What the finance sector can learn about cyber security from the CommBank data breach

Recent cases like the Commonwealth Bank's customer-data-loss scandal have demonstrated how vulnerable financial institutions can be when it comes to cyber and other security issues. So what are the key cyber security lessons to keep in mind and what can financial institutions do to secure their networks?

Financial institutions: vulnerabilities and security concerns

In May it was revealed that CommBank had lost backup data for customer accounts spanning over 15 years, affecting nearly 20 million accounts. This data loss highlights the potential vulnerabilities and security concerns financial institutions are facing.
While the controversy was concerned with improper and unverifiable disposal of backup data rather than cyber security, the incident nevertheless underscored the risks inherent in dealing with private data. Among chief risk managers (CRM) there's growing concern about cyber security, with 77 percent of CRMs considering it as one of the most important risks, up 22 percent from 2015.

As for data-related risks, which could overlap with cyber security issues, 88 percent of banks recognise it's a top emerging risk over the next five years. Financial institutions, which collect personal data like account numbers and transaction details, are worried not only about complying with data regulations but also about safeguarding confidentiality, availability, and integrity.

For financial institutions, channels of vulnerability and security concerns include technology platforms, systems, services, apps, and websites. While other organisations might utilise these in internal as well as customer-facing processes, financial institutions have the added risks associated with sensitive financial information.

In the CommBank case, the bank relied on a subcontractor (Fuji-Xerox) to destroy the magnetic tapes in question. So another potential vulnerability could be working with subcontractors who might not be on the same page when it comes to safeguarding customer data.

Why financial institutions are an attractive target for hackers

Financial institutions are an attractive target for malicious attacks for a simple reason: they hold the money, and hackers go where the money is. As financial institutions utilise more digital channels like online banking and mobile services, hackers have more channels through which to penetrate their systems.
Recent attacks include those by the Silence hacking group and the Carbanak group, which has stolen more than $1 billion from banks around the world. Other cases include the Tesco bank, HSBC, and the MoneyTaker cases.

4 ways hackers gain access to financial data 

1. Trojan malware 

Cyber attacks against financial institutions can use trojan malware to gain entry into networks, allowing hackers to gather credential data and steal money by transferring it elsewhere.

2. Phishing attacks 

Other types of attacks could originate through phishing emails that allow the attacker to gain access to the network and/or execute a malware dropper or remote commands.

3. Fake websites 

Fake websites can be set up to mislead customers, and hackers could leverage social media data to conduct social-engineering attacks to gain access to accounts. Other hackers steal data so they can sell it on the dark web. 

4. Poor data management 

Another way to gain access - one that's hard to detect - is through malicious, careless, or compromised users. These are partners, employees, or contractors who misuse or abuse their access to the network.

8 methods financial institutions can use to protect their data

It's impossible to be secure 100% of the time given the constantly changing and opaque cyber-security landscape. But that doesn't mean your financial institution should do nothing.

1. Nimble recovery 

Have a plan in place to deal with incidents quickly and minimise loss. Banks should focus on having a nimble recovery plan, along with a comprehensive communications plan. Your response protocol could include consulting your legal advisers as well as IT security specialists, followed by a review to learn from the breach. These steps could reduce the risk of serious reputational disruption.

2. Internalise strategies 

Banks should internalise their cyber-resiliency and cyber-agility tactics. In layman’s terms, this means making cyber security a part of your entire business workflow and building it into your culture and everyday processes. This can include training staff on security practices.

3. Value information assets 

Financial institutions need to demonstrate they value information assets. They should do this by allocating more funds to protecting these assets as well as constantly staying aware of new risks and having a plan for dealing with them.

4. Assume breaches already happen 

Proceed as if breaches are already happening. This means your IT team will focus on the most business-critical parts of the network. It also means using network segmentation as a strategy, which makes it harder for a hacker to gain access to different network zones.

5. Implement an organisation-wide policy 

A clear organisation-wide policy isn't just a framework for guiding behaviour; it's a critical road map for maintaining an adaptive security infrastructure that best protects your data. It could also help you stay compliant with changing regulations. Your policy could cover everything from application security and authentication processes to authorisation processes and network management.

6. Enforcement 

Make sure you enforce your security policy; having a policy for the sake of it won't necessarily reduce the risk of data breaches. Monitor and enforce policy changes and updates so the full benefits of your cyber security policy can be realised.

7. Zero-data process 

Aim for zero-data processes, as this means you collect the minimum amount of information you need to carry out tasks. Reduce the amount of information you keep. However, note this needs to be balanced with compliance and auditing considerations.

8. Conduct regular assessments 

Constantly assess your risks and classify your data and information assets. This helps you identify what you need to do to protect your data on an ongoing basis, while keeping a historical record of the work done to date, giving you a comprehensive view of security solutions.

Consult Kiandra IT for your cyber security solutions

Financial institutions are typically more vulnerable to cyber and other security threats than other organisations, so it's vital to have a clear policy and a response plan in place. To learn more about security solutions for your organisation get in touch with the expert team at Kiandra IT. We can identify all the potential threats your business faces and secure your data against them. Get in touch today.