Last Updated on 8 December 2021 by Alastair Digby
2020 promises to be an interesting time for cyber security in financial services, not least because of Brexit and the US election. Find out why financial services need penetration testing now more than ever before.
What financial services have been doing
Data security and privacy are very much top of the financial services agenda. Due to rigorous legislation, such as GDPR General Data Protection Regulation but also customer security and brand confidence.
Organizations throughout the financial sector, and beyond, are acutely aware of the damage a cyber-attack can do to their brand and reputation. They are coupled with the adverse effects for customers and employees.
All of which make cybersecurity and data protection crucial to your business.
- 2019 had one massive positive. Organizations of all shapes and sizes across all sectors recognize the vital role cybersecurity plays in their business
- The Financial Institutions Sentiment Survey 2019 a report from Lloyds Bank Commercial Banking surveyed over 100 senior financial services decision-makers to explore the key themes shaping their sector. It found that cybersecurity had moved to the top of the tech agenda and with greater prominence | lloydsbankinggroup.com
- 46% of senior decision-makers said cybersecurity was one of their firm’s top three technology investment strategies. Customer satisfaction came first 49% followed by operating costs 48% | lloydsbankinggroup.com
- Firms are arguably more dependent than ever on technology. With rapid advancement, the risks from cybercrime are increasing, placing extra pressure on financial institutions to change the way they operate | Robina Barker Bennett, MD, head of financial institutions, Lloyds Bank Commercial Banking
- 70% of executives prioritize cybersecurity as an area for tech investment | lloydsbankinggroup.com
- To protect against credential theft and to address regulatory compliance, enterprises are increasingly adopting multi-factor authentication MFA and biometrics using mobile devices | lookout.com
- Cyberattackers can grab up to, on average, seven years worth of personal info | pwc.com
- Because of its impact on systems, business interruption from cyberattacks is the scenario companies worry about most | pwc.com
- Manual security management is no longer feasible for large web app infrastructures, which is forcing financial service organizations to rethink their web app security strategy
- An effective cybersecurity strategy and cyber incident response plan is a necessity, not a luxury
Cyber attacks and vulnerabilities
- The #1 threat in financial services data breaches were website applications | Verizon
- The threat landscape is far more multifaceted than even five years ago, and organizations have often struggled to keep up. 44% of business leaders say they haven’t planned radically enough in the face of rapid technological and business changes. | Ian Bradbury, CTO, financial services, Fujitsu UK
- All apps from 30 major banking applications had at least one known security risk identified. 25% of them included at least one high-risk security flaw. Vulnerabilities included insecure data storage, insecure authentication, and code tampering | accenture.com
- The financial sector is the most vulnerable to attack of all the industries tested. With web apps the most vulnerable to attacks | zdnet.com
- Vulnerabilities in shared banking systems and third-party networks have been the cause of major banking cyberattacks. The Scottrade data breach exposing 20,000 records was down to a professional services vendor
- Bangladesh Bank lost $81 million to hackers who exploited a vulnerability in a shared banking system called SWIFT
- Hackers exploited a vulnerability in Westpac Banks’ third-party PayID system. Gaining access to the personal information of 98,000 customers | smh.com.au
- Lack of awareness in regards to third-party security could cost banks millions in 2020 and beyond. External vendors must be continuously monitored for cybersecurity vulnerabilities
- AI will be used to A/B test phishing lures and landing pages and improve their conversion rates. While new domains will be generated and registered by AI algorithms | lookout.com
- Direct attacks on infrastructure are becoming much more expensive, requiring more time and greater hacking skills. This could see a rise in social engineering attacks in 2020, with large amounts of money on offer to insiders | Kaspersky
- Cloud-based threats will grow. Organizations need to maintain control of critical data through real-time vulnerability management
- Employee mobile use continues to rise, as does the level of business data stored on them. The effect of mobile malware is low, but data breaches through mobile use and misuse is a concern
- Say goodbye to Microsoft support for Windows 7 on 14 January 2020. When a vulnerability is found, Microsoft will no longer patch or update the OS. History will repeat, with at least one major attack leveraging the vulnerability to affect companies around the world, similar to what we saw with the end of life of Windows | forescout.com
- Email is still an area to focus on | cisco.com
Penetration testing for financial services
- Penetration testing and red teaming serves as one of the foremost tools a financial institution can have within a robust security program | gfma.org
- A critical mass of connected devices will occur for organizations in 2020. Forcing them to reevaluate their security risk | forescout.com
- Pen testing allows finance organizations to evaluate their network and web apps. Which strengthens their infrastructure and organization against cyber threats | gfma.org
- Every device used to access company systems is yet another endpoint to secure. One way to reduce risk is to provide access via a secure web app infrastructure with real-time vulnerability management
- Effective protection requires not just suitable cybersecurity training for employees and business partners, but also in-depth security and vulnerability management to prevent attackers from obtaining sensitive data in phishing attempts | netsparker.com
- The bridge between finding unknown threats and acting upon the right ones lies in an effective security posture. Aka vulnerability management | cisco.com
- One thing remains certain in 2020: cybersecurity is not just about tech. Human x machine intelligence will address the growing threats from around the world
- Pen testing and day-to-day security should be complemented with effective vulnerability management. Sprawling web apps and services are increasingly hard to secure. Automated solutions are a necessity to reduce the workload on understaffed teams
- As software development increases, vulnerability management becomes more critical. The attack surface has grown from local code to pipeline code. We’re seeing organizations start to build security into each phase of the development pipeline, and expect to see more of this shift in 2020 | Suzanne Ciccone, Veracode
- Security teams have to deal with more threats than ever before, but the demand for cybersecurity professionals continues to exceed the worldwide supply
Financial services regulations
If were honest, the main reasons for a lot of financial services to undertake pen tests were because regulation forced them to. Regulation still requires testing, but this is no longer the only driving factor.
Brand reputation, data security, and customer care are now the main reasons for pen tests to happen.
However, here are some regulation facts and a wee reminder of what regulation you need to comply with:
- Payment Card Industry Data Security Standard PCI DSS requires:
- The use of strong passwords, and the regular updating of all passwords used within your organization
- Ensuring adequate cryptographic initialization and service on all ATMs
- Scanning of e-commerce environments by using an Authorized Scan Vendor ASV
- Effective daily log monitoring
- The creation of instructional materials for the implementation and use of mobile payment systems
- General Data Protection Regulation GDPR asks for:
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Penetration testing is an accepted and trusted component of the financial services industry’s armory against today’s unrelenting threats
- NIS Directive isn’t exclusive to the finance sector. However, it does relate to relevant digital service providers’ RDSPs. There’s an implied need to introduce controls to reduce risk and increase resilience | itlab.com
- MiFID II took effect in January 2018. Just one month before, up to 33% of UK firms were not readyâ€¦ This was despite severe penalties of up to 5 million euros or 10% of annual turnover for non-compliance | internationalinvestment.net
- MiFID II requires compliance steps to be taken by companies involved in trading, covering everything from voice recording to the collection of trade data. It’s this area of data collection that poses the greatest challenge from a cybersecurity perspective | barriernetworks.co.uk
- MiFID II also requires firms to undertake annual penetration tests and vulnerability scans. This is to safeguard against cyberattacks, restrict access to systems and ensure traceability at all times | dlapiper.com
- The European Commissions supplementing Directive PDF makes several references to the risk and effective IT security management | europa.eu
- Payments Service Directive PSD recommends payment services providers establish and implement a testing framework that validates the robustness and effectiveness of security measures and ensures that the testing framework is adapted to consider new threats and vulnerabilities, identified through risk-monitoring activities. | europa.eu
- Separately, the finance Industry recently published a set of principles to harmonize the growing regulatory demand for penetration testing and red-teaming:
- Provide regulators the ability to guide penetration testing and red teaming to meet supervisory objectives through the use of scenarios based on current risks that drive scheduling and scoping of testing activities
- Provide regulators with a high degree of confidence that testing is conducted by trained, certified, and qualified personnel with sophisticated tools that can accurately emulate adversaries, as required
- Provide regulators transparency into the testing process and results for both regulator-driven and firm-driven testing as well as assurance that firm governance identifies and properly addresses weaknesses
- Ensure testing activities are conducted in a manner that minimizes operational risks and ensures data security by including strict protocols for distributing test data and results | gfma.org
Take the next step to securing your network
Unfortunately, cyberattacks are nearly impossible to stop. But, the good news is there are some steps you can take today.
First and foremost, be proactive. Don’t think it can’t happen to you, it can.
- Identify the areas of your system that are vulnerable
- Put practices in place to effectively monitor your attack surface
- Implement a security-first approach throughout your organization