2016 saw numerous security breaches, including the successful breach of the Democratic National Committee’s computer systems, where hackers were able to work for seven months, sending phishing emails that ultimately scored a huge win: the account of John Podesta, chairman of Hillary Clinton’s presidential campaign.
Financial institutions continue to battle malicious attacks from every side, and even the august New York Federal Reserve proved it was vulnerable when cyber thieves walked away with $80 million in February 2016. The threat is global: Lloyd’s estimated in 2015 that cyber attacks cost businesses as much as $400 billion a year, and a Forbes story from January of this year predicts that number will quadruple by 2019.
Last year, the number of data breaches in the United States reached an all-time high of 1,093, a 40% spike over the 780 reported for 2015, according to a new report from the Identity Theft Resource Center and CyberScout.
2017 isn’t shaping up to be any better. One of the first notable attacks of the year occurred shortly after New Year’s Day. On January 11, London-based Lloyds Banking Group experienced a two-day-long distributed denial of service (DDoS) attack across the group’s websites, including Halifax and Bank of Scotland.
The attack made it difficult for customers across Lloyds’ brand sites to log in to their accounts. The company initially denied it was under attack and blamed the breakdown in services on “technical issues,” but it was later revealed to be a DDoS attack, a type of attack in which the perpetrator uses thousands of unique IP addresses to overwhelm the bandwidth or resources of a targeted system. The end result is that legitimate users are denied access to a service or website.
The attackers did not get very far with Lloyds. The bank’s IT security experts “geo-blocked” the source of the attack, cutting off traffic from the region the attacking server was in. Unfortunately, geo-blocking also turns away legitimate customer requests from that region. The attackers then moved to another server, and the geo-blocking game began again.
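The geo-blocking trade-off described above, as an added example that is not the article's or the bank's own code: a Python sketch that runs over a constructed access log (TEST-NET addresses and a stand-in prefix-to-country table, both constructed for this example, standing in for real server logs and a GeoIP database), flags the region producing the flood, and then counts how many attack requests a country-level block stops and how many legitimate customers in that same region it locks out at the same time.

```python
"""Geo-blocking as a DDoS response, and what it costs legitimate users.

Added example, not from the article or from Lloyds. The log entries and
the prefix-to-country table are constructed; in practice they would come
from the web server's access log and a GeoIP database.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed prefix-to-country table (stand-in for a GeoIP lookup).
# The country codes are placeholders, not real attribution.
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "XX",   # region the flood comes from
    ip_network("198.51.100.0/24"): "GB",  # home market
    ip_network("192.0.2.0/24"): "US",
}


def country_of(ip: str) -> str:
    """Map an address to a country code using the constructed table."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


@dataclass(frozen=True)
class Request:
    ip: str
    path: str
    # Constructed ground truth, present only so the example can measure
    # collateral damage. Real logs carry no such label.
    is_attack: bool


def build_sample_log() -> list:
    """Constructed access log: a regional flood plus ordinary customers."""
    log = []
    # 50 distinct bots in region XX, 4 requests each: 200 attack requests.
    for host in range(10, 60):
        log += [Request(f"203.0.113.{host}", "/login", True)] * 4
    # Two real customers who happen to be in the same region.
    for host in (200, 201):
        log += [Request(f"203.0.113.{host}", "/login", False)] * 2
    # Ordinary customers at home and abroad.
    for host in (5, 6):
        log += [Request(f"198.51.100.{host}", "/accounts", False)] * 3
    log.append(Request("192.0.2.7", "/login", False))
    return log


def requests_by_country(log: list) -> Counter:
    """Request volume per country: the view a geo-block decision is based on."""
    return Counter(country_of(r.ip) for r in log)


def flooding_countries(log: list, threshold: int) -> set:
    """Countries whose volume exceeds the threshold (the crude flood signal)."""
    return {cc for cc, n in requests_by_country(log).items() if n > threshold}


def apply_geo_block(log: list, blocked: set) -> dict:
    """Apply a country-level block and tally what it stopped and whom it hurt."""
    stats = {"blocked_attack": 0, "blocked_legit": 0,
             "passed_attack": 0, "passed_legit": 0}
    for r in log:
        action = "blocked" if country_of(r.ip) in blocked else "passed"
        kind = "attack" if r.is_attack else "legit"
        stats[f"{action}_{kind}"] += 1
    return stats


if __name__ == "__main__":
    sample = build_sample_log()
    print("requests by country:", dict(requests_by_country(sample)))
    hot = flooding_countries(sample, threshold=100)
    print("regions over threshold:", hot)
    # The block stops the flood, but every customer in region XX is locked out too.
    print("effect of geo-block:", apply_geo_block(sample, hot))
```

The tally makes the article's caveat concrete: the block removes all 200 attack requests, but the four requests from the two genuine customers in the same region are refused as well, and nothing in the log distinguishes them from the bots once the decision is made at country granularity.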
With these growing threats, it is now critical that companies in the mortgage finance space develop an information security plan, and make sure their vendors are covered too.
It’s not enough to ensure the data of one company is protected; the next step is to make sure that any third-party company involved is also serious about protecting information.
ONE COMPANY’S APPROACH
In the midst of this cyber war, one third-party vendor is taking serious measures to ensure its employees are handling sensitive information carefully, minimizing the risk the information could fall victim to an attempted hack. Black Knight Financial Services uses constant and consistent employee education to create an environment where each employee is held responsible for what they click.
Peter Hill, chief risk officer for BKFS, explained the company’s commitment to protecting consumer data. “As a premier provider of technology to the mortgage industry, we are committed to and laser focused on protecting our clients’ data. Because opportunities for risk never stop, we continuously implement new and innovative ways to mitigate this risk.”
BKFS uses a variety of methods to keep employees on their toes, including phishing training to test employees on potential phishing scams. On a monthly basis, BKFS uses the PhishMe simulator to send a potential threat email to employees as a test. A built-in button lets users alert the IT security department of the threat; if employees open the email instead, that tells the company there is a need for more specific training. BKFS began sending the tests to limited audiences at the end of 2014 and steadily increased to 100% of employees in 2016. Since implementing monthly testing, the success rate of the tests (the rate of employees who report the email versus those who open it) has improved significantly, with recent months showing more than a 100% improvement.
The simulator program received the 2016 award for Best IT-Security Related Training Program from the SC Awards, which celebrates the top performers in the information security field.
WHAT IS PHISHING?
There’s a reason BKFS decided to target emails.
The annual ITRC report breaks down the 2016 breach data by type of occurrence, and for the eighth year in a row, hacking, skimming and phishing attacks were the leading cause of security breaches, making up 55.5% of attacks, a 17.7% increase since 2015. According to ITRC, many of these were a result of CEO spear phishing attempts.
Better known as email compromise schemes, these attacks expose highly sensitive information, including Social Security numbers and business tax information. Taking advantage of users by email, these scams are known for tricking customers into giving out personal information such as credit card numbers, passwords, and bank account information.
Phishing emails are deceptive in nature. They are made to appear like a legitimate email from someone you know or are expecting to hear from. Hill explained that an employee could get an email around Halloween, for example, about a costume dress code. The email would ask the recipient to follow a link to retrieve the document, and following that link is what opens the system to compromise.
Malicious emails are becoming more sophisticated and more realistic every day. Emails disguised as messages from popular services like Netflix or Gmail are tempting for anyone to open at first glance, so constant and effective training is necessary to help employees recognize a potentially threatening email.
“Our employees are our first line of defense in risk and security management, which makes finding effective training and awareness techniques critical to the safety and soundness of the company,” Hill said. “Continuous education on information security is the only way to make employees aware of and teach them how to avoid the behaviors that may put a company at risk.”
Hill stressed how crucial the “tone at the top” is regarding information security, because employees are more likely to understand the gravity of the issue if they understand its importance for upper-level executives.
“The employees won’t get that impression unless they hear it from the top,” Hill said.
Financial institutions and the vendors they hire can implement different cyber defense strategies, such as white hat testing, in which an ethical hacker or cyber security expert attempts to hack, or breach, the system to find any flaws, as well as data encryption, multifactor authentication and network segmentation.
The threat landscape is evolving exponentially. Data thieves are getting bigger and better and may not only have money in mind when they hack. Hacktivists and nation-state hackers may have other motives for stealing personal data and information. The hack on the Office of Personnel Management in 2015 compromised the sensitive information of 22.1 million people, but no one knows, even now, what those records have been used for.
“These are not just teens hacking into companies from the garage,” Hill said. “They don’t just break in to steal data, it’s also done to damage reputation and to damage the website.”
It’s that type of reputational damage that hurts smaller financial institutions and vendors the most. Hill explained that while smaller companies may not have the budget or resources to implement a high-tech information security plan, they also don’t have the same number of customers and may not see the same number of threats that larger companies, like JPMorgan Chase and Bank of America, do. Larger institutions, by contrast, can afford fully developed IT departments to oversee security, monitor for potential vulnerabilities or threats, and implement countermeasures when threats do arise.