spread rapidly through email attachments, infected websites, removable storage devices, and network connections.
Primary goal: Infect and spread to other systems, causing damage or compromising security.

Category: Trojans
Definition: Named after the infamous Trojan Horse from Greek mythology (see Brad Pitt’s Troy for a 100% accurate retelling), Trojans are software disguised as legitimate programs or files to trick users into downloading and executing them. Unlike viruses and worms, Trojans do not replicate themselves, but they can perform various harmful actions once installed on a system.
Primary goal: Disguised as legitimate, facilitate data theft, system compromise, or further malware infections.
Some types of Malware

Malware Mitigation

As with phishing attacks, a proactive approach will typically lead to the best outcomes. Financial institutions can bolster their defenses against malware incidents by implementing a three-pronged approach to mitigation.

  1. Technology and Tools specific to cybersecurity, designed to detect and prevent malicious activity. One example is an endpoint protection solution, i.e. software that safeguards “endpoints”, such as desktops, laptops, and mobile devices, from malware threats. These solutions use various techniques, including signature-based detection, heuristic analysis, and behavioral monitoring, to identify and block suspicious files or activities before they can compromise the system.

    Additionally, firewalls can act as a barrier between an organization’s internal network and external threats, filtering incoming and outgoing traffic based on predefined security rules to prevent unauthorized access and block malicious content.

    Finally, Security Information and Event Management (SIEM) tools play a vital role in threat detection and response by aggregating and analyzing security event data from across the organization’s IT infrastructure. By correlating disparate logs and alerts, SIEM solutions can identify potential indicators of compromise and facilitate timely incident response efforts.
  2. Employee Education and Awareness are essential to mitigating malware threats. These follow roughly the same tenets as proposed in the Phishing section, with the curriculum leaning toward:

    – Using only approved software
    – Incident reporting channels specific to the type of malware
    – Continual awareness of the mechanisms for malware (vs. just the lexicon)
  3. Vendor Risk Management (or Third-Party Risk Management) continues to rise in popularity because it makes explicit which software (and which relationships) have already been vetted and approved.

    Financial institutions should establish comprehensive vendor risk management programs that include thorough due diligence processes for evaluating vendors’ security posture and capabilities. This includes assessing vendors’ adherence to industry-standard security frameworks, compliance with regulatory requirements, and the implementation of robust cybersecurity controls.
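The SIEM paragraph in item 1 above says the value comes from correlating disparate logs rather than reading each source alone. As an added example that is not part of the original post (and not any vendor’s rule syntax), the following Python applies one such correlation over constructed events from three sources: an email gateway, a web proxy, and an endpoint agent. The key=value log format, the three user names, the hostnames and the time windows are all assumptions for illustration. The rule chains a delivered URL to the same user fetching that host through the proxy, then to an Office application spawning a script host on that user’s machine shortly afterwards, which ties this section back to the phishing one.

```python
"""Added example: a small SIEM-style correlation over constructed log lines.

Hypothetical key=value events from three sources (email gateway, web proxy,
endpoint agent); not the article's own code or any vendor's rule language.
"""
from datetime import datetime, timedelta

# Constructed sample logs. jdoe follows the full phish -> click -> script chain,
# bkim only clicks, and asmith's PowerShell is launched from Explorer (benign here).
SAMPLE_LOGS = """\
2024-05-01T09:00:12Z source=email_gw user=jdoe action=delivered url_host=invoice-portal.example.net msg_id=m1
2024-05-01T09:03:40Z source=proxy user=jdoe action=allowed url_host=invoice-portal.example.net bytes=48211
2024-05-01T09:04:05Z source=edr host=WS-JDOE user=jdoe action=process_start parent=winword.exe image=powershell.exe
2024-05-01T09:10:00Z source=proxy user=asmith action=allowed url_host=news.example.org bytes=9000
2024-05-01T11:30:00Z source=edr host=WS-ASMITH user=asmith action=process_start parent=explorer.exe image=powershell.exe
2024-05-01T13:00:00Z source=email_gw user=bkim action=delivered url_host=invoice-portal.example.net msg_id=m2
2024-05-01T15:30:00Z source=proxy user=bkim action=allowed url_host=invoice-portal.example.net bytes=48000
"""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
CLICK_WINDOW = timedelta(hours=24)   # delivery -> proxy fetch of the same host
EXEC_WINDOW = timedelta(minutes=15)  # proxy fetch -> script host spawned by an Office app


def parse_line(line):
    """'<iso-ts> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_logs(text):
    """Parse every non-empty line and order events by time."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def within(later, earlier, window):
    """True if `later` happened at or after `earlier` and inside `window`."""
    return earlier["ts"] <= later["ts"] <= earlier["ts"] + window


def correlate(events):
    """Chain delivered URL -> proxy fetch of that host -> suspicious child process.

    Returns one alert per delivery that was followed by a click: severity
    'high' when the click is followed by an Office-spawned script host on the
    same user's machine, otherwise 'medium'.
    """
    alerts = []
    deliveries = (e for e in events if e["source"] == "email_gw" and e["action"] == "delivered")
    for mail in deliveries:
        clicks = [e for e in events
                  if e["source"] == "proxy" and e["user"] == mail["user"]
                  and e["url_host"] == mail["url_host"] and within(e, mail, CLICK_WINDOW)]
        for click in clicks:
            execs = [e for e in events
                     if e["source"] == "edr" and e["user"] == click["user"]
                     and e["action"] == "process_start"
                     and e.get("parent") in OFFICE_PARENTS and e.get("image") in SCRIPT_HOSTS
                     and within(e, click, EXEC_WINDOW)]
            alert = {"user": mail["user"], "msg_id": mail["msg_id"], "url_host": mail["url_host"]}
            if execs:
                alert.update(severity="high", rule="phish_link_to_script_execution",
                             host=execs[0]["host"], image=execs[0]["image"])
            else:
                alert.update(severity="medium", rule="phish_link_clicked", host=None, image=None)
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

The point of the example is the join, not any single event: the endpoint line for asmith is the same PowerShell launch that fires for jdoe, but without a delivered URL and a matching proxy fetch in the preceding window it produces nothing, while jdoe’s three individually unremarkable lines together become a high-severity alert with the message ID the responder needs to pull the original email.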

Social Engineering Tactics

Unlike traditional hacking methods that target technical vulnerabilities, social engineering exploits human psychology and trust to gain unauthorized access to systems or data. By exploiting human vulnerabilities, and often targeting employees, contractors, or vendors with access to critical systems or confidential data, cybercriminals find paths that are particularly challenging to detect and mitigate. The financial industry is a prime target for social engineering attacks because of the high value of the information and assets at stake, as well as the trusted relationships between financial institutions and their customers.

Like malware, social engineering encompasses a range of tactics aimed at exploiting people, though most of them involve impersonation, manipulation, and persuasion to deceive individuals.

Category: Phishing
Definition: Sending fraudulent emails or messages that appear to be from reputable sources to trick individuals into disclosing sensitive information such as login credentials or financial details.
Unique characteristic: Casts a wide net.

Category: Pretexting
Definition: Creating a fabricated scenario or pretext to gain the trust of the victim and manipulate them into providing sensitive information or performing specific actions.
Unique characteristic: Creates a plausible pretext (story).

Category: Baiting
Definition: Enticing individuals with the promise of a reward or incentive to lure them into clicking on malicious links or downloading malware.
Unique characteristic: Exploits human curiosity or desire for gain.

Category: Spear Phishing
Definition: Targeted form of phishing that involves personalized messages tailored to specific individuals or organizations to increase the likelihood of success.
Unique characteristic: Highly customized and convincing messages.

Category: Tailgating
Definition: Following an authorized individual into a restricted area or building by closely following them through access-controlled entry points.
Unique characteristic: Relies on exploiting weaknesses in physical security.
Some Types of Social Engineering

Social Engineering Mitigation

To effectively mitigate social engineering risks, financial institutions must implement similar training programs as seen in Malware and Phishing.

Take them at the same time.

Let’s call out a few novel points:

Employee Training is a bit more direct here than elsewhere, as the real issue is psychology. Regular security awareness training sessions can help employees develop a skeptical mindset and learn how to verify the legitimacy of requests for sensitive information. We generally reward empathetic thinking, but social engineering’s exploitation of it means that nuance is required.

Controls and Authentication are useful because they reduce “spread” risk and enforce least-privilege access even if something does go sideways. Ensuring that SSO (or at least MFA) is in place lowers risk by shrinking the blast radius of a compromised account.

Assessments are sometimes an annoyance, as no one likes being told what to do, but penetration tests and authorization tests can proactively identify weaknesses and strengthen defenses against social engineering attacks. So next time compliance wants another round of look-see, perhaps we all just say “thanks for keeping us safe” and save the frustration for later.

So…

In summary, lots of things can go wrong if we don’t proactively safeguard cybersecurity. In exploring the pervasive threats facing the financial sector, including phishing, malware, and social engineering, we’ve seen that although there is overlap, each has its own ways to monitor and measure.

In general, each form of threat will benefit from some type of:

  1. Dynamic Governance
  2. Employee Training and Education
  3. Tools and Technology

Securing financial systems against cyber threats requires a concerted effort from financial institutions, workers, regulators, and even customers. By adopting a proactive and collaborative approach to cybersecurity, financial institutions can strengthen their resilience to cyber threats, maintain trust, and safeguard the integrity of the financial system as a whole.

About Spenser

My Resume: I’m a pragmatic and engaging leader with 16+ years of proven leadership in a gamut of senior roles centered around applied business strategy through approachable communication, P&L connection, and pragmatic innovation.

What I tell myself: There’s more to learn. Let’s get it.

Photo by Pixabay on Pexels.com

Comments

One response to “A Closer Look at Cybersecurity Threats and Proactive Mitigation”

  1. Arsenal for Cyber Warriors: Must-Have Security Technologies – Spenser Baldwin

    […] Antivirus and Anti-malware Software play a foundational role in endpoint security, offering the first line of defense against common threats by detecting and removing malicious software. These tools are continually updated to recognize the latest malware, providing a basic yet crucial layer of security across all endpoints. More on malware here. […]
