With a major transition in the American capital this month, the financial services industry and its cybersecurity stakeholders, like many others, are watching what comes next. Recent federal and state efforts to set cyber risk management standards may be delayed by an incoming administration with deregulatory instincts.
Yet, as BioCatch’s Frances Zelazny argued recently in an article in The Hill, our nation’s leadership cannot ignore reality — our cybersecurity policies are not serving us well, and they need to be fixed.
The average company in the financial services industry alone experienced 83 million security events in 2015, according to IBM. Just last month Yahoo announced a breach of 1 billion accounts, its second major hack announcement in the fourth quarter of 2016. Ongoing reports of hacks ensure that there will be pressure to continue to strengthen cybersecurity guidelines and protect consumers from fraud, identity theft, ransomware and other cybercrimes.
"Our policies need to adapt to the current fraud landscape and protect against future attacks."
Policy must adapt for better protection
Last fall, the Federal Reserve, the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) proposed new rules for enhanced cyber risk management standards. These latest standards follow existing federal legislation and regulation dating back to 1978 for risk assessment and management in the banking sector.
At the same time, the Department of Financial Services in New York is developing new rules to provide minimum requirements and deadlines for financial institutions doing business in the state.
These latest efforts are important. Current policies don’t consider the way fraudsters behave. Instead, they focus primarily on fortification and prevention, when what is needed is to build resilience and real-time response. Today’s cybercriminals are sophisticated and patient. They are familiar with our prevention solutions and have figured out how to bypass them.
Threats come in three main forms: credential theft, remote access malware and social engineering. In each, it is often the human element that causes the breakdown. All the passwords, tokens and other forms of strong authentication are meaningless if a person is tricked into handing over their credentials, inadvertently installs rogue software that performs actions on their behalf, or unwittingly gives a criminal access to a machine or account.
Cybercriminals are a step ahead
A report issued last month by the FBI and the Department of Homeland Security provides an example. The agencies described in detail how a spearphishing campaign that distributed emails containing malware allowed hackers to compromise US democracy. At least one person activated the malware, which was then able to escalate privileges, access email and Active Directory accounts and circumvent encrypted transmissions. In another successful attack, an email fooled users into resetting their passwords through a “mirror” website set up on the hacker’s domain.
Today’s criminals are fighting a 21st-century war, attacking our critical infrastructure and financial systems using unconventional techniques. PINs, tokens, passwords, IP verification, device authentication, physical biometrics and even multi-factor authentication can all be bypassed. The good news is that there are technologies such as behavioral biometrics that provide continuous authentication throughout a session, validating who is behind it and not just which device or passcode was used to authenticate the login.
Evolving policies need to take these capabilities into account in order to combat the techniques that fraudsters are using, adapt to the current fraud landscape and protect against future attacks.