Introduction. COVID-19 has significantly impacted all industries and the everyday lives of people throughout the world. The financial institutions industry is no exception, especially in the area of information security. There has been a substantial increase in cyberattacks — successful and unsuccessful — over the past several months.
Statistics. There was an upward trend in certain cyberattacks prior to COVID-19, specifically in the area of ransomware. However, there has been a significant increase in activity during the first five months of 2020. According to the VMware Carbon Black third annual “Modern Bank Heists” report, there has been a significant increase in several areas, including ransomware, wire transfer fraud, island hopping, destructive attacks and various other items. The information was obtained from a survey of 25 leading financial institution CISOs. Some of the items noted from the report:
- From February to the end of April, attacks on the financial industry sector increased by 238%.
- During the same time, there has been a 900% increase in ransomware attacks.
- Sixty-four percent reported an increase in wire transfer fraud over the past 12 months, which represents a 17% increase over 2019.
- Thirty-three percent reported an increase in the use of island hopping. Island hopping is a term that originated during World War II related to the United States going from one island to the next on their way to Japan. In cyberattacks, if the main target has very tight security and a very good information security team to support the security infrastructure, the attacker looks to other relationships (a supply vendor, a software provider, etc.) for a security hole to exploit. The attacker then works their way to their primary target going from one relationship to the other until they reach their intended target.
- One-fourth reported they were targeted by destructive attacks over the past year.
In addition, per a Dell survey, RSA Security LLC reported that 45% of the workforce admitted to one of the following:
- Used a public Wi-Fi for business.
- Shared confidential data through personal email.
- Lost devices (laptops, phones, etc.) containing company information.
In the same survey, one in four indicated they engaged in risky behavior to get the job done.
These statistics illustrate the increase in attacks on all industries, including the financial institution industry. In addition, workforce/employee behavior can place the financial institution in a vulnerable situation.
Risks/Threats. As a result, there has been an increase in attempts to compromise financial institution systems. These risks/threats include many that have been experienced previously, such as:
- Phishing attacks
- Negligent and malicious insiders
- Zero-day attacks
- Software vulnerabilities
- Social engineering
The threats have increased in the COVID-19 environment because employees are working remotely, and the security at an employee’s home is not as robust as what is present at the financial institution.
Ransomware. As indicated previously, ransomware is on the rise at a very high rate (i.e., 900%). Ransomware has been discussed in detail over the past few years, but there have been some changes in the behavior of the fraudsters/bad actors. A summary of ransomware follows:
- Ransomware prevents users from accessing their systems and data/files. The first variant of ransomware occurred in the 1980s.
- The bad actor demands payment to regain access to the victim’s systems and data/files.
- There have been three types of ransomware over
The first type of ransomware was scareware, which was more of a nuisance: the victim received popups that claimed malware was present and demanded payment to remove the popups. There were no real threats to the files.
The second type of ransomware was screen lockers that locked the victim’s screen and claimed that the victim conducted illegal activity. The bad actor typically claimed to be the FBI and wanted a payment to unlock the screen. The FBI does not operate in this manner, and as more of the victims realized that, the threat was reduced. The victims did not pay the ransom as they became more informed of the way the FBI operated.
The third type of ransomware is encrypting ransomware. This type of ransomware can be devastating to the victim. With encrypting ransomware, the victim’s files/data are encrypted by the fraudster/bad actor, preventing the victim’s financial institution from having access to their files. Of course, without access to their files, the financial institution encounters significant issues with providing timely customer service. The fraudster/bad actor demands payment, or ransom, for the decryption key to gain access to the files/data.
When ransomware was in the headlines a few years back, the amount of the ransom typically ranged from a few hundred dollars to a few thousand dollars. Things have changed significantly in the ransom demands. Ransom demands can reach six figures now, and in one case, $14 million was demanded from an IT company in Wisconsin that services 110 companies that, in turn, have 2,400 nursing homes. The fraudsters/bad actors can identify their victims and then assess what the victim’s data is worth to them. Another change in the behavior of the fraudsters/bad actors is their willingness to implement destructive behavior. In the past, if your financial institution had good controls to combat the attack, they would typically move on to another target and possibly attempt to compromise the financial institution another day. Today, they are willing to engage in destructive behavior by destroying data files, downloading and publishing sensitive and confidential information, etc.
Should you pay the ransom? The FBI recommends not paying ransoms, as there is no guarantee that the decryption key will be provided. Also, the ransom money could be used to fund terrorist activity, fund nation-state activities (e.g., North Korea), fund cybercriminals, etc.
Controls. The best way to combat cyber events is through the implementation of sound controls. Most of these are back-to-basics controls such as a regular and ongoing patch management program, a next-generation anti-virus solution, next-generation firewall solutions, engaging security testers to conduct penetration testing and vulnerability assessments, ongoing employee training/education, etc. In the area of ransomware, a good backup solution that includes an offline backup component is a strong way to reduce the impact. In the case of the IT vendor supporting multiple nursing homes, the company had a good backup solution, so they did not pay the ransom (the CEO/Owner also indicated they could not afford to pay the ransom). The IT vendor did encounter significant issues, as their clients could not access their data for treatment plans, billings, etc. until the systems were brought back online. In addition, there was evidence that the cybercriminal was on their system for 14 months prior to executing the attack, leaving doubt as to how much information the cybercriminal was able to obtain.
Conclusion. COVID-19 has permanently changed the way financial institutions work, operate and serve their customers. With the changes come increased and new risks/threats. Staying proactive with information security and cybersecurity programs is increasingly important and should be part of the financial institution’s daily operations.
Chris Joseph is a partner of Arnett Carbis Toothman LLP, located in the Charleston, West Virginia office. A certified public accountant, certified information system auditor, certified in risk and information systems control and certified information technology professional, Mr. Joseph has over 35 years of experience in information technology audit and security services in the financial institutions industry. Mr. Joseph can be contacted at 800-642-3601 or through email: firstname.lastname@example.org.