YOUNGSTOWN, Ohio – Cyberattacks, for any business, are a near certainty. This year alone, nearly every sector – from meat processing plants to oil pipelines to the NBA to automaker Kia – has had its systems breached.
But rarely in the headlines are financial institutions. For good reason. The strength of their security measures stems from the kinds of data financial institutions deal with.
In 2017, cybercriminals attacked a third-party vendor to gain access to the payment information used by hundreds of thousands of customers of several retail giants, including Best Buy and Sears.
More recently, hackers locked down the systems of Colonial Pipeline Co. in April and demanded a ransom, leaving the oil company unable to move its product, sending shockwaves through the industry and causing prices to rise at the pump.
But financial institutions are different and have data on a much larger scale. They not only have personal information such as Social Security numbers and credit card numbers, but all of the entire financial information for an individual or business.
“That same kind of attack on the systems here would affect an individual’s commerce. They may not have access to savings and checking accounts, to their finances. That would create big consequences as they try to go about their daily lives,” says Michael Kurish, CEO of Associated School Employees Credit Union. “There’s such a dependency on electronic transactions – from debit cards and credit cards to apps for transferring money – that if there’s no access to account information, all that traffic stops. It would without a doubt be a significant hardship.”
In its most recent Data Breach Incidents Report highlighting nearly 30,000 data breaches, Verizon reported 721 security incidents – resulting in 467 successful breaches – against businesses in the financial industry in 2020, on par with retailers (725 incidents, 165 breaches) and health care (655 incidents, 472 breaches).
Within the financial sector, almost half of the breaches, 44%, resulted from internal errors, most frequently sending information to the wrong person. For external cyberattacks, the most common methods for breaching a system involved using a person’s login credentials.
“One [change] that we have seen over the last few years has been a convergence of internal actors and their associated actions with the more famous and nefarious external varieties,” the report states about the financial industry.
Locally, the institutions say they haven’t had data compromised by cyberattacks. But, there have been attempts. At ASECU, Kurish says the company that the credit union contracts with to monitor its network earlier this year reported an attack targeting the email system of the credit union.
“There have been attempts to use old or unpatched systems to get through network security,” he says. “Some of these attacks, one in early spring, had actors overseas trying to use old email servers. For companies who haven’t patched and updated their email systems, they’re vulnerable.”
To defend against breaches, local financial institutions combine practices mandated by state and federal regulators with cutting-edge techniques and in-house training.
“We have to be continually vigilant with that data. We do a lot with ongoing analysis around threats,” says Tina Shaver, Premier Bank’s chief risk officer. “We’re very proactive and looking for ways to make sure our system is up to date or watching industry trends.”
At Premier, most conversations focus on mitigating ransomware attacks, as well as how to deter phishing attacks that look to catch employees unawares.
“The main goal is to stop it before it gets to an employee. You want your system, on the back end, to be able to detect it,” she continues. “We plan for an attack. We’re always looking. We talk about cybersecurity on a daily basis because you never know who’s trying to get into your system.”
Phishing attempts involve emails aimed at getting recipients to pass along sensitive information such as passwords and personal information or to get them to click a link that installs malware. They are the “constant threat,” says Brian Jackson, vice president and chief information officer at Farmers National Bank.
“What makes it so effective is that it’s so easy to do. If you just lose focus at any moment, anyone can be susceptible to phishing. It can just be clicking on a link that gives a cyber criminal access to a network and once they have access, that’s where ransomware and keyloggers come in,” Jackson says.
Because banks have such robust security on their networks, attempting a “brute force” hack is costly and time-consuming, which is often a deterrent, he continues.
“Criminals go for the easiest target that will give them the most bang. With the regulatory requirements and the oversight, I think banks are more difficult targets,” he says. “There are easier places to attack. But that doesn’t mean we aren’t susceptible to these attacks. We have to stay diligent with training, policy and technologies to keep up with emerging threats.”
Among the safety measures used to keep systems secure are employee training sessions using “what if?” scenarios and installing the newest security technologies available. The technology often is more than what’s required by states – in Ohio, the Division of Financial Institutions – and federal regulators, such as those at the National Credit Union Administration and Federal Deposit Insurance Corp.
“To take some defenses even further, we’ve segmented our network so that at any time, the entire network isn’t at risk. We try to segment it so there aren’t a lot of exposures. Right now, we’re looking at the next generation of cyber defenses: a methodology called ‘zero trust,’” says Brian Boettcher, vice president of innovation and IT at 717 Credit Union.
In that system, the network of the credit union will operate on the assumption that every piece of information across the network is coming from a cybercriminal and work to verify it before allowing it to move freely. That method applies to both external information – say, a customer sending an email to a lending agent – and internal information.
“The reason for that is simple: We have to be successful in our defenses 100% of the time and the bad guy just has to be successful once,” Boettcher says. “We’re talking about people’s money and their livelihoods. … The last thing we want is something negative happening.”
Beyond their own systems, financial institutions also have to help customers with their own issues around cybersecurity. If a customer’s information is compromised in a massive cyberattack such as those affecting Best Buy, Sears and Delta Airlines, then banks work with customers to minimize the damage.
“There’s still debit card fraud that happens or identity theft. That affects banks,” says Farmers’ Jackson. “When someone like Target or Best Buy is breached, that affects banks because our customers have our debit cards. … You may not see a bank hit by ransomware, but we’re still dealing with other cybersecurity issues.”
Pictured at top: Nearly half of breaches at financial institutions were caused by internal errors, according to Verizon’s 2021 data breach report.