Cybercrime is on the rise across all levels of industry and government. Nowhere is that more apparent than in financial services, where firms like banks and credit unions experience attacks nearly 300x more often than other industries. This is even accounting for the increased risk of cyberattack that schools and healthcare organizations faced as targets of opportunity in the COVID-19 pandemic.
What are banks doing about the threat they face? They’re spending an increasing portion of their budget on cybersecurity, of course. Deloitte’s data from 2020 shows that financial institutions spent 10.9% of their budget on cybersecurity last year, up from 10.1% the year before. While that’s good news, the average cost of a breach remains on the rise, reaching $8.94 million last year. Given that budgets are rising and the cost of breaches is rising too, the question now is whether banks are spending their increased IT security budget in the right place.
The Old Threat Prevention Methods Don’t Work Any More
The world of cybersecurity has changed dramatically in the past 10 years. The types of hacks, from exploit kits and malware to ransomware and other forms of malicious attack, have grown exponentially in scope and complexity. Nowhere is this more apparent than in the financial sector, a favorite target of hackers and scammers because of its rich trove of customer data.
Banks are subject to some of the most complex attacks, with ransomware that includes double-extortion vectors and human-operated methodologies, alongside the rising demand for data to be unencrypted. Although Acer recently “won” the title of highest ransom demand, that doesn’t mean financial services companies don’t experience advanced attacks. The threat is so significant, in fact, that the SEC last year issued an explicit warning to the banking sector.
Despite the shift in attack vector, banks most commonly spend their IT security budget on detection-centric platforms such as antivirus and EDR or XDR. Detection-centric platforms, including even the so-called “next-gen” antivirus platforms, are effective against known and file-based attacks that match known patterns of behavior or known file signatures. What they don’t do very well is defend against truly unknown attacks that have nothing in common with existing threats. Even the “next-gen” solutions that rely on machine learning are only as good as their training data, which by necessity consists of existing attacks and existing tactics, techniques, and procedures (TTPs).
No matter how fast these detections are made and how quickly detection-centric vendors update their platforms, cybercriminals can always alter their TTPs to bypass those updates. Detection-centric platforms are by design reactive to changing cybercriminal techniques. That is not the way forward, not if banks want their systems to remain secure. Instead, banks must take a proactive approach to their defense.
How Banks Can Spend Their Cybersecurity Budget Wisely
CISOs and other senior cybersecurity leaders need to keep abreast of the changing nature of attacks. The fileless exploits and other advanced threats that attackers have started to use more frequently affect system behavior without leaving a signature and can bypass detection-centric platforms, which means banks may not know they’ve been hacked until customer data ends up on the Dark Web. As a result, senior leaders need to seriously consider adopting a proactive, prevention-first approach to disrupt attacks before the malware or malicious fileless threat can even begin to run.
Banks need to implement the basics of a proactive approach before adding more layers on top of their already extensive security stacks. This includes training employees in security awareness, limiting admin privileges, and completing the zero trust strategy that they’ve likely already implemented for identity and access management as well as network security.
Extending zero trust to the endpoint, and specifically to application runtime, ensures that threats which bypass existing security controls don’t gain a foothold. With zero trust runtime protection deployed on the endpoint to guard against malicious in-memory threats, supply chain attacks such as the recent SolarWinds attack can’t proceed. This extension of zero trust to workstations and other locations within the security perimeter is a critical step toward reducing the risk of a breach.
Banks and other financial institutions have already committed an increased portion of their IT budget to cybersecurity. This is a logical decision to reduce the business’s exposure to cybercrime; the problem is that banks need to spend their cybersecurity budgets in the right place.
That right place is not pouring all of their spending into traditional protection systems like antivirus that only catch known attacks. By concentrating budget on detection-focused threat prevention, financial institutions risk leaving themselves exposed to the advanced, unknown attacks now in use.
Instead, banks and financial institutions must adopt a more proactive approach to their security. This starts with basic cyber hygiene and continues with completing the zero trust strategy they’ve already implemented at the network and identity level. Only then can banks hope to begin stemming the tide of cyber attacks.