SUMMARY: Company leaders often think that a cyber attack will never happen to them because their company and its data are of no interest to hackers. This article explains why financial services firms should be concerned about ransomware attacks, the best practices financial services firms can take to prevent an attack, and given the unique regulatory requirements, how financial services firms can recover from a ransomware attack after they have become infected.
Why Financial Services Firms Should Be Concerned About Ransomware
According to the Audit and Consulting firm RSM International in the United Kingdom, around 819 cyber incidents were reported by Financial services firms to the Financial Conduct Authority (FCA) 2018.
RSM said that Retail Banks were the most frequently affected by cyber-attacks (486 security incidents) followed by wholesale financial markets (115 attacks), and retail investment firms (53 incidents). Financial firms reported around 93 cyber-attacks, in which half of these (48 attacks) were phishing attacks while 20 percent (19 attacks) were ransomware attacks (cisomag.com).
- The firms store a lot of valuable and confidential customer and corporate data.
- The firms tend to have significant cash on hand, and the high cost of downtime makes them more likely to pay a ransom to get back encrypted data.
- Their IT security is perceived to be deficient, especially within smaller banks and credit unions.
Company leaders often think that a cyber attack will never happen to them because their company and its data are of no interest to hackers.
Olympia Financial Group was hit by ransomware, the financial services firm acknowledged in a recent press release. Eight days later, the firm announced it had completely recovered from the crippling cyberattack. The ransomware attack did not affect ongoing operations, including foreign exchange trades, at Olympia, the company said. “The malware used to perform the attack encrypted electronic data stored on Olympia’s network so it cannot be read or used,” but no customer information was compromised, according to a press release. (biztechmagazine.com)
In one of the largest hacks of a financial institution in history, Capital One announced in July that it had suffered a data breach, impacting tens of millions of credit card applicants. Users’ banking information, including transaction history, balances, credit scores, and addresses, was stolen. Some peoples’ social security numbers were taken, but credit card information was not compromised, Capital One said at the time. Paige Thompson, a software engineer who previously worked for Amazon, was arrested and charged with computer fraud and abuse in connection with the hack. She could face up to five years in prison and a $250,000 fine if convicted. (businessinsider.com)
In July, a data leak at First American Financial Corp., the largest real estate title insurance company in the U.S., exposed transaction records of 885 million individuals. According to Brian Krebs, American journalist and investigative reporter, First American leaked hundreds of millions of documents related to mortgage deals going back to 2003. (securitymagazine.com)
State Farm, the insurance provider in the US, was compromised in a credential stuffing attack. The firm acknowledged the cyberattack, filing a data breach notification with the California Attorney General, and by sending out “Notice of Data Breach” emails to users whose online account log-in credentials were obtained by the hackers. The insurer’s data breach notification email said, “State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt to access to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account.” (securitymagazine.com)
A shocking report by the UpGuard Data Breach Research team revealed that decades’ worth of data in a storage server belonging to the Oklahoma Department of Securities had been exposed for nearly a week before the breach was discovered. A search engine called Shodan registered that the data was publicly accessible on Nov. 30, 2018. Analysts at Upguard discovered on Dec. 7 that the server contained sensitive content and updated the Oklahoma Department of Securities the very next day, prompting them to revoke public access to the sensitive data almost immediately. The extent of the breach remains to be determined as the range of data left unsecured included personal information, internal communication records, and login information. (techgenix.com)
Accounting software company Wolters Kluwer faced a devastating malware attack, shutting off service and panicking many accountants who were racing to file their clients’ tax returns by a May 15 deadline. As CNBC reported, some accountants worried they were going to have to file returns by hand. The IRS eventually extended the deadline an unprecedented seven days. (cnbc.com)
A ransomware attack will most likely, at some point, happen to you. Some of us are trophies like Capital One; some of us are low hanging fruit for petty criminals looking for an easy score. We all need to digest that. No more apathy, ambivalence, or denial. It’s time to recognize the threat, understand it, and protect ourselves because the cost of ransomware prevention vs recovery is a hell of a lot better business decision. The more you know the better you can prepare for and prevent the worst from happening. By implementing the best practices in Ransomware prevention, financial services firms forestall an attack and recover more quickly from a ransomware attack after they have become infected.
Fifty percent of small businesses feel they are not prepared to handle a Ransomware attack. I’m frankly surprised this is not a higher percentage given the dynamic nature attacks. Do you think you’re prepared? How would you know what prepared looked like? What was prepared last month will not be the same as being prepared this month. It’s no surprise that the state of cybersecurity is constantly changing. Criminals will be criminals. Knowing this does not make it any less annoying to think that just when you have addressed one vulnerability, another one (or two) opens up. It can drive a business leader, who wants to just serve clients, grow, and enjoy work, nuts. The long list of threats just keeps growing like a field of dandelions. Hackers love the cat-and-mouse game of attacks. The game never ends. Being prepared means continuous diligence in making your company more difficult to penetrate than the guy next door.
There are only two mistakes one can make along the road to truth; not going all the way, and not starting. —Buddha
How to Prevent a Ransomware Attack on Your Financial Services Firm: Best Practices
Hackers are opportunistic, cheap, and look for easy targets. They use a host of free tools to easily identify new targets to hit (i.e., companies that do not have even basic security in place). Your goal is to do everything possible to make your firm an undesirable target. Our clients who put these practices into place are 90% less likely to experience an infection.
We’ve put together a Ransomware Best Practices Checklist to prepare you and your organization before, during, and after a ransomware attack.
RELATED: Take Ransomware Seriously…Seriously
1. Complete Regular Backups
All data is backed up locally and in the cloud. It is backed up at least daily and better yet every hour or two. The cloud storage is secure and cannot be deleted. Test the entire system every month or two to make sure it is secure and working properly.IMPLEMENTATION COST: $$ RISK REDUCTION: 100% TIME: Low EFFORT: Low
2. Educate your ENTIRE team about security
And I mean everyone. Discuss some best practices and examples of ransomware hacks that have been in the news. The more people know the more security-aware they are. You can even start using a security awareness training 3rd party (Google it!) that will “test Phish” your team and provide cybersecurity education videos/testing.
IMPLEMENTATION COST: $ RISK REDUCTION: 50% TIME: Low EFFORT: Low
3. Filter Out as Many Threats as Possible
Spam, spyware, malware, viruses, and phishing emails – Use an Email Security and Threat Prevention platform (Google it!) so most of the bad items never even make it to your email.
IMPLEMENTATION COST: $ RISK REDUCTION: 50% TIME: Low EFFORT: Low
4. Install (THAT MEANS PAY FOR) Advanced Anti-virus and Anti-malware
Use something better than generic free antivirus and make sure it’s running optimally, up to date, AND you’re actually using and learning from its reports. I would like to give you some examples of good anti-virus solutions but detailing those publicly is a security risk (the bad guys see what is being used and then can work on specific attacks on that application). Contact me and I’ll be glad to share some details!IMPLEMENTATION COST: $ RISK REDUCTION: 80% TIME: Low EFFORT: Low
5. Have an End Point Detection Platform Running to More Fully Protect Your Systems
Think of it as your personal AI that is monitoring your computer activity. If it finds something of concern, it will automatically block the activity. Even if you click on something you shouldn’t, this should prevent anything bad from happening.IMPLEMENTATION COST: $ RISK REDUCTION: 80% TIME: Low EFFORT: Low
6. Practice Good IT Hygiene:
- Local machines DO NOT have administrator rights (so no rogue apps can be installed)
- User access to servers is regulated/limited/reviewed
- Updates are installed at least weekly and critical security ones immediately
- Users are regularly educated
- Backups reviewed and tested
- Someone is on top of all of this and managing everything. Too often it is just handed to someone who does not want it and then it gets ignored.
7. Prepare an Incident Response Plan BEFORE an Attack.
This is a straightforward plan that helps you navigate through the landmine items if you have a cybersecurity fiasco. Just Google it to find a plan template.
IMPLEMENTATION COST: $0 RISK REDUCTION: 10% TIME: Medium EFFORT: Medium
I cannot tell you how often I hear company executives saying something like this: “No one wants my data, so why is anyone going to spend the time to hack me? I’m not too concerned with security”. Ugh. That point may be true to them, but it has no bearing at all on most of the cybersecurity today, particularly Ransomware. Do better! You may not think your data is “valuable” and the Ransomware hackers don’t care about the intrinsic value of your data, but the fact you have and rely on any data at all has a ton of value to them and to you.
In the end, the best way to address a ransomware infection is to not get one in the first place. The annual cost to proactively protect your company from a ransomware attack is $7,140 (based on a 40 user company). Is it worth about $600 bucks a month to highly protect your organization from a week of operational downtime, brand destroying reputation hits, and customer dissatisfaction caused by hackers and ransomware?