When it comes to cybersecurity, the first priority of financial professionals — and their cybersecurity experts — is to prevent hackers and other ill-intentioned individuals from stealing investors' funds and transferring them to shady accounts, often overseas. However, outright theft is far from the only risk.
Consider ransomware, a malicious software that encrypts users' data and then prevents them from accessing these data. The "hacker" then extorts the user by asking for a "ransom" to decrypt the data. (The victim generally initiates the encryption process himself, by inadvertently clicking on "bait" text or icons.)
Ransomware was just one of the increasing numbers of drivers of cyberattacks last year in which the considerations were other than outright theft. Here's a closer look at some of the other causes:
The streets have always been the first place that protesters go to express their frustrations. But with current rapid advances in technology, why go outside during winter when you can wreak havoc from the comfort of your own home? Remember the Occupy movement that started in 2011? We shouldn't be surprised if one day similar protest movements target the digital assets of the symbols of capitalism.
For example, the hacktivist group Anonymous took down the Bank of Greece's website a year ago. Although, to the best of my knowledge, hacktivists have yet to target a governmental financial authority or Canadian financial services institution, protest hacks are far from unprecedented here.
Case in point: Anonymous Quebec took down the Montreal police's website in 2015 in the wake of accusations of brutality during student demonstrations taking place at the time. It's not that far of a stretch to think that activists could one day turn their attentions to the financial sphere.
> Ideologically driven insiders
We often think about hacktivism as being an external threat, but this isn't always the case. For example, the Panama Papers' data breach on Panamanian law firm Mossack Fonseca, which helped investors place money abroad, was an inside job.
The whistleblower in the attack, which was one of the biggest breaches of data security last year, released the confidential documents because he was fed up about (his perception of) worldwide income inequality, according to reports. The leaker's identity remains (officially) unknown to this date.
Canada wasn't spared in this cybersecurity break. Both Prime Minister Justin Trudeau and Royal Bank of Canada (RBC) had to issue statements about the matter, with RBC denying any wrongdoing associated with the more than 370 clients it had referred to Mossack Fonseca.
> Intelligence gathering
Financial services institutions, by their very nature, are key targets for anyone looking to collect strategic or economic intelligence on a rival nation. Last summer, Kaspersky Lab identified a new cyberespionage group by the name of Dropping Elephant. The group collected seemingly innocuous information from high-profile diplomatic and economic targets, such as the types of browsers and devices they used, their IP addresses and location data. The group then forwarded all this information to other attackers, who planned more targeted initiatives. Although these attacks have not resulted in direct financial losses for financial services institutions, they could weaken Canada's global economic position on the international scene.
Canada's relatively favourable history and tolerant culture doesn't generally lead us to suspect that we might have enemies. However, the Canadian Security Intelligence Service issued a warning this past November that Canada is a target of cyberespionage from foreign countries such as Russia and China. PwC confirmed this a few weeks ago in a study about a specific advanced threat that targeted managed service providers all across the world, including Canada, which could impact banks. The scariest part is that the primary initial attack vectors consist of low-tech methods, such as spear-phishing (phishing attempts that target specific individuals with personalized information), which are used to get a foot inside your security perimeter.
Although these scenarios may sound scary, basic information security best practices and controls — covering both the technical and administrative aspects — can reduce the risk to a manageable level. As such, financial services firms should be encouraged to take the following steps:
- Have a security awareness program in place to educate users about general security best practices, including social engineering.
- Implement a strong network architecture that includes modern firewalls and intrusion detection system technologies
- On the margins, when possible, update your corporate and social responsibility profile to keep out of the bad guys' lines of sight.
Although your firm will never be able to eliminate the threat of cyberbreaches, taking such steps can make hackers' jobs much more difficult.
Read: It's 2016 all over again