- Banks generate and receive threat intelligence, but is it useful? – Major financial institutions are starting to understand that there are enormous volumes of potentially relevant information, but actionable intelligence is more difficult to identify. Fusing threat intelligence with other disciplines such as incident response and fraud is a proven method for connecting data elements to create actionable intelligence. Although 100 percent accuracy can only be a goal, an active defense is critical to protecting against threats that are exponentially smarter with each attack.
- Mobile security platform weaknesses are giving rise to new threats – The Perkele Trojan – a crimeware kit – and other cross-platform malware have identified large gaps in mobile device security. These threats take advantage of weaknesses in mobile device platforms when information is sent to a hacker who then “owns” the device. Although Perkele has not yet spread globally, it is expected to rapidly grow beyond the Middle East during the 2013 December holiday season as consumers’ online purchases increase.
- Developing countries with growing liquidity will see more attacks on their local banks – As the saying goes, criminals go where the money is. Countries across the Middle East, Latin America and Asia Pacific are making great strides in modernizing their economic infrastructures, which puts them on sophisticated attackers’ radar. The Saudi Arabian Monetary Agency says that fraudulent operations target Saudi and GCC banks once every 14 seconds.
- Mid-tier banks and non-banking financial institutions beware – Attackers are moving from large banks to regional and mid-tier institutions due to their lack of security. Unlike their larger cousins, mid-tier and regional banks, wealth management organizations, hedge funds, etc., often lack the financial, technology and manpower resources to introduce widespread cyber security protections. When grouped together, these organizations are like a row of dominos that, when attacked, can create a cascade of systemic risks that could impact banks of any size.
- Thwarting insider threats requires firm-wide planning and preparation – Whether an employee accidentally shares passwords or falls prey to a social engineering attack, the cyber “hygiene” challenges of today can no longer be a responsibility solely owned by IT. Banks need to develop multi-disciplinary teams that include IT, human resources, internal communications, marketing and legal to communicate to all staff the importance of being cyber risk aware and knowing what to do when a concern arises.
- The NIST framework creates challenges for financial firms while opening the door for liability protections from a growing cyber security insurance industry – The NIST cyber security framework moves financial services firms closer to a set of voluntary guidelines that would create a de facto “standard of care,” which would then make private sector enterprises liable in the event of cyber breaches in which PII or other valuable data is destroyed or taken over by attackers. While this creates liability risk for banks, it also opens the window for the insurance industry to offer policies that help firms offset this liability.
- Big data demands data-level security, while offering a broader cyber solution – Banks depend on data. As operational data is moved to the cloud, proper fine-grained security controls are necessary to ensure banks not only avoid sharing sensitive data, but also defend against adversaries moving laterally across their data sets. As part of this transition, financial institutions have the opportunity to upgrade security architectures and integrate improved controls. In addition, this new architecture can allow for the deployment of advanced analytics to deal with enormous volumes of security data to better identify trends of malicious behavior.
To better protect an organization’s network systems, IT leaders must collaborate with the C-Suite to develop a holistic and forward-looking program that transforms their security posture. Booz Allen executives will be participating at the February 2014 RSA Conference and will be available to discuss the need for information security professionals to find their business voice – that is, how to bridge the language gap between technology, risk management, and cyber security to prepare for the new wave of cyber attacks.

About Booz Allen Hamilton

Booz Allen Hamilton is a leading provider of management consulting, technology, and engineering services to the U.S. government in defense, intelligence, and civil markets, and to major corporations, institutions, and not-for-profit organizations. Booz Allen is headquartered in McLean, Virginia, employs more than 23,000 people, and had revenue of $5.76 billion for the 12 months ended March 31, 2013.