Since the early 2010s, the banking industry has been adopting digital technologies to improve customer services and increase efficiency in back-end operations. However, leveraging emerging technologies can expose banks and financial institutions to new vulnerabilities that plague the digital landscape - namely, cyber threats.
Digital banking - no longer an expectation
Today, almost everyone with a bank account can access 24/7 digital banking apps. It is expected that banks and financial institutions will provide their consumers with instant services and a smooth omnichannel experience. According to a Cornerstone Advisors study, "by the end of 2022, just 11% of US banks and 4% of credit unions will not have launched a digital transformation strategy" [1a]. Especially after the COVID-19 pandemic, digital banking has witnessed a spike in consumer usage. For instance, Wells Fargo – the fourth largest bank in the US - saw a 35% increase in remote check deposits and a 50% growth in online wire transfers in 2021 compared to a year ago [2]. These numbers prove that implementing a digital strategy can help banks get closer to their customers and tap into new revenue and business models that promise to yield long-lasting benefits.
A double-edged sword
However, adopting digital transformation comes with its own challenges, such as heightening concerns for cyber security. Compared to traditional banking, online banking is increasingly vulnerable to cyber-attacks as customer data is available online across multiple channels and platforms. In fact, Cornerstone reports that 33% of attempted breaches against financial services and insurance companies in the US are successful. For instance, a data breach involving 7 million consumers' personal information occurred in 2021 at the online stock trading platform Robinhood [1b]. A cyber-attack can present a threat to both all internal and external stakeholders of banks, including customers, investors, auditors, ITs, and even the bank clerk.
The most common types of cyber-attacks against financial institutions include, but not limited to:
1. Phishing
Phishing emails, where an email posing as legitimate communication is sent to victims, are one of the most common attack vectors for cybercrime because they are becoming more and more difficult to spot. It is estimated that phishing attacks are the origin of over 90% of all successful cyberattacks. Among the 15 billion spam/phishing emails that are sent daily, nearly half of them are directed at or impersonate financial organizations. For instance, a hacker pretended to be the CEO of the Belgian bank Crelan and persuaded someone in the finance department to move money overseas, costing the bank to lose €70 million ($75.8 million) [3].
2. Ransomware
When a victim fails to pay the attacker's ransom demand, the attacker may threaten to publish or sell the victim's private information. This is known as ransomware. For example, the Darkside - a gang of cyber attackers came for the UK-based insurance company One Call with ransomware in May 2021, demanded £15 million, and threatened to leak the company's data, including client information such as passwords and bank details [4]. A recent study found that ransomware assaults against the financial sector rose by 1,318% in 2021 [5]. According to Trellix, 22% of all ransomware assaults in Q3 2021 were in the banking and financial sector [6], suggesting that the sector has become one major target of ransomware attacks.
3. Distributed Denial of Service (DDoS) Attacks
DDoS attacks are deployed by attackers to flood and crash a target website by overflowing it with traffic. Consequently, DDoS attacks disrupt corporate operations, cause the victim to suffer large financial losses, and pose a serious risk to financial institutions. The total number of DDoS assaults in the financial services industry surged by 110% in 2020 compared to the prior year, according to Akamai [7]. Recent incidents include a DDoS attack in September 2021 that forced the closure of the websites of major New Zealand financial organizations, including Kiwibank and the national postal service [8]. Fiducia & GAD IT, a German company that manages technology for the nation's cooperative banks, was also the victim of a DDoS attack in June 2021, which had an effect on over 800 financial institutions across the nation [9].
Making digital banking safer
As cyber threats become increasingly sophisticated, there is a pressing need to upgrade security systems and implement intelligent threat monitoring and protection solutions. GlobalData predicts that the banking sector's global security investment will climb from $7.9 billion in 2019 to $9.8 billion in 2024 as a result of the growing need for cybersecurity [10].
Here are some approaches that can help curb the threat of cybercriminals in digital banking.
Enabling Multifactor Authentication (MFA) method
Multifactor authentication makes it difficult for fraudsters to gain access to users' accounts because it demands multiple credentials to confirm a user's identity. Users are prompted by the system to confirm their identity a second time by providing a PIN, responding to a security question, or using biometric authentication. Banks can offer members authentication options to match their changing demands and eliminate the risk of using weak passwords by using MFA. Microsoft claims that MFA can help stop more than 99% of account attacks, making it one of the best ways to strengthen cybersecurity defenses [11].
Migrating to the Cloud
There is often a misconception that the Cloud exposes one’s data to open access. Instead, one might consider storing his data in an on-premise data center, locked and guarded, as more secure. But here are some of the reasons why the Cloud offers higher security:
- Restricted access: Cloud service providers (CSP) implement strict access to their data centers. For example, Google implements six layers of identification to recognize authorized staff, with the utilization of biometric authentication and comprehensive camera coverage [12].
- Disaster recovery: CSPs, such as Google, store their clients' data across multiple devices and in numerous locations. The data is also chunked, replicated, named randomly, and made unreadable by humans. Such measures help back up lost data.
- Deep security expertise: CSPs often have a large, experienced team of security experts. For example, Microsoft Azure employs more than 3,500 security experts. Such a team size is sometimes as big as an entire organization's workforce [13].
- Heavy investment in security: CSP has the needed resources to invest in security improvement. Microsoft, for example, has spent $1 billion to secure its Azure cloud platform, allowing it to protect against a reported seven trillion potential cybersecurity events every day [14].
For the above reasons, the Cloud has become a trusted source for data storing. Indeed, government institutions have plans for heavy investment in the Cloud. For example, the Pentagon plans to set aside US$10 billion for developing cloud services, and the US Department of Defense wants to move its whole infrastructure to the cloud in the next ten years [15]. The banking and financial sector has also expressed growing interest in the technology. In fact, a survey by Accenture found that 20% of international banks have already committed investment funds to the development of cloud banking [16].
In conclusion
So far, banks and financial institutions are generally satisfied with the impacts of digital banking. The Gartner survey found that 87% of corporate directors acknowledge the transformational role of digital banking in addressing strategic business priorities, 67% are willing to increase their budget in technology investment [17]. For this reason, it is high time that banks consider putting in place the best cybersecurity practices to keep their stay safe against cybersecurity attacks. As digital banks particularly require the use of sensitive data to perform financial transactions, they should become well aware of the challenges they face by operating online, and come up with strong cybersecurity strategies to protect their data and avoid significant financial and reputational losses