There’s a simple but powerful dynamic driving cyber risk for most financial services organizations today. The more they invest in digital infrastructure and tooling to drive sustainable growth, the more they may expose themselves to attack.
We know these firms play a unique role in society, which makes them an attractive target for ransomware. As providers of critical national infrastructure (CNI) and keepers of highly regulated personal and financial information, they face tremendous pressure to ensure any service disruptions are avoided or kept to an absolute minimum.
Financial institutions around the globe have been finding out the hard way that the sector is increasingly in the crosshairs of a growing volume of cyber activity. But how high are awareness levels? And is this translating into a stronger security posture?
To find out more, Trend Micro commissioned Sapio Research to poll financial services IT and business leaders from Canada and across the globe.
In the crosshairs
Nearly three-quarters (72%) of global financial services firms have been compromised by ransomware at least once over the past three years, according to our research. Most (92%) also had operations impacted by the compromise, which took days (53%) or weeks (21%) to fully resolve. Some 79% of respondents argue financial services is a more popular target than other verticals, much higher than the 67% average across sectors. Moreover, the majority (87%) think they’re a target going forward, more than any other sector.
In Canada, among organizations that have been hit by ransomware in the past three years, 77% had their data encrypted by the attack. In addition, 60% had their data leaked after it was stolen by the attackers.
The research also found that just over half (52%) of those organizations hit by ransomware contact their customers and/or partners about the data breach.
A false sense of security
While most Canadian organizations (96%) regularly apply security patches to externally exposed servers and VPN equipment and half (50%) use EDR (endpoint detection and response) to monitor potential attacks, three-quarters (72%) of organizations feel they could be the target of ransomware attacks.
However, across the globe, the majority of financial services leaders (75%) believe their organization is already adequately protected. That’s the most of any vertical polled for this study and significantly higher than the average (63%) across sectors.
Is this confidence justified? In some respects, yes. Financial services respondents seem to be following best practices to mitigate risk across the main threat vectors for ransomware: phishing, vulnerability exploitation and remote desktop protocol (RDP) compromise. To that end, most say they regularly patch externally facing servers, have controls in place restricting email attachments and protect RDP endpoints.
However, in other respects, security strategy is still lacking. Whilst high, use of network and endpoint detection and response (NDR/EDR) and extended detection and response (XDR) tooling is certainly not ubiquitous. Under half of respondents don’t use XDR, don’t have NDR in place and haven’t deployed EDR. That’s a major oversight in a world in which threat actors are increasingly capable of breaching perimeter defenses or outsourcing the work completely to initial access brokers (IABs).
The number of respondents capable of detecting data exfiltration, initial access and lateral movement is also disappointingly low.
Tackling supply chain risk
Over one third (38%) of Canadian organizations have had an organization in their supply chain fall victim to ransomware; of those, 54% were business partners.
Financial services firms are no exception. They have also been exposed by their third-party business relationships. Over half say a supplier has been compromised by ransomware in the past, most of which were partners and subsidiaries. A similar number also say their customers and suppliers make them a more attractive target. The risk of threat actors “island hopping” from these third parties into financial service providers’ networks is real.
An additional concern is that most respondents have a “significant” number of suppliers that are SMBs, which may have fewer resources to spend on cybersecurity. Financial services firms could improve the security posture of the entire ecosystem by sharing more threat intelligence with these parties, but many don’t do so with partners or suppliers.
It’s clear that financial services organizations are on the right track to improving resilience against ransomware. But many lack the critical detection and response capabilities that sound the alarm about suspicious behaviour inside the network. With such tools in place, organizations would be able to get ahead of cyber criminals and contain risk before it spreads. Even better, they’d also have the intelligence to share with and improve the security of the entire supply chain.
Antoine Saikaley is Technical Director at Trend Micro Canada.