About the author
Ana Giraldo
Chief Risk Officer and Director Americas
Ana Giraldo is Thomas Murray’s Chief Risk Officer. She is based in Bogotá, Colombia, and also serves as Director, Americas. She leads our Risk Committee, and developed several internal risk methodologies to help clients assess their risk exposures to third parties. Ana is also the author of several technical papers on post-trade entities and risk.
It’s estimated that a cyber attack happens every 39 seconds, and financial services firms are the target of one in four of all malware attacks. Clearly, a mandatory multiple-choice questionnaire sent to your people once every few months to check on their level of security awareness is no longer enough to combat the growing threat posed by cyber criminals.
Some threats are perennial – it is unlikely that ‘human error’ will ever cease to be a factor – but others are new, or are becoming radically more sophisticated and dangerous over time.
1. Social engineering
Rapid advances in artificial intelligence have elevated the humble email phishing attack. Around 90% of all successful breaches begin with a phishing attempt, and financial services are particularly susceptible to them.
Apart from being able to imitate a recipient’s colleagues or clients more convincingly than ever before, threat actors are also no longer limited to initiating contact with victims. For example, they can now hijack existing email threads and insert themselves into legitimate workplace conversations, making their presence in your network that much harder for anyone to detect.
For example, Amrit, Jasmine and Joanna are having a discussion over email about a thorny issue. Unbeknownst to any of them, Jasmine’s account is accessed by a threat actor who sends Amrit and Joanna a link to a useful article. In this scenario, it would be hard to fault Amrit and Joanna for clicking on it.
Continuous, real-time monitoring of your threat environment is the only way to combat such attempts.
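The scenario above can be expressed as a detection rule rather than left to the recipients’ judgement. The following is an added example, not code from this article or from Thomas Murray; it assumes a mail-log feed that exposes, per message, the message id, the id it replies to, the sender, the client IP the message was submitted from, and the body (field names and the sample thread are constructed for the illustration). It flags a reply into an existing thread that both introduces a link domain the thread has never referenced and is submitted from an IP outside that sender’s learned baseline, which is exactly the pattern of Jasmine’s hijacked account.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set
from urllib.parse import urlparse

# Constructed message record: the fields a mail gateway or mailbox audit log
# would typically expose (assumed field names, not any particular product's).
@dataclass
class Message:
    msg_id: str
    in_reply_to: Optional[str]
    sender: str
    src_ip: str
    body: str


@dataclass(frozen=True)
class Verdict:
    in_thread: bool              # reply into a thread we have already seen
    new_domains: FrozenSet[str]  # link domains not previously seen in that thread
    new_source: bool             # client IP outside the sender's learned baseline

    @property
    def suspicious(self) -> bool:
        # All three together match the hijacked-thread scenario in the text.
        return self.in_thread and bool(self.new_domains) and self.new_source


URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def link_domains(body: str) -> Set[str]:
    """Return the lower-cased hostnames of every URL found in a message body."""
    hosts: Set[str] = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


class ThreadMonitor:
    """Stateful monitor fed one message at a time, in delivery order."""

    def __init__(self) -> None:
        self._root: Dict[str, str] = {}                 # msg_id -> thread root id
        self._thread_domains: Dict[str, Set[str]] = {}  # root -> link domains seen
        self._sender_ips: Dict[str, Set[str]] = {}      # sender -> baseline client IPs

    def observe(self, m: Message) -> Verdict:
        in_thread = m.in_reply_to in self._root
        root = self._root[m.in_reply_to] if in_thread else m.msg_id
        self._root[m.msg_id] = root

        seen = self._thread_domains.setdefault(root, set())
        new_domains = frozenset(link_domains(m.body) - seen)

        baseline = self._sender_ips.setdefault(m.sender, set())
        # No baseline yet for a first-seen sender, so the source cannot be "new".
        new_source = bool(baseline) and m.src_ip not in baseline

        verdict = Verdict(in_thread, new_domains, new_source)
        if not verdict.suspicious:
            # Only traffic judged benign trains the thread and sender baselines,
            # so a second message from the intruder is still flagged.
            seen.update(new_domains)
            baseline.add(m.src_ip)
        return verdict


def run_demo() -> list:
    """Replay a constructed thread modelled on Amrit, Jasmine and Joanna."""
    msgs = [
        Message("m1", None, "amrit@corp.example", "10.0.0.5",
                "Team, the vendor issue is tracked at https://wiki.corp.example/issue/42"),
        Message("m2", "m1", "jasmine@corp.example", "10.0.0.7",
                "Agreed, let's escalate. Notes in https://wiki.corp.example/issue/42"),
        Message("m3", "m2", "joanna@corp.example", "10.0.0.9",
                "Fine by me, I'll raise it tomorrow."),
        # Same mailbox, but submitted from an unfamiliar IP and carrying a link
        # to a domain the thread has never referenced.
        Message("m4", "m3", "jasmine@corp.example", "203.0.113.44",
                "Found a useful article on this: https://share-docs.example.net/a/1"),
        # A later benign reply linking to the already-known wiki is not flagged.
        Message("m5", "m4", "amrit@corp.example", "10.0.0.5",
                "Thanks. Updated https://wiki.corp.example/issue/42"),
    ]
    mon = ThreadMonitor()
    return [mon.observe(m) for m in msgs]


if __name__ == "__main__":
    for msg_id, v in zip(["m1", "m2", "m3", "m4", "m5"], run_demo()):
        print(msg_id, "SUSPICIOUS" if v.suspicious else "ok", sorted(v.new_domains))
```

The rule deliberately requires both signals: a new link domain alone is normal in a working conversation, and a new client IP alone is normal for staff who travel. Combining them inside an established thread is what separates the hijack from ordinary use, and the verdict carries the evidence (the domains and the source flag) so an analyst can triage it without re-reading the mailbox.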
2. Third-party attacks
Because the financial sector tends to invest more heavily in cyber security and threat intelligence than other industries do, cyber criminals will try more diverse methods to breach its defences.
Compromising the clients, suppliers or vendors of a financial services firm is often a much easier task than directly attacking the firm itself. These “supply chain attacks” are on the rise, and they are so effective because many go undetected.
According to the European Union Agency for Cybersecurity, of the supply chain attacks it analysed in 2021, in 66% of cases “suppliers did not know, or failed to report on how they were compromised.”
A robust third-party risk management (TPRM) process that begins during the Request for Proposal (RFP) stage is therefore essential, as is ongoing monitoring.
3. Ransomware
The heavily regulated financial sector is required to demonstrate the highest levels of operational resilience and breach preparedness. These requirements support both the infrastructure of the world’s financial markets and the security of client funds and data.
This means that many firms in the industry are more susceptible to extortion tactics – paying off cyber criminals can seem the easiest and most effective way to halt an attack and recover sensitive data. However, paying a ransom is no guarantee that stolen data will be returned, either uncompromised or at all. This is especially true in the face of developments like Ransomware as a Service (RaaS) gangs and double extortion methods.
IT security teams must stay up to date with the latest ransomware threats, and be given the tools they need to gather real-time information.
4. Distributed Denial-of-Service attacks
Although very crude, Distributed Denial-of-Service (DDoS) attacks show no sign of going away. In fact, in 2020 the number of DDoS attacks against financial services organisations and firms spiked by 30%.
The New Zealand Stock Exchange (NZX) was one of the victims that year. Trading was shut down for four days in the wake of a ‘mugging’ – the most dated and least sophisticated form of DDoS attack. The true impact may never be fully measured, as the attackers were then able to target firms listed on NZX and continue causing chaos even when trading resumed.
New Zealand’s regulator, the Financial Markets Authority, was scathing in its report on the incident. It described NZX’s IT staffing, crisis preparations and technology as “insufficient.” The FMA found that a DDoS attack was “foreseeable” and “should have been planned for.”
The problem is seldom that threat actors are simply too clever to be defended against. Too often, organisations are exposed to cyber risk through their own lack of preparation and resources.
The solution: Orbit Security
To protect your firm in an ever-changing risk environment, it is important to DAM – discover, analyse, and mitigate:
- Discover your attack surface using Orbit Security’s proprietary Network Footprint Discovery ML algorithm. From a single parent domain, we will discover all your interconnected infrastructure to a high degree of accuracy, regardless of who manages it.
- Analyse the threat intelligence assessments provided for every domain and sub-domain in your infrastructure, or view your risk exposure aggregated by the six threat categories in our methodology: Breach, Configuration, Mail, DNS, HTTP, SSL/TLS.
- Mitigate risks according to clear priorities set out in Orbit Security’s assessments, improve your security posture, monitor your third parties and report with confidence to your board.
Reporting is essential to any IT security team, and speaking senior management’s language is crucial. We help by providing off-the-shelf reports:
Management reporting
Our cyber security ratings present complex information in a way that’s easy for both stakeholders outside your team and senior management to understand, allowing you to communicate clearly and effectively what your security pain points are and what resources you need to address them.
Vendor risk reporting
You will be instantly notified if one of your third parties has its security rating downgraded. Thomas Murray will engage with them at your request to provide free and full access to their own threat intelligence assessment, improving the security of your entire ecosystem.