Financial firms face cyberattacks on all fronts
Phishing, spear phishing (a targeted phishing email crafted to appear to come from a familiar client or business partner) and social engineering continue to be issues for financial services firms trying to protect themselves from cyberattacks, according to David Kelley, surveillance director in the Financial Industry Regulatory Authority's Kansas City office. Kelley participated in a cybersecurity panel at the Rocky Mountain Securities Conference on Friday, outlining the most common issues firms are dealing with.
In addition to the familiar cyberattacks above, ransomware and account takeover are increasingly common.
Establishing processes to recognize and remedy vulnerabilities on an ongoing basis is critical to firms' cybersecurity efforts. The panelists at the conference shared ways to address the various risks, internal and external, that firms face.
Even at big firms, account takeover is “a big deal,” Kelley said. “That may be the thing we hear about most from a lot of firms,” he said. A client’s account credentials are stolen and the hacker tries to move the account to another institution.
Firms should take stock of what controls they have in place to prevent unauthorized changes to a client’s account.
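As an added illustration of the kind of control the panel is pointing at (example code written for this page, not anything FINRA, the SEC or the firms named here have published): a rule that holds an outbound transfer when the request follows a login from a device the account has never used and a change to the contact details or linked bank account, which is the sequence an account takeover typically produces. The event fields, the seven-day look-back, the two-indicator threshold and the decision names are all assumptions, and the sample activity is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    account: str
    ts: datetime
    kind: str      # "login", "profile_change" or "transfer_request"
    detail: str    # device id for logins, field name for profile changes, destination for transfers


# Hypothetical policy knobs: the profile fields an attacker changes to redirect money or
# intercept confirmations, and how far back to look for related activity.
SENSITIVE_FIELDS = {"email", "phone", "linked_bank", "mailing_address"}
LOOKBACK = timedelta(days=7)


def _is_new_device(events, login):
    """True if this device never logged into the account before this login."""
    return not any(
        e.kind == "login" and e.account == login.account
        and e.detail == login.detail and e.ts < login.ts
        for e in events
    )


def assess_transfer(events, transfer):
    """Decide how to handle an outbound transfer request.

    Returns (decision, reasons). The decision names are hypothetical control names:
      allow             - nothing suspicious in the look-back window
      step_up_auth      - one indicator; re-authenticate through a factor on file
      hold_for_callback - two or more indicators; hold the transfer and verify out of band
                          using contact details that pre-date the window
    """
    assert transfer.kind == "transfer_request"
    start = transfer.ts - LOOKBACK
    recent = [e for e in events
              if e.account == transfer.account and start <= e.ts < transfer.ts]
    reasons = []
    new_devices = sorted({e.detail for e in recent
                          if e.kind == "login" and _is_new_device(events, e)})
    if new_devices:
        reasons.append("login from unrecognised device(s): " + ", ".join(new_devices))
    changed = sorted({e.detail for e in recent
                      if e.kind == "profile_change" and e.detail in SENSITIVE_FIELDS})
    if changed:
        reasons.append("recent change to " + ", ".join(changed))
    if len(reasons) >= 2:
        return "hold_for_callback", reasons
    if reasons:
        return "step_up_auth", reasons
    return "allow", reasons


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample activity (not real client data).
SAMPLE_EVENTS = [
    # A-1001: takeover pattern - unknown device, email and bank changed, then a wire out.
    Event("A-1001", _t("2016-01-05T09:00"), "login", "dev-home-laptop"),
    Event("A-1001", _t("2016-01-20T18:30"), "login", "dev-home-laptop"),
    Event("A-1001", _t("2016-02-01T03:10"), "login", "dev-unknown-7f3a"),
    Event("A-1001", _t("2016-02-01T03:15"), "profile_change", "email"),
    Event("A-1001", _t("2016-02-02T11:00"), "profile_change", "linked_bank"),
    Event("A-1001", _t("2016-02-03T10:00"), "transfer_request", "wire to new linked_bank"),
    # A-2002: routine transfer from a device seen before the window.
    Event("A-2002", _t("2016-01-03T12:00"), "login", "dev-phone-2002"),
    Event("A-2002", _t("2016-02-03T12:00"), "login", "dev-phone-2002"),
    Event("A-2002", _t("2016-02-03T12:05"), "transfer_request", "ACH to bank on file"),
    # A-3003: new device but no profile change; one indicator only.
    Event("A-3003", _t("2016-01-10T08:00"), "login", "dev-3003-desk"),
    Event("A-3003", _t("2016-02-02T22:00"), "login", "dev-3003-tablet"),
    Event("A-3003", _t("2016-02-03T09:00"), "transfer_request", "ACH to bank on file"),
]


def review_transfers(events=SAMPLE_EVENTS):
    """Run the check over every transfer request; returns {account: decision}."""
    return {e.account: assess_transfer(events, e)[0]
            for e in events if e.kind == "transfer_request"}


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        if e.kind == "transfer_request":
            decision, reasons = assess_transfer(SAMPLE_EVENTS, e)
            print(e.account, decision, reasons)
```

The one design point worth carrying into a real implementation: when a transfer is held, the callback must go to the phone number or email the account had before the change, because the attacker's first move is usually to replace those so that confirmations reach them instead of the client. The look-back and the indicator threshold are tuning knobs to set against the firm's own false-positive rate.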
“The losses from these kinds of schemes can be enormous,” David Glockner, regional director of the SEC’s Chicago office and moderator of the panel, said, referring to Ubiquiti Networks, which reported a $39 million loss last year from “what was essentially a business email compromise.”
Kelley said that in June, FINRA started seeing an increase in reports of distributed denial of service (DDoS) attacks, especially among small and medium-size firms, where hackers would shut down a firm's website and extort it for bitcoin.
“Cybercriminals have determined how easy it is to make money,” panelist Kevin Witt, chief technology officer of Kestra Financial, said. “The old notion that cybersecurity was all about protecting your customers’ privacy and nothing else” is no longer accurate. “It’s also about protecting the availability of your systems and information, and the integrity of those systems.”
Stealing information is a difficult crime to monetize, he added. It may be easy to steal information, but it’s harder to find someone to sell it to. “It doesn’t take any sophistication at all to hold someone’s information for ransom. It’s a very scalable business model.”
Hackers don’t even have to understand the information they’re stealing, “but they can encrypt it and hold it hostage for $10,000,” Witt pointed out. Furthermore, bitcoin makes it easy to collect ransoms anonymously, he said.