In the medieval times, vigilance meant posting guards at gates and lookouts on watchtowers — perpetually looking for armies on the march. Today it means setting up
virtual security gates and digital monitoring systems that raise the alarm when an
attack is under way.
There are two primary categories of cybersecurity threat that community financial
institutions must contend with in 2020: attacker-to-business (A2B) and attacker-to
consumer (A2C). In each case, attackers seek vulnerabilities, either structural or
psychological.
The global pandemic has put the world into a state of fear, anxiety, and uncertainty. This translates into “mental degradation” that creates new opportunities. People are
responding to suspicious communication that targets their worries and fears — which have only increased since March.
Here are the top five security threats that we have been advising institutions on in 2020, and what you can do to protect your institution:
1. Insider threat
This could be attributed to disgruntled employees or careless employees. Remember the old adage of “trust but verify.” It’s important to create systems that reinforce the behaviors that you want and discourage the ones you don’t want.
What you can do: Encourage your employees to see themselves as key contributors to the safety of your institution and the security of your account holders.
2. Ransomware
Cheap toolkits that are highly effective at holding data hostage. Employees and companies are stuck between a rock and a hard place. If they do not pay the ransom, the data is forever lost and encrypted (and only the hacker has the decryption key). If they do pay the ransom, it conveys to the hacker that they should become a repeat target because if they paid once, they will likely pay again.
What you can do: Smart data redundancy is a straightforward way to protect yourself against this type of attack.
3. Internet of Things (IoT)
No one spends time upgrading the firmware/software on their new “smart” refrigerators, washer/dryer, and microwaves. These devices get compromised and enlisted in botnet armies that can wreak havoc in large-scale (Distributed Denial of Service) DDoS attacks.
What you can do: Work with your technology vendors to put contingency plans in place to deal with these attacks when they happen.
4. Public cloud computing
Players such as Amazon Web Services (AWS) have been around since 2006, and have come a long way in terms of maturity. As on-premise compute workloads continue their cloud migration journeys, attackers’ due diligence will surely amplify to keep pace. Anytime that large amounts of money get spent managing or storing data you can expect that attackers will spend energy trying to compromise the system and monetize the data.
What you can do: While cloud computing may feel unfamiliar and extremely high risk, the providers (such as Amazon, Microsoft, Google, etc.) are spending many millions of dollars building cutting-edge security into the systems. Your best bet is to ask hard questions and insist on non-dismissive answers about the technology and the security. Due diligence is the name of the game, not isolation or self-sufficiency.
5. Human trickery
Phishing and social engineering attacks have been around for a quarter century with nefarious actors posing in chatrooms to solicit credit card numbers Over the years, popular phishing attacks were the “Nigerian Prince” or “419 scams; others looked like winning lottery tickets or employment job offers. These days, during the COVID-19 pandemic, attackers continue preying on people’s mental and emotional vulnerabilities in the form of fake loans and free money.
What you can do: Help protect your account holders by educating them on the different forms that this attack can take and providing rapid support for individuals who may have fallen victim to a phishing attack, including employees and account holders alike.
Although attackers are constantly seeking new high-value targets to exploit, you can do a lot to protect yourself by implementing security best practices and continually educating your team on the latest threats.