We often hear stories about cyber attacks at large organisations – how a company was forced to pay a huge sum in order to protect its data. Despite the huge figures, large institutions are able to brush off the impacts of the attack quite easily; smaller financial institutions do not have this luxury, as cyber-attacks on them can be detrimental.
Guy Moskowitz is the CEO and co-founder of Cor, an all-in-one cyber security platform for mid-market organisations, used by over 5,000 growing businesses and lean IT teams, empowering organizations to defend against malware, ransomware, phishing, and bots across devices, users, and cloud applications. He has over 20 years of experience in leadership roles, having worked as vice president and management member in various hi-tech companies, before choosing to launch his own company in order to focus on developing products in telecommunications, and security for the private and governmental sector.
Speaking to The Fintech Times, Moskowitz analyzes how smaller FSIs can best prepare themselves for cyberattacks to ensure they do not suffer the grave consequences should they fall victim to one:
While data breaches at big banks might grab headlines, recent developments show that smaller community banks and credit unions have become prime targets for cyber-criminals.
Unlike their larger counterparts, small and mid-sized financial services institutions (FSIs) lack the resources to hire and build comprehensive security teams or spend millions on cybersecurity tools. And though these FSIs may be small, their impact is huge. Nearly 97 per cent of the banks operating in the US are community banks. These institutions hold $3.4 trillion in total assets across almost 5,000 banks and 29,000 branches.
With the perception that their defences are weak, cyber-criminals view these smaller banks as easy, profitable prey. Cybersecurity concerns and challenges may seem insurmountable, but modern technologies such as AI and machine learning can effectively protect small and mid-sized FSIs from a potentially devastating attack without straining resources.
Top cybersecurity worries
The average cost of a data breach for financial services companies is $5.85 million. Big institutions can afford this – they have huge security, compliance and legal teams dedicated to rectifying any breaches and minimising financial impact. But for smaller institutions, which are attacked with as much volume and sophistication as the largest institutions, the impact is infinitely more damaging and harder to recover from.
Aside from strained resources and financial implications, the following cybersecurity concerns are top of mind for smaller FSIs:
In addition to money and assets, cybercriminals can steal credentials and sensitive personally identifiable information (PII) like social security numbers (SSN), credit card numbers, addresses or emails, creating a propagation of damage beyond the initial breach.
There are many types of attacks that financial institutions might face, including phishing, malware and insider threats. However, ransomware attacks on FSIs are increasing at a break-neck pace. One such example occurred in May 2021, when three undisclosed community banks out of California and Florida were targeted by two prominent ransomware groups known as Darkside and Ragnar Locker. They posted evidence of the break-ins, demanded ransom and threatened to expose even more sensitive data if the ransom was not paid.
- Downtime and operational availability:
When a smaller bank gets targeted, operations can be paralysed. Everything from teller services to account services and online banking can be brought to a halt.
According to LexisNexis Risk Solutions, annual expenses related to financial crime compliance surged 147 per cent from 2019 to 2021 for US banks with less than $10 billion in total assets. Banks face tougher regulatory compliance rules than any other industry. For example, they must comply with the GLBA (Gramm-Leach-Bliley Act) to protect customers’ data. But retailers, tech companies and others that process and store financial data are not subject to these same standards. Until all data can be equally protected, banks have more to lose when it comes to a breach. A retailer might have fines to pay and lawsuits to fight, but a bank faces all these and risks losing its banking license. Smaller FSIs must comply with the same regulations as big banks and lenders, but without the same resources to quickly identify, respond to, report and rectify a breach.
Once an attack becomes public, reputational and customer retention damage is much greater for smaller financial institutions. Customers may want to switch to other, bigger institutions they perceive as more secure. Furthermore, customers who have lost money or data may seek damages legally.
There’s a big imbalance among financial services companies. Small and mid-market FSIs are under the same level of duress as big banks from both hackers and regulators, but without access to the same security expertise, staff and budgets. Unable to afford expensive enterprise solutions, they turn to piecemeal solutions that don’t adequately protect their entire organization or may even outsource their cybersecurity, adding unknowns to the equation and actually increasing risk.
With cyberattacks growing among financial services companies, it’s important that even small community banks have a sound cybersecurity strategy. The good news is that, unlike massive financial institutions, smaller organizations are more agile and can quickly adopt new technologies to ensure safety and thwart attacks.
Successfully-secure small FSIs are beginning to leverage AI, automation and machine learning to fight off all kinds of cyberattacks without building out a robust team – faster and more accurately than humans ever could.
Modern FSIs need modern cybersecurity
According to a recent What’s Going On in Banking 2022 report, 51 per cent of bankers and 43 per cent of credit union executives cite cybersecurity as a top concern, yet only 23 per cent of banks and 18 per cent of credit unions view it as a tech priority. This is perhaps because of the perceived commitment needed to get cybersecurity technology in place. But, it’s not necessary to buy multiple point-solutions to fight off different attack vectors, dish out millions in enterprise tools or relinquish control by outsourcing cybersecurity.
Small-to-medium-sized FSIs can adopt a simple, non-disruptive, modern approach to cybersecurity that will not break already stretched IT budgets and teams. Using AI and machine learning, the majority of attacks can be blocked without human intervention. This approach automatically detects and contains malicious software, and distinguishes between human and bot-generated actions to detect potential attacks. Threats are automatically remediated and unauthorized data sharing is prevented.
FSIs ready to adopt this modern approach should keep in mind a few key considerations as they evaluate solutions:
- Does it cover all security end points with one engine?
- Is it non-disruptive and automated?
- Does it ensure PCI compliance and automatically identify violations?
- Does it prevent unauthorized data sharing or access?
- Can it identify potential malware and ransomware activity across all vectors (email, file sharing, cloud apps)?
- Does it block phishing scams, ransomware and malware instantly?
- Does it offer 24/7 monitoring of suspicious email activity?
Cybercrime is not going away anytime soon. It will only get more dangerous and damaging. Until smaller financial institutions take the steps to arm themselves to the same degree as their larger counterparts, they will continue to be viewed as easy prey.
Even without big teams and budgets, small and mid-sized FSIs can deploy modern technologies that leverage AI and machine learning to proactively, automatically and continuously protect themselves from leaked data, stolen funds, regulatory fines and reputational harm.