Hackers are the Financial Sector’s Biggest Threat

There’s no question that hackers are a big concern across all industries. News sources deliver a continuous stream of panic-inducing headlines about data breaches, and major consulting firms insist that cyber security should rank as a top priority for business. The risks are serious, and the damage can be catastrophic.

Now, government officials are raising the alert level a step further for the financial sector. In May, SEC Chair Mary Jo White told reporters she believes that hackers are the most significant threat to the global financial system. White noted that although firms are aware of the risks and taking measures to improve protection, "their policies and procedures are not tailored to their particular risks."

These statements follow shortly after the breach of Bangladesh's central bank, in which attackers compromised the bank's systems and issued fraudulent transfer orders over the SWIFT interbank messaging network, stealing $81 million.

The financial sector is undoubtedly experiencing increasing pressure from hackers as firms move more and more operations online. Recent reports indicate that attacks are becoming more frequent and more intense. And considering the sizeable amount of data and money they handle, hedge funds and private equity firms should be particularly concerned about these developments.

While cyber security governance at financial firms continues to focus primarily on IT, hackers are targeting a different weak spot: employees. Second only to social media sites, financial organizations rank as a top target for phishing attacks. And while the "Nigerian prince" email scams are easy to spot, unsuspecting employees are falling victim to a newer, more formidable breed of social engineering attacks, which include:

  • Spear-phishing: a phishing message crafted for a specific target, made to appear to come from a person or organization the target already knows and trusts (a colleague, a counterparty, a vendor), often using details gathered about the target beforehand.
  • Watering hole attacks: compromising legitimate websites that the targets are known to visit and planting exploit code on them (sometimes, but not necessarily, for a zero-day vulnerability). Targets are infected simply by visiting the site in the course of conducting regular business.

While most threats to large financial firms, and especially hedge funds or private equity firms, have centered on diverting transactions to fraudulent accounts, organizations are also experiencing a broader range of attack types with more diverse goals. A recent example is the CryptoLocker ransomware, distributed through the GameOver Zeus botnet, which locked approximately 15,500 employees out of their computers and demanded a ransom to regain access.

The wider range of attacks in the financial sector poses a threat to the stability of the global finance infrastructure, and it calls for more vigilant, proactive investigation into vulnerabilities. Yet reports indicate that most financial firms conduct penetration tests no more frequently than once a year. While penetration testing can be difficult to conduct regularly with internal resources, you can run more frequent tests by engaging an expert pen testing team that uses black-box, gray-box, and white-box techniques (that is, testing with no prior knowledge of the environment, partial knowledge, or full knowledge including source code and architecture).

To defend against advanced persistent threats, financial firms also need to meet the SEC's cyber security examination expectations, which are organized around the five core functions of the NIST Cybersecurity Framework: identify, protect, detect, respond, and recover. (We specialize in assisting firms with the compliance process to meet these requirements.)

Finally, thwarting sophisticated social engineering attacks requires equally sophisticated employee awareness. A phishing assessment, including simulations of the latest phishing techniques, can accurately gauge whether your employees are likely to click a malicious link or disclose sensitive information, and where training needs to be focused.

For more information about how Gotham Security can assist your firm with enhancing its cyber security posture, contact us at info@gotham-security.com or 917.734.4120.