Posted By Jessica Weisman-Pitts
Posted on July 25, 2022
Ross Brewer, Vice President and General Manager of EMEA and APJ for AttackIQ, discusses how financial institutions can build a threat-informed defence and navigate the current compliance space.
Ransomware continues to proliferate in today’s ever-expanding digital economy, hindering companies’ and governments’ ability to ward off threats. The highest number of ransomware attacks on record was seen last year – over 470 million – making 2021 the costliest year to date for enterprises. A total of around $6 billion was lost to cyber-crime in the U.S., according to a recent report by the Federal Bureau of Investigation. Businesses in the U.K. have also been hit hard by cybercrime over the past year, with financial losses amounting to over £1 billion. Global malware campaigns targeting financial institutions (MirrorBlast), as well as notorious financially motivated cybercriminal gangs such as Cobalt, which has attacked 100 financial firms in more than 40 countries, are placing even more pressure on businesses.
Attackers follow opportunities and thieves follow the money. As banks pivoted to online banking over the last 20 years, criminals went online too, carrying out in cyberspace the heists that Bonnie and Clyde once did in person. To combat these destructive attacks, banks are doubling down on their security budgets, and governments across the globe are pushing for strengthened regulations. While financial services firms have to report when a breach has taken place and describe their response in the event of an attack, there are no boxes to tick when it comes to their performance data. With regulators, auditors, and lobbying associations asking for more granular detail, and every process becoming a digital process, financial institutions are under growing pressure when it comes to threat detection and response readiness.
Cybersecurity compliance for financial institutions, which today looks more like a spider web of overlapping mandatory and optional regulations, makes it even more difficult for enterprises to navigate the current threat landscape.[i] Only by keeping up with the evolving compliance space, and by choosing the right threat protection provider, can institutions stay one step ahead of cybercriminals.
The evolution of the compliance space
Governments around the world are seeking to strengthen cybersecurity regulations, propelling a whole sector to adopt advanced solutions for cyber compliance. In March, the U.S. Senate passed the Strengthening American Cybersecurity Act, which would require companies involved in critical infrastructure to report cyberattacks and ransomware payments. In the U.K., the Government has set out to improve cyber regulations across the board, investing over £2 million in its National Cyber Strategy. Singapore has taken more stringent steps: in the event of a cybersecurity breach, banks will have to pay higher penalties, with the maximum penalty for a breach standing at around $736,791.
Compliance is risk management and threat management coming together. Businesses should be able to produce risk metrics and build executive reports around them, especially with professional associations, lobbying associations, and auditors asking for more detailed performance data. This is where automated security control testing can aid teams, by providing real-time data on the effectiveness of their security programs. Through knowledge-based frameworks such as MITRE ATT&CK, security programs can be put to the test effectively, using knowledge of adversary tactics, techniques, and procedures (TTPs). Simulating real-world adversary behaviours is the key to building a repository of relevant data that can be shared with regulators and investors, as well as to preparing businesses to face a real-world threat.
A transformation of the computing universe
With businesses moving operations to the cloud, securing systems and protecting supply chains have grown immensely in complexity. While most major cloud service providers offer native security controls to improve cybersecurity, security teams often fail to recognize and validate them: 82 per cent of breaches could have been stopped with existing controls. Third-party supplier breaches have also increased in ruthlessness, with “island hopping” becoming a widespread phenomenon. Rather than launching a direct cyberattack, ransomware operators are now going after vulnerable partner networks. Recent research finds that 60 per cent of financial institutions experienced an increase in “island hopping”, a 58 per cent increase from last year.
Because of this, businesses must assume that their external defences will be breached by intruders, and carry out continuous automated testing of their controls. This “assume breach” strategy needs to be followed by investment in best-in-class capabilities, whether that means investing in talent or in better technology. For example, threat detection platforms that are mapped to most of the major cloud providers will be more effective in protecting financial institutions against attacks. Protection of systems can only be ensured through continuous testing, so companies should also consider moving away from testing their controls only once or twice a year.
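As an added illustration of the two points above (ATT&CK-based testing that yields shareable metrics, and continuous testing that catches control drift), the script below is example code written for this page, not AttackIQ's product or any real platform's API. It takes the results of a simulated adversary run, keyed by real MITRE ATT&CK technique IDs, aggregates them into per-tactic effectiveness scores of the kind an auditor would ask for, lists the uncovered techniques, and compares two runs to flag techniques a control handled last time but misses now. The outcomes in the sample runs are constructed for the example.

```python
"""Score simulated adversary tests (keyed to MITRE ATT&CK) into per-tactic
metrics and detect regressions between continuous test runs.
Added example; the result records and their outcomes are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TestResult:
    technique: str  # ATT&CK technique ID, e.g. "T1059.001"
    tactic: str     # ATT&CK tactic the technique was exercised under
    outcome: str    # "prevented", "detected" or "missed"


GOOD_OUTCOMES = {"prevented", "detected"}

# Constructed baseline run: real technique IDs, illustrative outcomes.
BASELINE_RUN = [
    TestResult("T1566.001", "initial-access", "prevented"),   # spearphishing attachment
    TestResult("T1059.001", "execution", "detected"),         # PowerShell
    TestResult("T1047", "execution", "missed"),               # WMI
    TestResult("T1003.001", "credential-access", "detected"), # LSASS memory
    TestResult("T1021.002", "lateral-movement", "missed"),    # SMB admin shares
    TestResult("T1048", "exfiltration", "detected"),          # exfil over alt. protocol
    TestResult("T1486", "impact", "prevented"),               # data encrypted for impact
]


def with_outcome(run, technique, outcome):
    """Return a copy of `run` with one technique's outcome changed."""
    return [
        TestResult(r.technique, r.tactic, outcome) if r.technique == technique else r
        for r in run
    ]


# Constructed later run: the LSASS test is no longer detected, e.g. after an
# EDR policy change. This is the drift continuous testing should surface.
LATER_RUN = with_outcome(BASELINE_RUN, "T1003.001", "missed")


def coverage_by_tactic(run):
    """Aggregate outcomes per tactic and compute a 0..1 effectiveness score."""
    buckets = defaultdict(lambda: {"prevented": 0, "detected": 0, "missed": 0})
    for r in run:
        if r.outcome not in buckets[r.tactic]:
            raise ValueError(f"unknown outcome {r.outcome!r} for {r.technique}")
        buckets[r.tactic][r.outcome] += 1
    report = {}
    for tactic, counts in buckets.items():
        total = sum(counts.values())
        good = counts["prevented"] + counts["detected"]
        report[tactic] = {**counts, "total": total, "score": round(good / total, 2)}
    return report


def overall_score(run):
    """Share of tests that were prevented or detected, rounded to 2 places."""
    if not run:
        return 0.0
    good = sum(1 for r in run if r.outcome in GOOD_OUTCOMES)
    return round(good / len(run), 2)


def gaps(run):
    """Techniques that no control prevented or detected in this run."""
    return sorted(r.technique for r in run if r.outcome == "missed")


def regressions(previous, current):
    """Techniques handled in `previous` that are missed in `current`."""
    before = {r.technique: r.outcome for r in previous}
    return sorted(
        r.technique for r in current
        if r.outcome == "missed" and before.get(r.technique) in GOOD_OUTCOMES
    )


def weakest_tactics(run, n=2):
    """Tactics ranked by ascending score, for the top of an executive summary."""
    report = coverage_by_tactic(run)
    ranked = sorted(report.items(), key=lambda kv: (kv[1]["score"], kv[0]))
    return [tactic for tactic, _ in ranked[:n]]


if __name__ == "__main__":
    print("baseline overall:", overall_score(BASELINE_RUN))
    for tactic, row in sorted(coverage_by_tactic(BASELINE_RUN).items()):
        print(f"  {tactic:<18} score={row['score']:.2f} ({row['missed']}/{row['total']} missed)")
    print("gaps:", gaps(BASELINE_RUN))
    print("regressions since baseline:", regressions(BASELINE_RUN, LATER_RUN))
```

Run it on each scheduled simulation and keep the per-run report: the `regressions` list is what turns a once-a-year test into continuous validation, since a technique that flips from detected to missed is a control that silently stopped working, not a new attack.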
As ransomware attacks grow in complexity and the threat landscape expands, the finance sector finds itself at a crossroads. With the compliance space evolving regularly and auditors asking for more granular performance detail, institutions need more support in building a threat-informed defence. TTP knowledge-based frameworks, paired with continuous testing of automated security controls, will help ensure that banks, brokerage firms, and payment providers are protected from breaches, building a safer future for the sector.
[i] https://www.upguard.com/blog/cybersecurity-regulations-financial-industry