Cybercrime, Financial Services’ Newest Bogeyman
by J. Shaw for The Daily Coin
A peculiar trait of many cyberattacks is that they’re indiscriminate, and so businesses both large and small are vulnerable to hacking. It’s not so much that there’s no defense against data breaches but that the scattergun approach criminals take to sowing mayhem is almost guaranteed to catch at least one website with its virtual pants down. As evidenced by the enduring popularity of SQL injection attacks, not everybody takes web security seriously.
That latter point is worrying, especially as cyberattacks on banks and money lenders skyrocketed in 2016. The UK’s Financial Conduct Authority claims an increase of 1,400% in reports between 2014 and September 2016. However, it’s worth noting that much of that surge comes from the fact that hacking attacks on financial services didn’t really exist as a crime three years ago, with just a handful of incidents reported then compared with 75 in 2016.
The numbers have little bearing on the cost though – £8 billion, all of which came out of the pockets of consumers. Put another way, poor security and aggressive hacking are increasingly a public concern rather than something that people in suits have to worry about, although there’s an obvious need for some soul-searching at the top of the corporate chain too. Inevitably, without an increased focus on prevention, the damages can only go up.
According to CNN, the United States loses upwards of $100bn a year in costs attributable to cybercrime, with the average business (in all sectors) losing $15 million annually. Security company Incapsula claims that a $38/hour Distributed Denial of Service attack can cause $400,000/hour in damages, inclusive of costs incurred from lost custom, damaged hardware, legal troubles and other clean-up fees.
Avoiding cybercriminals can be straightforward in many cases though. For example, web application firewalls are readily available and offer protection against all threats on the Open Web Application Security Project’s Top 10 list, including SQL injection, a technique which can allow hackers to manipulate and control databases. The remainder of the list includes things like broken security features, which, again, are easily prevented.
An emerging threat for the financial industry is ransomware, a type of malware that encrypts the victim’s files until a fee is paid, often in a cryptocurrency like bitcoin, for their release. Simultaneously the best and worst aspect of ransomware is that it doesn’t really care who or what it targets. So, in the event that a major institution falls to this type of attack, the levy might still be something like $300, as in the WannaCry attack on the UK’s NHS earlier this year.
The concern with ransomware is that not paying by a particular deadline means that everything encrypted in the malware attack is destroyed – and, in some cases, it might happen even if the ransom is handed over. Obviously, in the case of a financial institution, the damage could be catastrophic, with customer details, patents, mortgage details, and so forth all lost. Mercifully, for the US at least, WannaCry missed the country almost entirely.
Financial institutions need to recognize the fact that unprotected firms represent a honeypot for cybercriminals, especially given their association with vast stores of money.