Protecting your customers: Mitigating cyber-threats in the financial sector

By Thorsten Stremlau, Co-Chair of the TCG Marketing Workgroup

Ransomware attacks on the financial sector continue to grow. In 2021, more than half (55%) of organizations within the industry were victims of at least one ransomware attack. For banks and other financial institutions, a cyber-attack is a question of when, not if. Therefore, the need for up-to-date, appropriate security systems to ensure the protection of customers and their data has never been greater. With the number of people using internet banking services estimated to reach 2.5 billion by 2024, financial institutions must also be able to trust the standards and technologies found within the general ecosystem to protect their customers’ personal devices.

Threats against online banking

Since the COVID-19 pandemic rocked the world over two years ago, banking has digitalized rapidly. Whilst online banking services were already playing a major part in people’s daily lives, the last 24 months have seen a big shift in customer behaviour towards digital experiences across many sectors, including financial services. There has been a 72% rise in the use of fintech apps in Europe, and up to 80% of people now prefer online banking rather than visiting their bank.

The continual adoption of online banking comes as no surprise. The speed and convenience it offers allow users to access their accounts, view their statements, make transactions, and pay bills both in the home and on the go. However, this creates distinct challenges when it comes to cybersecurity.

Cyber-attacks against personal devices continue to grow in number and complexity. Hackers often deploy Trojans – malicious code or software that takes on the appearance of a legitimate application – to take control of a user’s device. Once the malware is installed, hackers can then steal money from bank accounts linked to the device as well as other sensitive data. As more and more users access banking systems through their personal mobiles and laptops, banks and other financial institutions are becoming increasingly reliant on organizations such as the Trusted Computing Group (TCG) to develop standards and specifications that ensure the safety of devices, as well as the overall supply chain.

Securing the supply chain

Attacks on the supply chain also occur when a victim is breached through a compromised third-party vendor in the network. The attacker can then use the third-party vendor to circumvent security controls by creating avenues to sensitive resources. This is possible as vendors often do not take cybersecurity as seriously as their clients. In order to successfully mitigate any vulnerabilities, each phase of a product’s lifecycle – whether it’s the design, manufacturing, transport, utilization or decommission stage – needs to be reviewed to recognize any significant risks.

Unfortunately, this is not easily achieved, with no single entity having end-to-end control of the modern supply chain. It is therefore crucial that all organizations work together to ensure that security standards for the industry are correctly defined and implemented, and that they adhere to security guidance measures. Banks may already have strong cybersecurity measures in place; however, these become effectively useless if the vendor’s measures are not up to the same standard. Regular third-party risk assessments – especially when there are changes to a bank’s digital infrastructure – ensure that the vendor’s cybersecurity is aligned with the bank’s.

Staying up-to-date with education and technology

Employees and customers are also among the biggest risks for exposing an organization or supply chain to a potential attack. In September 2022, 50,000 users of the Revolut financial app within the United Kingdom had their data exposed, leaving them at a greater risk of identity theft and fraud. Social engineering was identified as the main cause of the breach, meaning the initial cause was likely an employee sharing login details in response to a phishing scam.

As employees continue working from home and access banking systems online, it is vital that systems are secure against threats and have the ability to recover from a potential attack. To ensure this, financial institutions should insist that their employees and customers leverage devices with Cyber Resilient Technology (CyRes) built in, which establishes a new layer of protection against these threats. Doing so enables users and vendors to develop a solid foundation built on cyber resilience, protecting both the customer’s assets and the reputation of the financial institutions they rely on. The CyRes specification allows for the detection of malware and the recovery of a device if it has become compromised. This makes cyber resilience accessible to the average user and provides assurance to financial organizations that their systems are protected.

A Cyber Resilient Module (CRM) also provides further protection and recovery for connected devices. The module can be integrated into different architecture components of devices in order to provide protection, detection and recovery solutions. The CRM can be implemented as part of a system on a chip within the main hardware of a device. This can recover successive software layers and components found within a device, with the servicing of code and configuration potentially required for multiple layers sequentially. Banks would therefore feel safe in the knowledge that the servers they rely on would be able to recover after a successful attack.

But to avoid an attack completely, employees must still be educated against phishing emails and other threats to their digital infrastructure in order to build operational resilience for financial institutions.

A secure ecosystem

Unlike most enterprises, banks are unique in that they must rely on the security of their customers’ devices when they access banking systems. They must feel assured that the overall security ecosystem is secure in order to prevent or mitigate the damage caused by cyber-attacks within the industry. Stringent security measures and software must be made readily available and common within devices in order to ensure banks are adequately covered against threats. Specifications like CyRes are essential in the ongoing fight against malicious activity, not only for individual devices but for the technology supply chain as a whole.
