In mid-2015, executives at a bank in Russia awoke one morning to discover that the institution had lost millions of rubles overnight through a series of unauthorised withdrawals made through the automated teller machines of other banks.
Earlier in the year, the Russian ruble experienced a volatile 14-minute long swing in the exchange rate that resulted in one financial institution’s reported loss of $3.2 million due to trades.1
Another well-coordinated attack in 2013 resulted in a loss of $45 million taken from ATM locations around the world when hackers eliminated the cash-withdrawal limits for 12 debit card accounts.2
Such attacks are not limited to Russian banks; hackers and other cyber criminals are threatening the security of financial institutions around the world. The rise in advanced persistent threats puts a spotlight on the vulnerability of the IT systems at many financial institutions, and intensifies the need to implement more robust security procedures to protect institutional assets.
A comprehensive assessment of an institution’s cybersecurity environment would have gone a long way towards establishing appropriate technology governance and protecting the assets of those Russian banks.
Targeting the weakest link
The most common and effective form of cyberattack is social engineering: contacting personnel by email or phone and duping them into disclosing credentials or other confidential information that is subsequently used to gain access to systems and data. Alternatively, an employee opens an email attachment or link that unwittingly installs customised, often quite sophisticated malware, the software attackers use to infiltrate IT systems.
Financial institutions are clearly not immune to such attacks, and both the opportunities for and the attempts at unauthorised access have increased. Perimeter mechanisms such as firewalls are no longer enough on their own to protect an institution from modern threats. Even in cases where the attackers must be physically present at an ATM to complete the fraudulent withdrawals, outdated banking processes and systems are commonly the weak link that is exploited.
Implement a risk-based approach
Most banks would claim they have a rich risk-assessment process, and to an extent this may be true. But the focus is often primarily on business risk rather than cybersecurity, and therein lies the issue. As a result, areas of weakness such as the interconnection to ATM networks may be overlooked. In addition, most banks have limited personnel and budget dedicated to IT security, so, despite being attacked virtually every day, they cannot react to every alert. Moreover, a bank's internal enterprise risk management group may not be familiar with current threats or trained to respond to advanced attacks.
IT investment is based in part on whether or not the institution has been compromised in the past; if management thinks a breach won't happen, it probably won't invest heavily in cybersecurity. Larger banks may have the resources to absorb the costs of a cyberattack, but that is not true for all financial institutions.
There are a number of steps that financial institutions can take in order to mitigate IT security risks:
- User awareness training: One of the most effective actions any organisation can take to reduce the risk of successful attacks is user education. Strong end-user awareness and education processes are critical to minimising the risk that social engineering poses. Training will differ depending on the roles and responsibilities of the users, but an educated workforce is a strong defence against attack.
- Review and apply controls using a risk-based approach: To be truly effective, a risk assessment must get down into the weeds, covering specific systems, interfaces and processes rather than only high-level business risk. A robust compliance programme will evaluate, and periodically re-evaluate, threats across the entire banking system, including interconnections such as ATM and payment networks.
- Identify weaknesses: If the bank doesn't examine the weaknesses in its systems, the hackers will. There is a reason the attackers used ATMs owned by one bank to steal money from another institution: they knew that most systems would give them a few hours' lead time before the withdrawals were reported back to the issuing bank. Understanding this weakness and implementing mitigating controls, such as near-real-time alerts on unusual withdrawal activity, could at least have minimised the damage inflicted by such an attack.
- Add controls: Management must develop and implement preventive controls designed to keep incidents from occurring and to deter unauthorised access. That said, it should also be assumed that these controls will eventually fail. Detective controls therefore monitor for and alert on malicious or unauthorised activity, including activity by employees, whether undertaken knowingly or not. Corrective controls then help limit the scope of an incident and contain unauthorised activity.
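The detective control described in the last two items, as an added example that is not from the original article: a small Python check an issuing bank could run over the stream of off-us ATM authorisation events (withdrawals at other banks' ATMs) as they arrive, rather than waiting for the settlement report hours later. It flags three patterns matching the attacks described above: a burst of withdrawals on one card, one card used at several acquiring banks within a short window, and a card's daily total exceeding the limit the issuer intended, re-checked here independently of whatever limit the authorisation system currently holds (the 2013 attack worked by removing that limit). The event format, threshold values and sample events are constructed assumptions for illustration, not any bank's real data or policy.

```python
"""Near-real-time checks over off-us ATM withdrawal events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumption, not real transaction data).
# Each tuple is (timestamp, card_id, acquiring_bank, amount).
# card-A shows the attack pattern: rapid withdrawals across several other
# banks' ATMs, far past the intended daily limit. card-B is normal use.
SAMPLE_EVENTS = [
    (datetime(2015, 6, 12, 1, 0), "card-A", "BankX", 15000),
    (datetime(2015, 6, 12, 1, 4), "card-A", "BankY", 15000),
    (datetime(2015, 6, 12, 1, 9), "card-A", "BankX", 15000),
    (datetime(2015, 6, 12, 1, 13), "card-A", "BankZ", 15000),
    (datetime(2015, 6, 12, 1, 20), "card-A", "BankY", 15000),
    (datetime(2015, 6, 12, 1, 25), "card-A", "BankX", 15000),
    (datetime(2015, 6, 12, 9, 30), "card-B", "BankX", 5000),
    (datetime(2015, 6, 12, 18, 45), "card-B", "BankY", 8000),
]

# Assumed policy values for illustration. The daily limit is kept here, in
# the detective control, so that it still applies even if the limit stored
# in the authorisation system has been tampered with or removed.
DEFAULT_DAILY_LIMIT = 40000


def detect_suspicious_withdrawals(events, window=timedelta(minutes=30),
                                  max_count=4, max_acquirers=2,
                                  daily_limit=DEFAULT_DAILY_LIMIT):
    """Return alerts as (card_id, rule, timestamp) tuples.

    Rules, each raised at most once per card per day to limit noise:
      velocity       more than max_count withdrawals inside the window
      multi_acquirer more than max_acquirers distinct other banks' ATMs
                     used inside the window
      daily_limit    cumulative amount for the day exceeds daily_limit
    """
    recent = defaultdict(deque)      # card_id -> deque of (ts, acquirer)
    daily_total = defaultdict(float)  # (card_id, date) -> amount so far
    fired = set()                     # (card_id, rule, date) already alerted
    alerts = []

    def raise_alert(card, rule, ts):
        key = (card, rule, ts.date())
        if key not in fired:
            fired.add(key)
            alerts.append((card, rule, ts))

    # Process in time order so sliding windows are well defined.
    for ts, card, acquirer, amount in sorted(events):
        q = recent[card]
        q.append((ts, acquirer))
        # Drop entries that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()

        if len(q) > max_count:
            raise_alert(card, "velocity", ts)
        if len({acq for _, acq in q}) > max_acquirers:
            raise_alert(card, "multi_acquirer", ts)

        day_key = (card, ts.date())
        daily_total[day_key] += amount
        if daily_total[day_key] > daily_limit:
            raise_alert(card, "daily_limit", ts)

    return alerts


if __name__ == "__main__":
    for card, rule, ts in detect_suspicious_withdrawals(SAMPLE_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M} {card} {rule}")
```

Run against the sample, card-A trips the daily limit on its third withdrawal at 01:09, the multi-acquirer rule at 01:13 and the velocity rule at 01:20, all within the first half hour, while card-B raises nothing. In production the same logic would consume the live authorisation feed and the alert would go to a fraud desk that can block the card, which is the "few hours' lead time" the attackers were counting on.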
With so much at stake—potential financial losses, compromised brand reputations, access to operational capital and possible regulatory violations—taking action is a business imperative.
1 Rudnitsky, J. “Russian Hackers Moved Ruble Rate With Malware, Group-IB Says” (2/8/2016) Bloomberg Business
2 Cluckey, S. “ATM Networks at risk of cyber attack, FFIEC warn