Pub. 10 2020-2021 Issue 6

O V E R A C E N T U R Y : B U I L D I N G B E T T E R B A N K S — H E L P I N G C O L O R A D A N S R E A L I Z E D R E A M S March • April 2021 11 ransomware are growing — along with the maliciousness and so- phistication of attacks. • I ncreased Surface Area for Attacks: Due to the size of today’s remote workforce, attackers are targeting home networks — which are typically much weaker than in-office networks — to gain access to corporate data. Employees’ personal devices are also often tar- geted, providing attackers with a base to operate from within home networks and allowing them to monitor or intercept secure traffic. • C redential Stuffing Attacks: In this type of attack, botnets conduct brute-force password attacks using compiled lists of stolen credentials against login interfaces. Recently, the FBI reported that credential stuffing accounted for 41% of financial sector cyberattacks. • P oint of Sale (POS) Skim Attacks: POS skim attacks occur when a criminal copies card payment information using POS processing devices, which are used everywhere from ATMs to gas station pumps. Despite the massive transition to e-commerce during the pandemic, these types of attacks have continued as criminals use digital skimmers to steal payment information from e-commerce websites. Emerging Cybercrime Trends for 2021 Although the threats discussed above indeed pose a risk to financial institutions and other organizations, there are several emerging cyber threats to consider as well. Institutions must stay vigilant, especially as many employees continue working remotely. • S upply Chain Attacks: This attack occurs when a bad ac- tor targets a software vendor to deliver malicious code through seemingly legitimate products or updates. The recent SolarWinds breach is an example of a supply chain attack, which is becoming an increasingly popular method to distribute malware. • V irtual Private Network (VPN) Attacks: As remote work becomes the norm for many organizations, cybercriminals will likely continue VPN attacks in an attempt to gain access to corpo- rate networks and data. Many home networks do not have strong passwords set up or lack security protocols, presenting vulnerabili- ties for criminals to target. • C loud-Based Attacks: Many organizations are migrating more of their infrastructure to the cloud, prompting cybercriminals to shift more of their efforts to cloud- based attacks. Institutions must ensure their cloud infrastructure is securely configured to prevent harmful breaches. Strengthening Security for Your Institution Financial institutions should consider the following strategies to protect their networks and customers while strengthening their cybersecu- rity posture. • Create Stronger Passwords: Institutions should enforce stronger password requirements for employees and customers to prevent unauthorized account access. Many organizations previ- ously recommended 8-character, frequently changed passwords, but current best practices dictate using passwords consisting of 14 char- acters or more and changing them once per year or as needed. • Utilize Multi-Factor Authenti- cation (MFA): True MFA — not just double passwords — should be used whenever possible. With MFA, multiple authentication factors are required to verify a user’s identity. This verification strengthens resiliency and pre- vents fraudsters from accessing an account solely by obtaining or cracking a password. • E nhance Employee Educa- tion: Your institution should enhance employee and customer education efforts. Instead of one annual training, provide frequent information that delivers basic se- curity principles and news about timely issues. Focused trainings are also recommended based upon an employee’s responsibili- ties and access rights. Employee education will also reinforce proper online conduct and nor- malize communicating with IT after encountering a potentially malicious link or other risks. • S ecure Internet Access: It is critical to ensure proper network security for employee VPNs and their home networks. Encourage employees to use high-quali- ty routers with strong network passwords, run current security protocols and install up-to-date virus and malware protection on personal and corporate devices. Your institution should also review your VPN access and removal policies, acceptable use of business devices, and any other relevant corporate policies. Facing Future Cyber Threats As your institution navigates this new landscape, ensure the proper se- curity controls are in place to enhance your risk mitigation and stay one step ahead of emerging cyber threats. n Ty ler Leet ser ves as di rec tor of Ri sk and Compl iance Ser - v i c e s f o r C S I ’ s Regu l a t o r y Compl iance Group.