When all is said and done, cybersecurity, like politics, is local as cyber attackers are relentless in targeting multiple stages of the attack chain, from phishing to execution, and ultimately, command and control particularly when it comes to stealing sensitive, personal data.
The level of anxiety hovering over the increasingly harmful issue of cybersecurity is on the rise as a random survey of 1,000 Americans conducted by researcher Reviews.org revealed that fears that their financial accounts will be accessed for nefarious purposes is on the rise.
The survey found that 52 percent of survey respondents said that they are increasingly concerned about the security and protection of the confidential, personal information they entrust to their financial institutions.
Other research shows that their fears are not unfounded and are underscored in a highly detailed and widely circulated report – 2024 Community and Mid-Size Banks Cybersecurity Survey – released by the New Orleans-headquartered law firm of Jones Walker LLP that highlights significant vulnerabilities and areas for improvement among the nation’s community and mid-size banks.
“As big banks continue to bolster defenses with sophisticated security technologies, cybercriminals are shifting focus to community and other smaller banks,” warned Jason Loring, a partner and co-leader of Jones Walker’s privacy, data strategy, and artificial intelligence team.
Community and mid-size banks are hesitant to implement emerging technologies like artificial intelligence (AI) for cybersecurity enhancements. With large banks adopting AI, this hesitancy may make community and mid-size banks more vulnerable targets if they do not keep pace.
“AI-based tools, however, can serve as a great equalizer for smaller banks that may have more limited resources, so long as those tools are implemented responsibly,” said Loring. “This can help these banks maintain levels of fraud protection, regulatory compliance, and operational efficiency commensurate with larger institutions.”
Based on responses from 125 banking executives, including senior risk, technology, and information security leaders, the survey provides a detailed assessment of the current state of cybersecurity awareness, confidence, and preparedness, or the lack thereof, in the nation’s banking sector.
“Cyber threats are evolving rapidly, and community and mid-size banks must enhance their cybersecurity posture to protect their customers and assets,” said Andy Lee, a partner and co-leader of Jones Walker’s privacy, data strategy, and artificial intelligence team, and technology industry team.
The survey “reveals that while banks are aware of the risks, many are not taking sufficient proactive measures to prevent breaches,” he said.
There are several key takeaways from the survey which concluded that while post-incident regulatory compliance is “slowly improving,” initiative-driven prevention and preparedness are “lacking.”
The banking sector, it stated, “is highly regulated, which makes data security, data privacy, and data breach compliance a top priority for banking executives.”
However, only 42 percent of respondents felt their own bank was very prepared for cyber threats, considering that only 61 percent of banks have established specific incident response teams with clearly assigned roles and responsibilities and 37 percent fail to encrypt sensitive information.
The lack of due diligence performed on third-party vendors, the report found, is a “significant risk.” While virtually all, 99 percent, of community and mid-size banks in the U.S. rely in part or in full on the services of third-party vendors to address their cybersecurity needs, “only 71 percent hold them accountable for contractual, legal, or regulatory liability, and a mere 23 percent require vendors to indemnify them against data breaches.”
Banks “are highly regulated, but many third-party vendors are not. It is critical that banks conduct thorough due diligence on their vendors and ensure robust contractual protections are in place,” added Rob Carothers, a partner on the firm’s Banking & Financial Services Industry Team.
The November Hunting Ground
2024 saw a record number of cybersecurity breaches in other industry and business sectors with November gaining the dubious distinction of being a particularly rich hunting ground for cyber hackers.
It’s somewhat ironic that the surge in cyberattacks were in November, the previous month – October – having been deemed “Cybersecurity Awareness Month.”
That month saw a breach of U.S. telecommunications companies that was described by Sen. Mark Weaver, chairman of the Senate Intelligence Committee, as the “worst telecom hack in our nation’s history – by far.”
As reported in Cybersecurity news.com, Warner’s appraisal comes in the wake of a massive cyber espionage campaign allegedly linked to China, that involved China-linked hackers intercepting sensitive surveillance data intended for U.S. law enforcement agencies.
According to a joint statement by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), the hackers infiltrated the networks of several telecom companies, stealing U.S. customer call records and communications from individuals primarily involved in government or political activities with the hackers gaining access to both telephone conversations and text messages.
The hackers have been identified as part of a group known as “Salt Typhoon” and may have maintained access to the compromised networks for months or longer.
The month saw another major cyberattack when a critical vulnerability in the widely used MOVEit file transfer software led to one of the most extensive corporate data leaks in recent history. The security breach affected millions of employees at 25 major U.S. and international entities in a variety of business sectors from banking and insurance to retail and air travel.
According to cybersecurity analysts, the breach, attributed to a zero-day vulnerability known as CVE-2023-34362, “exposed sensitive employee information from global companies in the finance, technology, healthcare, and retail sectors.”
The breach allowed a “threat actor” operating under the alias “Nam3L3ss” to release vast datasets containing detailed employee records stolen during the MOVEit attacks in May.
The leaked data included names, email addresses, phone numbers, job titles, and, in some cases, entire organizational structures. The leaked datasets contain highly structured information, revealing not only contact details but also sensitive internal data such as cost center codes and departmental assignments.
Global online retailer Amazon was the most severely impacted with more than 2.8 million records stolen from HP, Delta Airlines, Charles Schwab, 3M, Lenovo, Canada Post, Urban Outfitters, Bristol Myers Squibb, British Telecom, McDonald’s, and others.
Cyber crooks also struck at SelectBlinds, the online retailer specializing in custom blinds and shades, exploiting a data breach that exposed the sensitive information of more than 206,000 customers.
The breach, attributed to a sophisticated cyberattack, allowed hackers to embed malicious software on the company’s website, enabling them to harvest customer data over a period of months.
According to the company, the breach was uncovered in late September 2024, but further investigation revealed that the malware had been active on its checkout page since early January.
During this period, the malicious code silently skimmed sensitive customer information, including credit card details, names, addresses, phone numbers, and login credentials. The most alarming aspect of the breach is the exposure of full payment card details, including card numbers, expiration dates, and CVV security codes.
Also in November, North Carolina-based Ahold Delhaize USA, the parent company of Stop & Shop, Hannaford, Food Lion, Giant, and several other branded supermarkets, was struck by a cyberattack that impacted pharmacy operations and deliveries of produce, meat, poultry and other products to many of its markets in Massachusetts, Connecticut, Delaware, Georgia, Kentucky, Maryland, Pennsylvania, South Carolina, Tennessee, North Carolina, Virginia, and West Virginia.
The breach also crashed Hannaford’s website and some of the companies’ systems were taken offline to “help protect them” after the cyberattack was identified, while several other key operations were disrupted, the company said.
What to Do
In 2023, business and industry advisor Deloitte issued its “2023 Global Future of Cyber Survey,” which found that there was a gradual shift in thinking among company decision-makers in industries across the board who have come to see cybersecurity as an enabler of business operations, not merely a backstop for preventing losses.
“That’s the perspective companies have to have when it comes to cybersecurity,” said Fred Rica, a partner in the advisory practice at professional services firm BPM in an interview with TechTarget. “It allows them to do things they couldn’t do before, and allows them to be more efficient, save money, and be more productive.”
While there is no “one size fits all” approach toward crafting an effective cybersecurity strategy, there are certain benchmarks that can be used to proactively mark the correct path to navigate.
Those markers, the survey concluded, should include:
- Crafting a cybersecurity plan to mesh with specific business goals;
- Determining what critical processes and assets are required;
- Realigning those assets and the personnel accordingly;
- Realistically assessing system security weaknesses to find gaps that need to be filled;
- Ensure that employees are trained and committed to adhering to security policies and procedures;
- Assuring that funding is available to create and maintain an effective security strategy; and,
- Drafting a plan to respond quickly and powerfully should an attack take place.
