Prashant Ketkar, CTO at Parallels (part of Alludo).

Not too long ago, an acquaintance of mine, let's call him Dave, received an email from the HR department of the bank he works at: "Our compliance policies have been updated; please acknowledge them by June 30." Dave, who had sat through numerous cybersecurity training sessions in his career and considered himself pretty tech-savvy, did a quick check of the sender's address, the email's look and the link. Everything looked legitimate, so he clicked on the link to review the updated policies.

He’d been phished.

Dave's situation is one that many in the banking sector may have found themselves in, as cyberattacks on banks have surged. In the first half of 2021, ransomware attacks on the banking industry rose by more than 1,300%, according to Trend Micro.

Luckily for Dave, the phishing attempt was part of his security team's quarterly awareness testing, so nothing happened beyond him kicking himself for failing the evaluation. But given that everything in the email passed his checks, how could he have been fooled?
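As an added example that is not part of the original article, the following Python script shows the kind of link check that goes beyond a glance: it parses an HTML email body, compares each link's visible text with its real destination, and flags hostnames whose registrable domain is outside an allowlist or that use punycode. The sample message, the examplebank.com allowlist and the policy-ack.net lookalike domain are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of domains the bank really sends mail from (assumption for this example).
TRUSTED_DOMAINS = {"examplebank.com"}

# Matches visible link text that itself looks like a URL or bare hostname, e.g.
# "https://intranet.examplebank.com/hr" or "examplebank.com"; captures the hostname part.
URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, if any
        self._text = []      # text fragments seen inside the open <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. A real filter should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_link(href, text):
    """Return the reasons this link deserves suspicion (an empty list means nothing was found)."""
    reasons = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        reasons.append(f"scheme is {url.scheme or 'none'}, not https")
    if "xn--" in host or any(ord(c) > 127 for c in host):
        reasons.append("hostname uses IDN/punycode (possible homoglyph)")
    if host and registrable_domain(host) not in TRUSTED_DOMAINS:
        reasons.append(f"registrable domain {registrable_domain(host)!r} is not trusted")
    # Visible text that names a host, while the href actually goes somewhere else.
    shown = URLISH.match(text)
    if shown and shown.group(1).lower() != host:
        reasons.append(f"visible text names {shown.group(1)!r} but href goes to {host!r}")
    return reasons


def check_email(html_body):
    """Parse the body and return [(href, visible_text, reasons), ...] for every link in it."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    return [(href, text, analyse_link(href, text)) for href, text in parser.links]


# Constructed sample message in the style of the "policy acknowledgement" lure described above.
# The trusted hostname sits at the front of the URL, but the registrable domain is policy-ack.net.
SAMPLE_EMAIL = """
<p>Our compliance policies have been updated; please acknowledge them by June 30.</p>
<p><a href="https://intranet.examplebank.com.policy-ack.net/hr/compliance">
https://intranet.examplebank.com/hr/compliance</a></p>
<p>Questions? Visit <a href="https://intranet.examplebank.com/hr">the HR portal</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in check_email(SAMPLE_EMAIL):
        print(("SUSPECT " if reasons else "ok      ") + href)
        for reason in reasons:
            print("   -", reason)
```

The first link passes a visual check because the familiar hostname appears at the start of the URL, yet its registrable domain is the lookalike one, and its visible text disagrees with its href; the second link is clean. The two-label heuristic in `registrable_domain` is a simplification (it misreads suffixes such as `co.uk`), so a production filter should use the Public Suffix List, and no link check replaces phishing-resistant MFA, since a convincing page still collects whatever the user types into it.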

Imagine the shock of realizing a cyberattack just hit your bank—your funds are safe for now, but what about your personal information? Cybercriminals aren’t just after money: They target sensitive data too, which they can weaponize for future attacks or use as leverage for extortion. The fallout from such a breach can be catastrophic, leading to financial ruin for individuals and a tarnished reputation for financial institutions.

Ransomware, phishing and advanced persistent threats (APTs) are the cybercriminals’ weapons of choice, and they use them to target millions of customers’ financial assets and confidential data. Unfortunately, these criminals are getting smarter, constantly evolving and learning how to make it harder for people to recognize their tactics.

Banking On Security

While banks are not alone in facing a surge in cyberattacks, recent incidents have revealed systemic flaws in the sector's cybersecurity approach, including a continued reliance on older, disjointed technologies that cannot respond quickly to evolving threats.

When Dave shared his story with me, it sparked a bigger conversation about these flaws.

“It’s not just the legacy systems we’re using,” he told me. “It’s also the slow adoption of cloud services. Regulations make banks cautious, but this caution leaves us exposed.”

Outdated firewalls, inadequate endpoint detection and insufficient employee training on cyber hygiene are significant vulnerabilities. Phishing emails are often the initial vector for getting ransomware onto bank networks. Once inside, attackers escalate privileges and move laterally, frequently exfiltrating data before encrypting critical systems, then demand a ransom for the decryption keys and for not publishing what they took.

The conversation I had with Dave reflects an aspect of what we at my company work on every single day. To address vulnerabilities like the ones Dave's story pointed out, the banking sector must embrace a proactive and comprehensive cybersecurity posture. Implementing a zero-trust framework, in which trust is never assumed even inside the organization's own network, can significantly enhance security. By authenticating and authorizing every user, device and application on each request, regardless of where the request comes from, banks can limit how far an intruder who has already landed on one endpoint can get.

In addition to zero trust, tools like remote browser isolation (RBI) can add a further layer of protection. RBI executes web content in an isolated environment away from the endpoint, typically a disposable container, and delivers only a rendered view to the user's device, so malware served by a malicious page never runs on the workstation. One caveat: isolation contains what a page can do to the device, not what the user types into it, so a convincing credential-harvesting page still needs phishing-resistant authentication and URL filtering to defeat. Together, these strategies form the essential toolbox the banking sector must revisit to bolster its defenses against evolving cyber threats.

The banking sector must adapt by implementing innovative solutions and ensuring employees are well-trained to keep up with evolving threats. This is essential to protect customers’ financial assets and confidential data from relentless cyberattacks.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
