The top security threats to financial services in 2018


What are the top security threats to financial services in 2018?

If you are a small to medium business (SMB), how is cyber security relevant to you? Because only the big companies like Sony and Equifax get hacked, right? RIGHT?!


The truth is, cyber criminals are turning their focus to small businesses, because they are soft and sweet – the low-hanging fruit, so to speak. There may be fewer targeted attacks against SMBs, but campaign after campaign targets the masses, reaping huge profits for cyber criminals through ransomware attacks, phishing attacks and others. SMBs often lack the awareness and protection that the big guys consider basic hygiene, and this is exactly what hackers are counting on.

Here we list and explain the top 5 security threats for small to medium businesses this year.


Pay us $1,000 to get your files back (maybe)

Ransomware is a type of malicious software (often dubbed malware) that infiltrates a victim’s computer, denies access to the victim’s data on the computer and then demands money to restore the access. Most ransomware does so by encrypting the victim’s files, but some new breeds can upload files (such as photos) to the attacker’s server and demand money for the release.

Ransomware typically looks for files such as office documents, images and backups. It then encrypts the files and alerts the user, demanding money and setting a deadline for payment. There is no way to decrypt (restore) the files without the decryption key held by the attacker, meaning the data will be rendered useless. Unfortunately, the victim may not always receive the decryption key even if they make the payment in time. In some cases, the decryption simply doesn’t work and even the attacker does not know how to decrypt the files.

How Ransomware is spread

Ransomware is typically spread via email attachments, but sometimes it arrives through website downloads or is installed by an attacker who has manually penetrated the network. Ransomware attacks require very little skill to execute, but are highly efficient and successful in the eyes of criminals. So much so that it has evolved into an underground industry where ransomware platforms are for hire.

How to protect your business

  • Ensure you have a data backup plan and stick to it. Test your backup regularly, at least once every 3 months to ensure you can restore the data. Don’t pretend to do it, don’t leave it for later – just do it.
  • Install up-to-date anti-virus software.
  • Keep your software, operating systems, firewall, routers and other systems up to date.
  • Educate users about opening suspicious emails and attachments.

Malicious emails

“Please click on the attachment for the latest market research report!”

Malicious emails continue to be a pain and trap for many users in 2017. These emails are easy to create as part of a campaign, and there is always someone who is in a hurry or just ‘didn’t think twice’ about clicking on that link. There are typically 2 types of malicious emails that affect small and medium businesses.

Malicious attachments

These are emails pretending to be a utility bill, a traffic infringement notice, or some funny pictures that entice a user to open the file attachment. The attachments are almost always malware that will then run on the computer. The malware can then steal and take control of your financial information, logins to bank websites, or anything you have on your computer. Often ransomware is delivered in this manner. This allows ransomware to control your computer to become part of a larger botnet – a group of “zombie” computers that participate in large scale attacks.

Phishing email

These emails pretend to be from your IT administrator or your bank websites – perhaps asking you to reset your password in the hopes that you will click on the link provided and enter your login credentials or personal details on the malicious website.

A more severe form of phishing email is called “spear phishing”, which targets single individuals or a group/sector. For example, financial advisers will be far more likely to open an email that claims to provide the latest market research report from what appears to be a reputable source than a random email with little relevance to their industry. These types of industry-specific phishing emails have proven to be effective in attacking small and medium businesses and, as such, are one of the particular cyber attacks that are on the rise.

How to protect your business

  • User education comes out on top here. There is no substitute for teaching yourself and your staff how to spot a suspicious email, because even defences like anti-virus software or email spam filters can’t catch all malicious emails.
  • There should be some mechanism of email filtering on your network. Depending on the functionality, these mechanisms can range from filtering the most common spam and phishing emails to keeping up to date with the latest phishing email campaigns.

Internet of things

Attacker: Siri, can you unlock the door for me?

Our everyday lives have become more and more reliant and centred on digital technology and our appliances (PCs, phones) are increasingly getting “smarter”. Many small businesses have invested in technologies such as IP cameras, smart TVs, smart locks, smart vacuum cleaners, mobile credit card readers, etc. These have brought convenience and, in some cases, added security to the office, but if not managed properly, could be the one thing that gives the bad guys a point of entry.

Many such devices, collectively called the Internet of Things (IoT), are in essence computers in disguise. IoT devices function just like your Windows or iOS operating system, but with a caveat: they often don’t get the security attention from their vendors that their big brothers do. Tech giants like Microsoft and Apple are well versed in security and understand the security implications, so they regularly push out updates to the operating systems. Not so much for IoT devices. The vendors are not as well resourced, and not as concerned about your security. Even if the device is initially supported and receives updates, chances are that in two years the vendor will have moved on, leaving the device vulnerable to the latest security exploits.

To make matters worse, many of these devices have Internet connections, meaning that an attacker can reach and attack them from anywhere in the world. It’s not hard to find a security camera streaming live footage of someone’s home or office on the Internet, all because the vendor left a backdoor (that is now publicly known) or the owner left a default password in place. Owners can also be subject to ransomware or be coerced into participating in the next denial-of-service attack.

How to protect your business

  • Consider the security implications when you decide to purchase a new “smart” device. Do you trust the vendor to continue to update and support the device? What are the risks if you install it? Do you have plans to mitigate these risks?
  • Change default passwords on all IoT devices you have installed. They are too easy to guess and often publicly advertised (e.g. in the manual, and a search on the Internet will reveal them).
  • Update the device as soon as you have installed it. This ensures your device is secure against the latest security vulnerabilities.
  • If possible, put the IoT devices on a separate network (e.g. guest wi-fi) so your most critical assets (such as file storage and servers) are not on the same network. This reduces the risk of everything getting compromised due to a mere vulnerability on the IoT device.

Password hygiene

Human brains are not very good at creating and remembering unique, complex passwords that change regularly.

Passwords remain a popular choice for many applications and systems to verify who you say you are. However, they are notoriously easy to steal or guess. The core of the problem for most people is twofold – password reuse and difficulty remembering them.

The nature of passwords, and what makes them secure, is that they need to be unique and difficult to guess. This means for a very long time, the majority of websites and applications have been asking users to select a password that is complex and long (containing mixed case, numbers and symbols). In enterprises, it is also common for users to be forced to regularly change their password every month or so. Human brains are not very good at creating and remembering unique, complex passwords that change regularly. This means we create passwords with patterns that are easy to remember, and thus, easy for hackers to crack. Some great examples over the years are 12345678 and Welcome123!

We are also very likely to reuse those passwords across different websites and systems because there are a plethora of systems asking for them. The passwords are stored on the website, together with the usernames, often as email addresses. The bad guys know about all of this, and they often break into websites and systems to steal the login credentials. There are now millions of passwords that have been stolen over the years.

To guess someone’s login, the bad guys can either try with the stolen login credentials, or common passwords that many people use.

How to protect your business

  • Develop and follow a proper password policy in your organisation.
  • Use a password manager for storing passwords (don’t know what this is? Try LastPass).
  • Use separate accounts and passwords for each system and website.
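The point made above about patterned passwords, as an added example (not part of the original article): a check a password policy could apply at password-change time, showing that Welcome123! satisfies the classic complexity rule and is still caught by a common-password screen. The blocklist, the substitution table and the sample passwords are constructed for illustration.

```python
import re

# Constructed sample blocklist; a real policy would load a large list of
# breached and commonly used passwords instead.
COMMON_PASSWORDS = {"12345678", "password", "welcome", "qwerty", "letmein"}

# Undo common character substitutions: @->a, 0->o, 1->i, 3->e, 4->a, $->s, 5->s
LEET = str.maketrans("@0134$5", "aoieass")

def meets_complexity(pw):
    """Classic rule: 8+ characters with lower case, upper case, digit, symbol."""
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)

def weakness(pw):
    """Return why pw is easy to guess, or None if no check here flags it."""
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        return "common password"
    # Strip leading/trailing digits and symbols (the usual "123!" padding),
    # then reverse substitutions to recover the underlying word.
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered).translate(LEET)
    if base in COMMON_PASSWORDS:
        return "common word '%s' plus predictable padding" % base
    return None

def audit(candidates):
    """Map each password to (passes complexity rule, weakness or None)."""
    return {pw: (meets_complexity(pw), weakness(pw)) for pw in candidates}

# Constructed samples; the first two are the examples quoted in the article.
SAMPLES = ["12345678", "Welcome123!", "P@ssw0rd2018", "maple-teapot-orbit-lantern"]

if __name__ == "__main__":
    for pw, (complex_ok, reason) in audit(SAMPLES).items():
        print(f"{pw!r}: complexity={complex_ok}, weakness={reason}")
```

The complexity rule and the guessability check disagree on three of the four samples, which is why a policy should screen new passwords against known-common values rather than rely on character classes alone.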

Software vulnerabilities

Not implementing security updates is like having a broken lock on your door.

There was once a saying that for every line of code written, there is a bug. That may not be entirely true, but it shows how extensive software bugs are in just about everything digital. Software vulnerabilities are just that: they are bugs. New vulnerabilities are being discovered at an alarming rate, and often just one of these is enough to let an attacker take control of your entire network, and perhaps your digital life as well. What’s more, you probably won’t know a thing while they are exploiting these vulnerabilities.

Most attackers rely heavily on known vulnerabilities, that is, vulnerabilities that have been publicised and well documented. Once a vulnerability is known, software vendors will (hopefully) rush to implement a fix. These fixes are the updates you get on a regular, and sometimes, ad-hoc basis. Thus it is extremely important that you install these updates as they become available, to block out the bad guys. Not implementing security updates is like having a broken lock on your door.

How to protect your business

  • Enable auto-update wherever possible on all IT assets.
  • Install updates as soon as you install a new system.

Things to keep your eye on in 2018

  • Ransomware is here to stay. There will be new variants, new techniques and ever larger campaigns developed by the cyber criminals.
  • Increased interest in cryptocurrency hacking. The surge in value of cryptocurrencies in 2017 has made them a very attractive target for easy financial gains. Because they are not regulated by a bank or government, it is also much easier for hackers to transfer and steal them.
  • Identity theft. Given the recent major breaches of personally identifiable information, we expect that there will be an increase in identity theft. Australia is not affected as badly as the US and UK, but with the incoming breach notification laws, we may see more in the news about breaches that were not reported.
  • Speaking of which, the new breach notification law will become very relevant to Australian businesses, as it applies to every business that handles clients’ TFNs. This will be a good time to take a good look at your security posture.
