Sign In

Communications of the ACM

ACM News

Financial Services Firms Battle Cyberthreats


Cybercriminals often see an immediate monetary gain from their crimes when targeting banks.

Financial services firms are under siege from cyberthreats, even as they face a shortage of qualified cybersecurity personnel.

Credit: Reuters/RT/Google

Banks, investment firms, and insurance companies are responsible for safeguarding the assets and financial well-being of consumers and businesses, but the financial services industry is the target of more digital security incidents than any other sector. With trillions of dollars of assets at risk, identity thieves, scammers, and cyber-terrorists view banks and other financial services providers as prime targets.

In recent months, Facebook has been in the news as revelations about the amount of data it shares on its users have been unearthed. Said Avi Cohen, CEO of The Floor, a Tel Aviv-based financial technologies (FinTech)-focused cybersecurity firm that works with six of the world's largest financial services firms, "Banks have a different responsibility than Facebook. Facebook's primary thing to protect is customer data. Banks have to protect not only their customers' data, but also their actual financial assets."

The convergence of a growing number of sophisticated cybercrimes and a shortage of qualified digital security professionals to counter these threats has created an environment that is exposing the financial services industry to higher costs and greater risk. The global cost of cybercrime is estimated to be as high as $608 billion, according to the Center for Strategic and International Studies, a bipartisan think tank in Washington, D.C.

Management consulting firm Accenture says cybercrime costs each financial services company worldwide an average of $18.3 million per year, an amount that grew more than 40% from 2014 to 2017. Fortunately, the industry has recognized it must invest in technology and human resources to keep our hard-earned money safe.

Frequent Cyberattacks

In September 2017, consumer credit reporting company Equifax disclosed that it had been hacked, exposing to cybercriminals the personal and financial information (including Social Security numbers and driver's license information) of 145 million Americans. This incident opened the eyes of many to the extensive damage that can be done with a single breach.

Cybercriminals are taking their craft to new levels of sophistication, though many of the methods hackers are using are derivative of long-used techniques. Hackers exploited known security flaws in both the Equifax breach and the WannaCry ransomware attack and were able to take advantage of unpatched systems to gain access to information. Demanding ransom in the form of cryptocurrencies has been the trend since 2016, as was the case for WannaCry.

More recently, the U.S. Federal Bureau of Investigation (FBI) warned banks of a sophisticated form of cybercrime—a so-called "cash-out" scheme—that permits hackers unlimited cash withdrawals from automated teller machines (ATM). Krebs on Security has reported that cybercriminals have hacked into banks' systems, removed fraud controls, and even modified account balances to give themselves even greater access to cash.

The financial services industry was the target of 27% of all digital security incidents in 2017, according to IBM's X-Force Threat Intelligence Index. More than four out of five bank chief information officers and executives in the U.S. surveyed by Bank Director listed cybersecurity as a top concern; that is no surprise, given that criminals often see an immediate monetary gain from their crimes when targeting banks.

If there is something positive to be found in the increase in the number of cyberattacks on the world's financial systems, it is the significant opportunity for well-trained information technology professionals and firms to create innovative digital crime detection and prevention solutions. Netscribes reports the cybersecurity industry has benefitted from massive investment by financial services companies: $24.28 billion in 2017, projected to grow nearly 60% to $39 billion in 2022.

Identifying the Threats

Financial services providers must deal with any number of digital threats, and criminals are constantly evolving their methods, making the job of cybersecurity that much more difficult. The Floor's Cohen said, "Cyberthreats are coming from a number of vectors. Organized crime and state governments are the main players, while employees and customers can spread them, though generally not maliciously." A study by Juniper Networks found that 80% of cybercrime involves organized crime factions; this is a complete reverse from a decade ago, when 80% of these crimes were committed by "independent loners."

The industry must be prepared to face threats as large as a distributed denial of service (DDoS) attack that can prevent millions of customers from accessing their accounts, or as small as a few users being scammed out of their savings with phishing emails. Financial institutions must also be able to adapt to new channels of cyberthreats. For example, ThreatMetrix says in its Q1 2018 Cybercrime Report that 55% of financial transactions on its Digital Identity Network are on mobile devices, making the mobile channel increasingly attractive to criminals.

Financial institutions typically employ threat detection systems that integrate artificial intelligence, behavioral analytics, risk-based transaction authentication, and other technologies to combat cybercrime. These technologies must provide near-instantaneous information and be frictionless across a global network that handles billions of transactions a day. This ecosystem includes consumers, retailers, credit card processors, lending officers, and many others. This means that there is a huge demand for experienced, well-trained people fluent in cybersecurity.

Security Professionals Wanted

As the financial services industry has been trying to close the gap against digital threats, it is faced with a shortage of qualified cybersecurity personnel. It is expected there will be a gap in the cybersecurity workforce of 1.8 million employees by 2022. This shortage of people skilled in the technologies needed to meet this demand is viewed as a major challenge to companies across all industries.

ISACA, a global association of information security professionals, found in its "State of Cybersecurity: 2018" report that more than half of companies (51%) said that it takes three months or longer to fill a cybersecurity position. The study also found that 61% of applicants for cybersecurity positions were not qualified for the position for which they were applying. This lack of qualified personnel has companies turning to vendors around the world for off-the-shelf cybersecurity solutions as an alternative to hiring.

Israel  is gaining attention for its expertise in cybersecurity. CB Insights has reported that Israel was second only to the U.S. in its share of cybersecurity investment deals over the past five years; Israel accounted for 7% of cybersecurity deals made from 2013-2017, a strong-but-distant second to the U.S.-based firms that accounted for 69% of cybersecurity deals.

In a separate study, CB Insights classified 29 high-momentum cybersecurity start-ups as "Cyber Defenders." Six of these companies (21%) are headquartered in Israel, second only to the U.S., which is home to 62% of those Cyber Defender firms (headquartered primarily in California).

One reason for this, explains Cohen, is that the Israeli military is producing cybersecurity experts who then enter the private sector. "In a sector where there is a lack of talent, there is strong competition for these highly qualified experts," says Cohen.

Prepared, Despite Challenges

While hackers are getting more sophisticated, the financial services industry has recognizing the threats and is taking action. "Banks are being much more proactive of late to the threat of cyberattacks," said Cohen. "They are actively seeking out vendors, looking for technological leadership to stay ahead of cybercriminals; to stay ahead of the curve."

Despite the shortage in cybersecurity expertise, most executives (69%) surveyed by Bank Director said they felt that their bank had adequate in-house expertise to address cybersecurity.

Universities have recognized the opportunity to educate students for high-paying jobs, and more and more schools are offering cybersecurity degrees and certificates. Greater availability of these programs can help fill the void financial institutions are facing.

Mark Broderick is a Tampa, FL-based writer and analyst covering the financial services and payments industries.


 

No entries found