Verizon’s Data Breach Investigations Report (DBIR) is the most comprehensive and cited source of statistical data and trends related to cyber security incidents. Data breaches are traced, categorized, and analyzed to provide intelligence used by security organizations and businesses of many types and categories.
The goal of the DBIR report is to help companies understand the dynamics of cybercrime in order to take preventative action and decrease the attackers’ ROI. Every year, our HORNE Cyber team annotates the full report to highlight the most impactful findings and compare the data with their own learned observations. See their rich, informative overview here. Here, our HORNE Banking team has done a similar overview of the 2016 Data Breach Investigations Report: Financial Services Report.
Key Findings from the 2016 DBIR Financial Security Report
Looking at over 100,000 incidents from 82 countries, including 2,260 analyzed data breaches, the 2016 DBIR report tells a central story. Cybercriminals remain motivated by the money they can make by exploiting unforced errors.
Looking at the pure number of security incidents by victim industry and organization size, the financial industry ranks third, after public and entertainment entities. But when the industries are listed by the volume of confirmed data loss, financial services institutions have the dubious honor of the top ranking.
Honing in on the financial services industry, we see that web app attacks, denial of service (DoS) attacks and payment card skimming account for 88% of all incidents.
Web app Attacks = 48%
Web app attacks made up 48% of all security incidents in financial services - the greatest share of any industry. This was due to the impact of Dridex in 2015 – a strain of malware designed to break into bank accounts. Many incidents made use of stolen credentials, infecting devices with viruses that capture keystrokes for harvesting later. The majority of attacks were the result of opportunistic malware infections.
Denial of Service (DoS) = 34%
DoS attacks are a malicious form of disruption and a powerful threat to businesses. They use botnets to swamp networks, bringing organizations to a standstill and forcing key services offline. They disrupt critical systems, cost millions every day in lost revenues and damage reputations. And as DoS attacks grow in size, frequency and complexity, they’re increasingly being used as a way to perpetrate financial data security breaches.
Payment card skimming = 6%
Payment card skimming made up the smallest number of incidents in this sector, but they represent 9% of all confirmed data breaches – second only to web app attacks. In financial services, all payment card skimming breaches are tied to ATMs.
The Defender-Detection Deficit
Perhaps the biggest storyline for the financial sector is the defender-detection deficit. This is not new, but the gap between insufficient defense efforts and threat actor successes is stunning. In 98% of cases, systems were compromised in minutes or less. Across the board, it typically takes a minimum of weeks for most victims (54%) to even become aware of the attack – but in the financial sector, that number can be as high as 66%. And longer to engage a solution.
That suggests attackers have plenty of time to find the potentially lucrative data they’re looking for. So, what are the best actions for financial organizations to take to detect and mitigate these costly risks?
Defending against each of the three primary risk categories requires a specific set of approaches. Web apps require two-factor authentication or biometrics and protocols for locking accounts after repeated failed attempts. All CMS platforms and third- party plugins should have a robust patch process, and processes should be in place to continually monitor and validate inputs.
Recommended DoS attack prevention measures have included segregating and isolating assets, organizational mitigation planning, and testing for gaps in infrastructure and processes. Because payment card skimming issues are directly related to ATM machines, prevention centers on monitoring processes and tamper controls.
Unfortunately, by now, many of these recommended efforts have become table stakes – both for businesses and threat actors. Hackers are just as able to read reports like these, and have proven their ability to stay a step ahead of prevention measures time and again.
In the past month alone, the Department of Homeland Security (DHS), the FBI, and FFIEC all issued warnings and advisory statementsfor financial institutions. FFIEC warned financial institutions to assess the risks of interbank messaging and wholesale payment networks, urging them to request specific security control recommendations from their payment system provider. In the wake of one of the largest financial cybercrime operations to date, the FBI issued a warning to U.S. banks of a malicious cyber group targeting foreign banks. And the DHS has started three new task forces specifically focused on cybersecurity matters.
Looking at these current scenarios and warnings in light of the DBIR findings, our HORNE Banking and Cyber teams advise clients to go beyond even measures cited by the very comprehensive Verizon report. Three efforts are absolutely central to improving the cyber resilience of financial institutions going forward:
Financial institutions must shift to the offense if they are going to succeed in securing their network. As the DBIR report so aptly states, “forewarned is forearmed.” It takes an adversarial, hacker mindset and a habitual level of monitoring and prevention. The entire HORNE team, led by our specialists in HORNE Cyber, take an industry focused approach to doing exactly that for our clients.
Join the conversation and receive updates of new posts: