Actions financial institutions can take to avoid them
The banking industry in the U.S. has been undergoing large-scale digital transformation in recent years. Adoption of digital applications to replace their manual predecessors has significantly assisted financial institutions in moving toward more customer-centric service delivery. Digital transformation projects also result in improving business agility and resilience, and in facilitating regulatory compliance.
What is Digital Transformation?
In the banking industry, digital transformation refers to the front-end movement to offer more customer-facing services online as well as the back-end heavy lifting required to support those online services.
While Marketing and Sales are chief drivers of the shift to e-services, Operations is responsible for the enormous back-end effort, including information technology and data security.
A full-scale transformation touches all banking departments and virtually all bank employees. It also introduces risk into the equation.
Common Threats During Digital Transformation Projects
The financial industry is accustomed to managing risks of many varieties, and the risks that derive from digital transformation projects are not necessarily new.
What is new is the need for banking operations to heighten awareness and avoidance of these risks throughout the organization before, during, and after a digital transformation project. In addition, it is important that customers remain confident in the security and privacy safeguards the institution has put in place to protect their data during the project.
Among the most common threats to arise during digital transformation projects are identity theft, insider threats, ransomware, and supply chain attacks.
1 - Identity Theft
Identity theft can occur when customers’ personal information is inadvertently exposed, or when previous safeguards are no longer adequate to protect data privacy and security.
The core mission of digital transformation is to deliver electronic services to customers quickly and conveniently through their smartphones, laptops, wearables, and other digital devices.
These devices may have various levels and types of security, and their users rely on the financial institution to utilize the most secure systems available. Identity theft can also occur when (1) access credentials, such as passwords, are weak, (2) network or wi-fi connections are not secure, or (3) phishing schemes deceive users into disclosing their personal information.
Identity fraud occurs most often in new credit card accounts, mobile phone accounts, and business and personal loans, according to the Federal Trade Commission (FTC). In virtually all of these cases, customer data is collected, transferred, or stored electronically.
Identity theft in the U.S. cost $16.9 billion in 2019, according to Javelin Strategy & Research, and affected 5.1% of consumers. Contributing to the high cost of identity theft are the fraudulent purchase of goods and services, the opening of other accounts the criminal can continue to use after the theft has been discovered, and the theft of consumer tax refunds, to name a few.
2 - Insider Threats
These threats come from individuals inside the financial institution who have knowledge of or access to the organization’s computer systems. They may be malicious, with intent to harm the institution or its customers. Or they may be negligent, lacking knowledge of company security policies or simply disregarding them. In either case, insider threats place the organization at risk.
A digital transformation project may open avenues of access, even temporarily, that a disgruntled employee can exploit for personal gain or to damage the institution. The brief window during which one system is cut over to another, or a new system is installed to replace a manual process, may inadvertently create vulnerabilities that can be exploited.
Human error can play a part in introducing threats as well. Programming errors, inexperienced coders, lack of communication, poor judgment, and similar human errors can result in vulnerabilities that may expose proprietary data or customer information.
It’s vitally important that IT and security teams plan carefully, create checks and balances for their employees, and remain hyper-sensitive to the potential for exposure or abuse from inside the organization.
3 - Ransomware
When an institution and its employees are focused on implementing a digital transformation project, with its many moving parts, it is not uncommon for distractions to occur and otherwise solid security safeguards to be relaxed.
This unusual environment can create opportunities for social engineering attacks, including phishing and spear-phishing ploys, aimed at acquiring login credentials that can be used to access protected data. Attackers who obtain those credentials then encrypt the data and demand that a ransom be paid in exchange for the decryption key that renders the data usable again.
Although not new on the cybercrime scene, ransomware attacks continue to rise. According to Bitdefender, ransomware attacks increased 715% in 2020, and were responsible for 81% of all financially motivated cyberattacks in 2020.
The average cost of a ransomware attack in the U.S. was $4.44 million in 2020.
4 - Supply Chain Attacks
These cybercrimes occur when hackers target less secure components of an organization’s supply chain. They may identify a back-door vulnerability in a third-party platform that hosts the financial institution’s customer data, for example.
A supply chain attack can occur in any industry. Today, most businesses rely on third-party resources to accomplish their various goals. Outsourcing is proven to save personnel, payroll, and benefits expenses, and to replace capital expenditures with operating expenses, which are treated differently for tax purposes.
Typically, a financial institution’s digital transformation project will affect a system from A to Z, including all third-party resources that comprise the system.
Depending on a third party’s own security operations, procedures, and policies, it is possible for vulnerabilities to exist in this element of the supply chain that do not exist in the financial institution itself. These vulnerabilities place the bank and its data at risk.
How to Prevent These and Other Threats
There are many measures for preventing threats that arise during digital transformation projects, whether identity theft, insider threats, ransomware, or supply chain attacks. Among the most important are company-wide programs to educate employees, annual risk evaluations, and security best practices for the supply chain.
Following are some of the actions financial institutions can take to reduce risk and better protect their customers, employees, suppliers, third-party resources, and other stakeholders and their data from these and other threats.
Best Practice: Employee Training
Training employees, and regularly retraining them, is one of the most effective actions a financial institution can take to protect institutional data, intellectual property, and other sensitive information.
According to Experian, a leading credit monitoring and reporting organization, employees should be trained to shred all paper documents containing information that personally identifies customers, employees, or other consumers once they have been scanned or otherwise converted to digital form.
- All employees should be trained to be suspicious of callers and emails probing for proprietary information. If in doubt, they can hang up and directly phone the company claiming to need the data. Phishing attacks and social engineering schemes will continue to be highly effective until awareness of these ploys is at top of mind for every employee.
- Similarly, employees should be trained to never open suspicious-looking email and never click on links in an unsolicited email. These are common delivery mechanisms for malware, including ransomware.
- Employee training, at all levels, should include the mandatory use of strong passwords and changing passwords every 60 to 90 days.
- Avoiding public wi-fi when using company devices is also important. If employees travel for business, a mobile data management plan is vital to protecting their devices and the data they provide access to. This policy should extend to all devices across the entire digital ecosystem or Internet of Things.
For remote workers, anti-malware programs, security software, and use of virtual private networks can enhance online security at these endpoints, which improves security for the entire organization. A VPN hides sensitive data by routing users through a secure server, essentially rendering them anonymous, which makes cyberattacks much more difficult.
Best Practice: Supply Chain Security
Supply chain security begins with an institution’s clear and complete understanding of each supplier and vendor, and full transparency into their data privacy and security safeguards. The greater the number of vendors in the supply chain, the greater the risk.
The healthcare industry follows an excellent model, based on HIPAA regulatory requirements, in which “business associates” or suppliers who work with healthcare providers must meet the same requirements and standards as the providers themselves.
This model logically applies to all industries, as outsourcing has become the norm and provider/vendor configurations have become increasingly complex. Financial institutions are required to comply with the Gramm-Leach-Bliley Act, and their partners and suppliers should be required to do the same.
Annual security risk assessments are as important for members of the supply chain as they are for the financial institutions they do business with. Proof of regular security risk assessments should be required by the institution, along with documented security programs. Cybersecurity insurance is also an option.
Essentially, each member of the supply chain should meet the same degree of scrutiny as the institution itself. Secure coding standards should be maintained when members of the supply chain have software development responsibilities. Web application assessments or vulnerability assessments can go a long way in helping identify software vulnerabilities. Developers should be kept aware of documents such as the OWASP Top 10 Security Vulnerabilities and should be trained in secure coding methods.
Additional security measures to protect institutional data within the supply chain include limiting users’ ability to install unapproved software. Organizations have lists of approved software for use by employees, and in the vast majority of cases this is more than sufficient to get the work done. By minimizing the number of users authorized to install third-party software on devices, organizations can significantly reduce risk.
Similarly, the fewer individuals able to access data, the lower the risk of an attack on the supply chain and the data maintained within it. It's vital for an organization to know precisely who has access to their sensitive data, at all points in the chain, in order to limit access to select users for specific functions. As in the healthcare industry, the “need to know” litmus test should govern the granting of data and system access.
For additional cybersecurity recommendations, the FFIEC has provided useful guidance for financial institutions in managing third-party vendor risk, including many instructional booklets and other resources.
Best Practice: Security Risk Assessments
Security risk assessments are a fundamental safeguard for financial institutions and their supply chains—regardless of whether their data has to do with employees, customers, suppliers, shareholders, or other stakeholders. The results of regular security risk assessments provide valuable input into a bank’s cybersecurity program and related employee training protocols.
A thorough security risk assessment encompasses these components:
- External and internal penetration testing and vulnerability assessments for institutional assets; penetration testing for web applications.
- Social engineering testing.
- Third-party / vendor risk assessments.
- Evaluation of existing security policies and procedures.
As an example, external penetration testing evaluates an organization’s network from the outside, scanning IP addresses and looking for ways into the network and access to data, just as a hacker would. This testing reveals vulnerabilities in the organization’s laptops, desktops, monitors, servers, routers/modems, and other electronic devices connected to the network. Vulnerabilities may be due to configuration errors, outdated software, hardware or software that are no longer supported, and other oversights requiring correction.
A security risk assessment report will document the findings of all testing conducted, identify the organization’s connected assets, prioritize the risks associated with the assets, document the mechanisms and safeguards in place to manage the risks, and provide additional vital insights. It also offers a roadmap for enhancing security measures and improving the results of the next scheduled risk assessment.
Summary
Financial institutions engage in digital transformation projects for many reasons, including to enable them to move toward more customer-centric service delivery, improve business agility and resilience, and facilitate regulatory compliance. Such projects can be distracting for IT teams and may create risks for the organization by shifting focus away from cybersecurity while systems are being replaced and other project activities are being conducted.
Four common threats arising from digital transformation projects are identity theft, insider threats, ransomware, and supply chain attacks. Effective ways to combat these threats include employee cybersecurity training and retraining, security best practices for suppliers and vendors, and regular security risk assessments for the financial institution and its suppliers.
With proper planning to address these threats, financial institutions can complete their digital transformation projects in a timely fashion without sacrificing their cybersecurity.