The risk of cyberattack on financial services firms cannot be overstated. Cyberattacks cost financial services firms more to address than firms in any other industry at $18 million per firm (vs. $12 million for firms across industries). Financial services firms also fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries. In other words, while the typical American business is attacked 4 million times per year, the typical American financial services firm is attacked a staggering 1 billion times per year, which equates to nearly 2,000 attacks per minute or over 30 attacks per second. The rate of breaches, or theft of sensitive data, in the financial services industry has tripled over the past five years.
Among financial services firms, banks lost $16.8 billion to cybercriminals in 2017. Attacks on SWIFT—the leading global network for money and security transfers—alone cost $1.8 billion year-to-date. Costs of cybercrime also include regulatory fines, litigation, additional cybersecurity following the breach, the need to respond to negative media coverage, identity theft protection and credit monitoring services to customers affected by breach and lost business due to reputational damage. According to Ponemon Institute’s consumer sentiment study, data breaches are in the top three of incidents that affect reputation, along with poor customer service and environmental incidents.
The financial services industry is now among the top 10 sectors investing in IoT solutions. IoT is proving inordinately valuable to the financial sector as it brings increased transparency, automation of trading and investment activities, payment transaction security, and improved customer services.
The IoT Security Challenge
Unlike traditional computers that can be secured from the inside, IoT devices are black boxes, and today, enterprises using these devices are completely dependent upon the manufacturers to provide security. Even with devices that are relatively secure, the deployment of IoT networks is incredibly complex and leads to vulnerabilities. Oftentimes, networks need to be reconfigured to create special segments, access controls, VPNs, and firewall policies every time a new type of device is added. This incredible complexity and dependence upon manufacturers for security simply is not working. The statistics above illustrate that simple fact.
When you add it all up, you start to understand why IoT devices are fast becoming the preferred vector (and often the preferred target) of hackers. Despite the fact that less than 40% of attacks in 2017 involved phishing, most CISOs believe that this is the most common access technique. The reality is that advanced hacker teams and nation-state actors have been leveraging IoT devices, including network infrastructure, as their preferred attack vector for years. The reason is threefold: (1) users are becoming more aware and less susceptible to phishing attacks, increasing the chances of detection, (2) IoT attacks are simpler, stealthier, and more reliable when they are available, and (3) attackers can maintain a persistent foothold on IoT devices for months or years without being detected.
I Want a New Stack
The reason these attacks work well and go undetected for so long is because today’s enterprise security stack simply was not designed to handle myriad unmanaged, single-purpose, black-box devices. The entire industry has been designed to protect powerful, transparent, multi-function endpoints that can be monitored and inspected. Traditional endpoints have their own challenges (like humans running arbitrary software on them), so it is not a matter of one type of security being easier than the other. It is simply that IoT security is different than traditional IT security. IoT endpoints have very different behaviors and security characteristics, and thus, a new solution is needed.
Today’s security stack is fundamentally broken when it comes to IoT. Most organizations cannot even identify the devices on their networks – let alone detect and respond to attacks. Finite State is offering our partners a new security stack that is designed from the ground up to fill gaps created by black box IoT devices. Our team, including some of the best IoT hackers in the world, has compiled the largest data set of IoT risk and attack data available, and we are making that available to you in our suite of products. Stakeholders across financial services cannot depend on OEMs alone to provide security for your IoT deployments. You need real IoT security today.