Banks and other financial organisations are often the bullseye on a cybercriminal’s dartboard. The riches stored within their databases make for a very appealing prize, and attackers will stop at nothing to get their hands on it.
Years of experience have shown that exploiting vulnerabilities is a leading initial access vector for threat actors, including ransomware operators. A recent example is the Log4j vulnerability (Log4Shell), which scored 10.0 on the CVSS scale, the maximum the system allows. It is therefore critical that financial organisations know which vulnerabilities they are exposed to and how to remediate and manage them. This need has only intensified in recent years as businesses have extended their digital systems beyond the old perimeter and into home offices, adding a great many more potential weak points to the network.
And unfortunately, rather than ‘innocent until proven guilty’, the rule is ‘vulnerable until proven secure’. No organisation can assume it has perfect security because it is ticking all the boxes; that is almost never the case. But how do financial organisations uncover and monitor hidden vulnerabilities when their infrastructure is so vast?
Launching a vulnerability assessment
A vulnerability assessment does exactly what it says on the tin: it scans the infrastructure for known weaknesses (published vulnerabilities, missing patches, weak configurations) and delivers a report of the risk they pose to the company. Finding unknown weaknesses is the job of penetration testing and research, not a scan. Checks can cover patch levels, vulnerable endpoints, legacy technology and outdated systems that may no longer receive or support modern updates. These exercises are the bedrock of good information assurance in cybersecurity and should be carried out on a regular basis as a minimum activity across all financial institutions.
To be as effective as possible, assessments should be broad and regularly conducted. A one-off assessment every year or so will not deliver comprehensive results. Technology and business infrastructure are changing at a rapid pace, so assessment results go stale within a couple of months. Not to mention the horde of threats being developed each day, all designed to test the boundaries of business networks. When an organisation suffers a ransomware or malware attack, a common contributing factor is that it has not been running regular vulnerability assessments.
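To make the patch-level check described above concrete, here is an added example (not code from the original article) that matches a small inventory of hosts and package versions against an advisory feed and ranks the findings. Both the inventory and the feed are constructed for this example: the log4j-core entry follows the Apache advisory for CVE-2021-44228 (2.0-beta9 to 2.14.1 affected, fixed in 2.15.0), while the legacy-ftpd product, its advisory id and the host names are hypothetical. The point it shows that the paragraph does not is why the comparison has to be numeric: a lexical string comparison puts 2.9.1 above 2.15.0 and silently marks a vulnerable host as patched.

```python
"""Patch-level vulnerability check over a constructed host inventory.

Added example: matches each (host, package, version) record against an
advisory feed using numeric version comparison, then ranks the findings
so the report is a prioritised queue rather than a flat list.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    advisory_id: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    cvss: float


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    version: str
    advisory_id: str
    score: float      # ranking score for triage, not a CVSS value


# Advisory feed. The log4j-core entry follows the Apache advisory for
# CVE-2021-44228 (2.0-beta9 to 2.14.1 affected, fixed in 2.15.0). The
# legacy-ftpd product and its advisory id are hypothetical, constructed
# for this example only.
ADVISORIES = [
    Advisory("log4j-core", "CVE-2021-44228", "2.0", "2.15.0", 10.0),
    Advisory("legacy-ftpd", "EXAMPLE-0001", "1.0", "1.3", 7.5),
]

# Constructed inventory of the kind an asset scan produces (hosts are hypothetical).
INVENTORY = [
    {"host": "web-01",    "package": "log4j-core",  "version": "2.14.1", "internet_facing": True},
    {"host": "batch-02",  "package": "log4j-core",  "version": "2.9.1",  "internet_facing": False},
    {"host": "web-03",    "package": "log4j-core",  "version": "2.17.1", "internet_facing": True},
    {"host": "legacy-04", "package": "legacy-ftpd", "version": "1.2",    "internet_facing": True},
]


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of ints, padded to 3 parts.

    Pre-release tags after '-' are dropped. Comparing the raw strings would
    wrongly rank '2.9.1' above '2.15.0' because '9' > '1' character-wise.
    """
    parts = [int(p) for p in re.findall(r"\d+", v.split("-")[0])]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def is_affected(version: str, adv: Advisory) -> bool:
    """Affected if introduced <= version < fixed (numeric comparison)."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def rank_score(cvss: float, internet_facing: bool) -> float:
    """Ordering score: CVSS weighted up when the host is internet-facing."""
    return cvss * (1.5 if internet_facing else 1.0)


def assess(inventory, advisories=ADVISORIES) -> list:
    """Return findings for every vulnerable record, highest score first."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv.package, []).append(adv)
    findings = []
    for rec in inventory:
        for adv in by_package.get(rec["package"], []):
            if is_affected(rec["version"], adv):
                findings.append(Finding(rec["host"], rec["package"], rec["version"],
                                        adv.advisory_id,
                                        rank_score(adv.cvss, rec["internet_facing"])))
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"{f.score:6.2f}  {f.host:10}  {f.package} {f.version}  {f.advisory_id}")
```

Run as a script it prints three findings: web-01 first (CVSS 10, internet-facing), then the hypothetical legacy-04, then batch-02, while web-03 on 2.17.1 is correctly absent. The weighting in rank_score is deliberately simple; in practice the exposure factor would come from the asset register rather than a flag in the scan record.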
One of the most challenging elements of these scans is that the result is always bad news. After all, who wants a list of everything wrong with their security laid out in front of them? What organisations need to remember is that good will come from facing the truth. The question is, how do you convince the rest of the organisation to conduct these assessments, knowing that the results will be bad news and will require additional work and resources? The answer: show them the impact of what happens if they don’t.
The never-ending list of threats
The rapid advancement and evolution of technology means new threats emerge each day. Outdated services and unpatched parts of the network are low-hanging fruit that greatly aid an attacker’s attempts to breach the perimeter. With the average total cost of a ransomware attack standing at $4.62 million, financial organisations cannot afford to stick their heads in the sand.
No company would willingly leave known vulnerabilities in its network, but at the end of the day, you cannot secure the things you don’t know about. Visibility is therefore critical to vulnerability management, and vulnerability assessments deliver that insight.
For banks and other financial organisations, the major digital shift over the past few years and the transition to remote working has added to the existing security burden. The network boundaries have been stretched across the country, with hundreds more devices and services requiring different levels of security. One unpatched server or unprotected laptop could become the business’ wrecking ball.
Learn from past mistakes
Over the years, organisations have found legitimate-sounding reasons for not committing to regular assessments. As understandable as they may be, financial businesses do not have the luxury of a laissez-faire attitude to cybersecurity.
Rapid changes to business mean deadlines pile up, employees become rushed off their feet, and everything gets bumped to priority one. But this is when mistakes happen. Add on the impact of the COVID pandemic and ongoing digital transformation, and distractions get worse. Before you know it, a dozen new systems have been launched without appropriate security, older servers are left unpatched, and weak, reused passwords are adopted across the company. All in all, it’s a security nightmare.
Another common argument is that security teams lack the funding to act on any vulnerabilities discovered. It is extremely challenging to quantify security risk or determine ROI until something goes wrong, at which point it is already too late. Launching an assessment knowing there is no money or resource to fix what it finds can be a difficult choice, and so we often find that organisations elect to do nothing. That is the worst possible outcome. Instead, teams should use the vulnerabilities reported by an assessment to negotiate a larger budget and resource allocation with the board. They may not be able to act on every problem immediately, but they can build a stronger case for the future.
Achieving business-wide awareness
Overall, we have noticed an increase in the number of organisations adopting vulnerability assessments, but there is still a lot holding some organisations back. Getting stuck in spreadsheet mayhem, drowning in risk reports and lists of problems that need remediating or mitigating, is one of the biggest barriers for security teams in the finance industry. And even among companies conducting quarterly scans, not all are formulating a plan to address the root cause of the issues found.
Nevertheless, there are several options for businesses who choose to launch assessments but struggle to deploy immediate action. Having a log of vulnerability findings to show the board will help build a case for bigger budgets and resource allocation. In the time before a breach, security budgets are often very restricted, however this all changes when a host or person becomes compromised. Suddenly, the ROI of security preparations becomes obvious, but it’s too late. Making the entire organisation aware of the risks ahead of time could save the business millions.
Vulnerability assessments must not be viewed as a tick-box exercise. While there are criteria to meet for industry regulators such as the FCA, teams should look beyond the bare minimum and dedicate their efforts to finding and fixing root causes.
Risk management needs to be carried out – and it needs to be carried out properly. Financial organisations and their security teams should not shy away from the bad news in an assessment, they must look beyond the report and see the improved security stance waiting further down the road.