As cyberattacks grow more sophisticated, organizations are increasingly worried not just about data theft but also about threats to their critical infrastructure. With hackers backed by rogue nation-states, the risk landscape has expanded exponentially—affecting consumers, employees, and even supply chains.
A report from Javelin Strategy & Research, New Stakes of Cyber Resiliency in the Era of Cyber Warfare, explores how large organizations can protect themselves against these risks. Tracy Goldberg, Javelin’s Director of Fraud and Security and author of the report, emphasizes the importance of cyber resiliency, which she defines as an organization’s ability to withstand and recover from attacks.
Attacks From an Array of Enemies
Privacy risks associated with social media and artificial intelligence have become even more severe, especially as political adversaries such as Iran and China back these cyber threats. These groups are researching financial institutions’ supply chains, exploiting vulnerabilities in API networks through island hopping techniques, and launching attacks to infiltrate systems.
Cyber resiliency is essential for long-term defense against these escalating threats. To enforce cyber resiliency, Goldberg recommends a holistic approach. This includes securing every device connected to the enterprise, educating employees on phishing attacks, ensuring the use of VPNs, and thoroughly assessing third-party connections and supply chain risks.
All of this requires a forward-thinking mindset. Organizations building a cybersecurity strategy should look not just at the next year but at the strategic evolution of cyber resiliency as the company grows.
A holistic approach is especially necessary as hackers have become sophisticated enough to launch multi-pronged attacks. Take, for example, a distributed denial-of-service (DDoS) attack that could serve as a smokescreen for something more nefarious on the back end.
“When a DDoS attack takes an online banking site down and consumers can’t get to their online banking, that’s going to distract cybersecurity teams from getting the site back up,” Goldberg said. “It also takes them away from another attack that could be using some kind of back door to get into the network.”
Target suffered such an attack through its supply chain over a decade ago. Cybercriminals infiltrated a heating and refrigeration vendor, then used that access to funnel their way through and breach Target’s network.
“It’s outside of your purview if one of your vendors gets hacked,” said Goldberg. “But if you have a vendor that’s connecting to your network, there should be certain access points they can’t enter through.”
The Risk for Financial Institutions
Financial institutions have a specific vulnerability in this area. With the instability of the financial market and the rise of mergers and acquisitions, some smaller institutions will either close down or be acquired by other institutions.
These mergers and acquisitions pose significant cybersecurity risks. As entities merge, disparate systems must be integrated, creating potential security gaps.
Obsolete servers may still house sensitive information or provide access to forgotten networks. If not properly secured, they present a tempting target for hackers.
The Threat from Nation-States
The lines between nation-state threat actors and cybercriminal rings have become blurred. Nation-states are funding and supporting cybercriminals who often serve as a front for more nefarious.
“We have not done a good job as an industry of attributing the attacks to specific groups,” said Goldberg. “There was an argument a decade ago that indicators of compromise and attribution didn’t really matter–if you were seeing fraud, you were seeing fraud. But now we’re finally realizing that that’s not necessarily the case.”
Nowadays, proceeds from cybercrime are being used to finance terrorism and launder funds that ultimately support entities like the Iranian government, for example. What might seem like a simple romance scam could, in reality, be tied to a significant national security threat.
The Promise of Anti-Money Laundering Tools
Financial institutions have tools at their disposal that can effectively promote cyber resiliency. Anti-money laundering (AML) processes can connect many dots, but because these tools have been used in isolation for decades, they have failed to make critical connections that could more readily detect fraud and preemptively prevent cybercrime.
According to the U.S. Patriot Act and the Bank Secrecy Act, from an AML standpoint, there are certain entities that banks cannot provide funds to. Red flags may be raised on the AML side, preventing funds from being transferred to an account holder in a particular region. However, similar alerts are often absent when the fraud team reviews a consumer’s claim of being scammed. These teams should be working in tandem.
Fraud, cyber and AML often compete for budget. AML teams typically receive larger budgets for technology investments due to regulatory compliance mandates, but the same technology can be leveraged across all three departments when signals are shared. This approach reduces cybersecurity gaps and AML concerns simultaneously.
Technology investments across the enterprise can ultimately enhance cyber resiliency. For example, anti-phishing campaigns led by the fraud department could contribute to cyber resiliency by tracking suspicious actors. Even if individuals don’t initially appear to be the same, the fraud team might identify commonalities, such as shared IP addresses or mobile phone numbers linking multiple accounts.
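The account linking described above, together with the AML signal sharing from the previous section, can be sketched as follows. This is an added example, not code from the Javelin report or from any vendor tool; the record fields, the sample accounts, and the set of AML-flagged IDs are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (documentation IP ranges, fictional numbers).
SAMPLE_ACCOUNTS = [
    {"id": "A1", "ip": "198.51.100.7", "phone": "+15550100"},
    {"id": "A2", "ip": "198.51.100.7", "phone": "+15550101"},
    {"id": "A3", "ip": "203.0.113.9", "phone": "+15550101"},
    {"id": "A4", "ip": "192.0.2.44", "phone": "+15550199"},
    {"id": "A5", "ip": "203.0.113.80", "phone": None},
    {"id": "A6", "ip": "192.0.2.45", "phone": None},
]

def link_accounts(accounts, keys=("ip", "phone")):
    """Group accounts that share any identifier, directly or transitively."""
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        # Union-find lookup with path halving.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # (field, value) -> first account seen with that value
    for acct in accounts:
        for key in keys:
            value = acct.get(key)
            if not value:
                continue  # a missing value must never link two accounts
            owner = first_seen.setdefault((key, value), acct["id"])
            root_a, root_b = find(owner), find(acct["id"])
            if root_a != root_b:
                parent[root_b] = root_a

    clusters = defaultdict(set)
    for acct in accounts:
        clusters[find(acct["id"])].add(acct["id"])
    # Only clusters of two or more accounts are interesting to reviewers.
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)

def clusters_with_aml_flag(clusters, aml_flagged_ids):
    """Return clusters where at least one account carries an AML red flag,
    so a flag raised on one account reaches reviewers of its linked accounts."""
    return [c for c in clusters if aml_flagged_ids.intersection(c)]

if __name__ == "__main__":
    linked = link_accounts(SAMPLE_ACCOUNTS)
    print(linked)
    print(clusters_with_aml_flag(linked, {"A3"}))
```

A1 and A3 share no identifier directly; they end up in the same cluster only through A2, which is the kind of connection a single-team review tends to miss.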
Looking for Direction
In the past, the federal government has set standards for organizations to adhere to. But in the new landscape, financial institutions will have only themselves to turn to.
The Biden administration issued an 11th-hour cybersecurity executive order, calling for far-reaching inclusivity and accountability among government agencies, industry sectors, and tech and software providers to strengthen cybersecurity resilience. However, with the transition to a new administration, the order will have little direct impact on cybersecurity resilience and responsibility.
“When there’s no policy, what standards do we look to?” asked Goldberg. “Financial institutions need to find other standards or regulatory agencies to look to for guidance. Cyber resiliency is going to be the responsibility of the organizations themselves.”
The post Building Cyber Resiliency into Financial Institutions appeared first on PaymentsJournal.