There is an increasing number of cyber criminals targeting financial institutions all around the globe, and it seems that cyber security is not talked about often enough to make a difference to those who may be next in line.
I spend my days talking with local businesses and organizations discussing all things IT and cyber security. Often cyber security is at the forefront of everyone’s mind. What is my risk? Am I targeted? I have anti-virus, isn’t that enough? When should I be concerned?
Cybercrime: The Forgotten Pandemic
We never hear about cyber crime and cyber security in the news. Like the flu, we have become desensitized to hearing about breaches, leaks, hacks, and other forms of cybercrime. Perhaps it is because we do not all speak tech, perhaps brilliant fruit-based tech companies have marketed to us that we are immune, or perhaps we just do not know where to start. Whatever the reason, make no mistake: this is a pandemic, and cyber crime is a virus that mutates constantly.
Rob Herjavec’s company is a thought leader in cyber security, and it estimates that cyber crime will reach $6 trillion in cost in 2020. $6 trillion!
Let’s talk about what you can do to start to understand your risk and mitigate it. First and foremost, only you can really decide how much risk you are willing to take. I consider it my job to inform you of those risks. Cyber security can be scary, but the goal of this conversation is not to drive action through fear, but rather to drive decisions through education. Know your risk, know your options, and set your course.
Frequently Asked Questions About Financial Institutions and Cyber Crime
Several questions about cyber crime and cyber security are consistently asked by financial institutions, and these may be the ones on your mind, as well.
Let me address a few of the heavy hitters.
#1. Am I Targeted?
The simple answer is yes. Is someone waking up this morning with your name in mind, wondering how they will compromise a password, or social engineer you? That is less likely, but the truth remains that because you have an email address, you are targeted.
Cyber criminals run their organizations like a business. Entry-level folks start by going to the dark web (think of a digital black market where stolen goods are bought and sold) to buy lists of data. Some of that data includes emails, passwords, addresses, phone numbers, work titles, etc. You’re almost 100% guaranteed to be on a list that is for sale. These lists are built after major breaches occur. Think of the last 5 years. Huge corporations have been breached, like Target, Yahoo, Equifax, Microsoft, Google, Marriott, Capital One, Facebook, LinkedIn, Adobe, Twitter, Uber, Anthem; the list goes on and on. If you currently have or have ever had an account with one of these companies, your email, passwords, addresses, or other information could have easily been stolen and sold on the dark web. I will assume you raised your hand for at least one of these companies, and if not, those were just the tip of the iceberg.
Once the entry-level associate has you on a list, they start using marketing tools to send you emails they think may fit your demographic. Some of these are easy to spot, like if you get an email from Google and do not have a Gmail account. However, if you do have Gmail, this email might seem very relevant. The marketing tools they use can track whether you opened it or clicked on anything. That is how they can tell the fake email they sent is relevant to you. From there, you are an official target.
#2. What is My Risk?
You are targeted. So what? What can they do with that information?
First, let’s discuss what happens in a breach where your password was included, like the 2019 Facebook hack, when a humble 540 million credentials were stolen. You may not care if your Facebook gets hacked, but how many of you have a unique password for everything you log into? How many of us use 3-5 different passwords repeatedly? The latter is much more likely. We cannot realistically memorize tens or hundreds of unique passwords. In fact, we still have trouble with the 3-5 we use. So, we use significant names and dates. Something like Alycia722 (spouse’s name and anniversary). So, let us go back to Facebook. If the password you used for Facebook is the same as, or similar to (Alycia722!), a password you use for your email or your financial institutions, your risk grows.
The other possibility is that you were not part of a breach where one of your 3-5 passwords was compromised. However, we have all been trained to use significant names and dates for our passwords. Usually 7-12 characters, alphanumeric. Again think, Alycia722. That information is incredibly public. We post on social media on our anniversary, tag our significant others, and unknowingly share private information with the world.
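To make the “same or similar password” point concrete, here is a small audit script added for this article (example code, not from the original post or from Iconic IT). It takes a list of account/password pairs, such as you might export from your own password manager (the sample values below are constructed for the example), and groups them by the “core” that survives stripping case and punctuation. Alycia722, Alycia722! and alycia-722 all land in one group, which is exactly how someone holding a Facebook dump would treat them, so one breach exposes every account in the group. The same normalization check can be run on a proposed new password before you save it.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample vault (account -> password). These values are made up
# for this example; they are not real credentials.
SAMPLE_VAULT = {
    "facebook": "Alycia722",
    "email": "Alycia722!",
    "bank": "Alycia722",
    "work-vpn": "alycia-722",
    "retailer": "x9#Lq2vT!mZ0pW4e",
}


def normalize(password: str) -> str:
    """Reduce a password to the core that survives the usual tweaks:
    lowercase, letters and digits only. 'Alycia722', 'Alycia722!' and
    'alycia-722' all collapse to 'alycia722'."""
    return re.sub(r"[^a-z0-9]", "", password.lower())


def reuse_groups(vault: dict) -> dict:
    """Map each shared password core to the sorted accounts using it.
    Only groups with more than one account are returned: those are the
    accounts a single breach would expose together."""
    groups = defaultdict(list)
    for account, password in vault.items():
        groups[normalize(password)].append(account)
    return {core: sorted(accts) for core, accts in groups.items() if len(accts) > 1}


def find_reuse(vault: dict) -> list:
    """Return (account_a, account_b, kind) for every pair of accounts whose
    passwords are identical ('exact') or differ only in case and
    punctuation ('variant')."""
    findings = []
    for a, b in combinations(sorted(vault), 2):
        if vault[a] == vault[b]:
            findings.append((a, b, "exact"))
        elif normalize(vault[a]) == normalize(vault[b]):
            findings.append((a, b, "variant"))
    return findings


def blast_radius(vault: dict, account: str) -> list:
    """Other accounts that fall if `account`'s password leaks in a breach."""
    core = normalize(vault[account])
    return sorted(a for a, p in vault.items() if a != account and normalize(p) == core)


def is_variant_of_existing(vault: dict, candidate: str) -> bool:
    """Check a proposed new password before saving it: True if it is only a
    re-dress of something already in the vault."""
    core = normalize(candidate)
    return any(normalize(p) == core for p in vault.values())


if __name__ == "__main__":
    for core, accounts in reuse_groups(SAMPLE_VAULT).items():
        print(f"shared core {core!r}: {', '.join(accounts)}")
    for a, b, kind in find_reuse(SAMPLE_VAULT):
        print(f"{kind:7} {a} <-> {b}")
    print("if facebook leaks, also exposed:", blast_radius(SAMPLE_VAULT, "facebook"))
    print("is 'Alycia722#' just a variant?", is_variant_of_existing(SAMPLE_VAULT, "Alycia722#"))
```

On the constructed vault, four of the five accounts share one core, so a leak of the Facebook password also exposes email, the bank login and the work VPN. The normalization is deliberately simple; it catches the trailing-punctuation and hyphen tricks the article describes, not every possible variation, so treat an empty result as “nothing obvious found” rather than as a clean bill of health.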
Finally, the goal of buying your data and targeting you may not be to hack your passwords and see what other accounts they can hack. Instead, a threat actor/organization may use that information to send an email that introduces a virus to your machine, or to get you to follow a seemingly relevant link to lead you down the path of introducing a virus.
In all three scenarios, we are vulnerable.
#3. Is Anti-Virus Enough?
You are targeted. Your risk profile is likely high, but you pay for a solid anti-virus. Will that do the trick? I always recommend anti-virus. Some are better than others, and paid is better than free! That said, if your password is stolen and someone can access your account, or other accounts that use the same credentials, from their own computer, your anti-virus is useless. The other scenario is that you did not immediately update your anti-virus. Most AVs reference an “allow” and “do not allow” list. However, that list of good and bad code changes faster than you could imagine. Installing updates is crucial.
When it comes to AV and security updates or patches, we want to set it and forget it. It is also common that when we are in the middle of doing something, deep in the hustle and bustle of life, we get a pop up from our AV asking if we would like to scan a potential threat or a new USB drive. More often than not, we say “no.” After all, who knows how long it will take? What if it breaks something? The point is, we buy great software and then fail to allow it to protect us or expect it to protect us from threats it isn’t capable of identifying.
How Can I Protect Myself and My Organization?
There are steps you should be taking right now to increase your security. These actions are all user-friendly and can be used across the board for all employees.
- Use a password manager: There are many to choose from, such as LastPass, Keeper, and Dashlane. They allow you to create, securely store, and manage hundreds of unique credentials. If a breach happens, you are only risking one password for the affected application. That also means that, following an incident, you only need to change one password. Your device and your master password become your unique keys to unlocking all the other individual credentials.
- Pay for an AV: Remember that paid AV platforms are better than free ones. It’s not enough to just buy AV software, though: make sure you run updates and scans. In fact, most software you have on any of your devices pushes regular updates. Yes, they sometimes break things, but they almost always include fixes for bugs or vulnerabilities that are new.
- Slow down on email, texts, and calls: Phishing emails are involved in 90% of breaches, and it is because we are so rushed. We want to consume information immediately. We want to go to sources with links and not have to type. We want to be efficient! And we are incredibly efficient. However, our urgency and efficiency are fertile ground for us to be compromised. Here are some email best practices you can start to implement to stay safe: see our Email Best Practices post, or go to iconicit.com and look through our blog for email best practices.
- Trust, but verify: Dual approval or multifactor authentication is a way of independently verifying the veracity of a request, a link, or an email. If someone logs into your email account with stolen credentials, technologies like multifactor authentication will notify you and allow you to stop that breach in its tracks. When you get a link in an email, dual approval could be as simple as opening a new browser and going straight to the source rather than following links. When someone requests you reset a password, resend financial data, or switch a payment or investment method, you can verify by picking up the phone and calling to verify that request.
- Slow down: These practices all take a little more time, and we may lose a bit of efficiency, but social engineering is at the heart of this cyber pandemic. Our urgent need for efficiency and our urgency for information can often play into the hands of these criminals. Train yourself to slow down when interacting with email. Give yourself permission to verify the source, and if you have one red flag, look for others! Who knows? Slowing down and calling the person who sent you the email may just result in a human interaction that will be worth it!
Proactive Cyber Security
Did you know that financial institutions are the third most targeted vertical for cyber crime? It’s also proven that once is never enough; if you’ve already been targeted, chances are good that you will be targeted again.
Small to medium-sized businesses often must close their doors forever following a cyber attack, and larger corporations will spend millions trying to recover.
Having a proactive cyber security approach, starting with implementing the tips above, may be enough to decrease your risks a bit, but you will still have vulnerabilities. When in doubt, don’t hesitate to call in the pros for a security assessment.
By Kyle Moore, Iconic IT
Kyle was born and raised in the mountains, where he learned to ski not long after learning to walk. Before joining Iconic IT in 2013, he was a shepherd in Australia, a missionary in Africa, and on Ski Patrol at Vail. Kyle “fell into IT” as many IT professionals do, and has a passion for how technology can help local small businesses grow, scale, and succeed. He has been married since 2012 and has four kids, Riley, Emma, Micah, and Zoey. Kyle has spent the last 7 years as the partnership development manager for Iconic IT, which is a local leader in SMB IT.