The Rising Cybersecurity Risks That Will Plague Banking in 2023

Hackers, social engineering fraudsters, human error and customers who are just plain careless with credentials are all security threats that banks and credit unions must take into account. Prevention requires an in-depth, multiyear strategic plan, not a short-term, quarter-to-quarter focus that leads only to reactive, merely tactical solutions.

Security breaches have become one of the biggest threats to financial institutions. Remote working, cloud computing and the current geopolitical climate have all played a part, but older forms of infiltration also continue. For example, recent years have seen a sixfold increase in malicious emails designed to trick people into giving away login credentials, a type of attack known as “social engineering.”

Banks should be the safest place for people’s money. Indeed, they have a fiduciary responsibility to proactively mitigate and manage risk for account holders. Unfortunately, bank and credit union executives often don’t understand how severe the problem is. Data at risk leads to identity theft and funds stolen electronically. Ultimately, reputations erode.

Outlined here are some of the top threats that lie ahead and the approaches we’re seeing to address them.

How Cybercrime Is Hitting Banking Today

We believe financial institutions will place a heavy emphasis on implementing passwordless solutions with a requirement of multi-factor authentication (MFA). A 2021 Forrester survey noted that 67% of corporate leaders were in the process of adopting passwordless authentication for their employees and partners, a trend we think will—and should—continue in banking.

With the adoption of cloud computing and hybrid environments, we will see an urgent need to implement Secure Access Service Edge (SASE) solutions. Tech improvement breeds exposure: because most companies started with on-premise equipment and have moved apps, workloads and storage to the cloud, the attack surface has increased exponentially.

This in turn has created less visibility into the internet environment, eliminating the “secure perimeter,” creating more complexity, and requiring the purchase and configuration of additional forms of protection.

The more complex an environment, the more human error we see. Put simply, SASE methods push security onto the cloud.

In the coming years, artificial intelligence and machine learning will continue to be a major factor in cybersecurity for the financial services industry and industries abroad. We’ve started to see this already in some cutting-edge security products that are coming to market – “good bots” pitted against “bad bots,” for example.

Automation is another big factor—both as risk and benefit—as companies move to automate everything they can. We will start to see more low-code and codeless platforms which aim to make organizations more efficient while cutting down on human error.

Where Cyberthreats to Banks and Credit Unions Arise

How can financial institutions do more to prevent cybercrime? First, they need to be aware that this is a long-haul process — and must plan for it. Improving cybersecurity is a journey, not a sprint. An in-depth, multiyear strategic plan is called for, not a short-term, quarter-to-quarter focus that leads only to reactive, merely tactical solutions. Budget Cutbacks Undermine Cybersecurity: Even when strategic plans are developed, they are often undercut by midyear budget cuts and executive churn that stymie progress.

Firms need to understand and assess the range of risks they face, starting with internal threats. Errors and mistakes that compromise security happen frequently, and steps need to be taken to better safeguard against them. Whether they take place in the office or remotely, malicious acts by employees and contractors are also a significant risk.  

External threats come from a mix of technology and people. Human hackers and automated bots alike constantly probe systems looking for vulnerabilities. Customers are essentially the external counterpart to employee error; they represent the riskiest component in the entire threat ecosystem because their inadvertent lack of care and precaution introduces significant vulnerabilities through things like logging on through open internet connections, using predictable passwords, and failing to update their security credentials.

Social engineering continues to represent a significant security threat. Cybercriminals rely increasingly on psychological manipulation, rather than technology, and they target both employees and customers.

Phishing emails, which employ psychological manipulation techniques to fool the recipient into opening a link or attachment that contains malicious software, are one example of a tried-and-true social engineering scam. Some prey on people’s fears, anxieties, or emotions, causing them to lower their defenses and let a hacker into their system. Others invoke a sense of scarcity or urgency to goad a victim into acting quickly without thinking.

A Broad Plan of Attack on Cyberthreats

Financial services organizations need to improve their processes, engineering and technology to protect against these risks. Systems reliability engineering needs to be improved, if only because, despite the many concerns about hackers and other nefarious actors, only 6% of all failures at major banks are caused by external forces. Most system availability problems occur because of bad change processes, poor software, deployment issues, incorrect specifications, and other issues.

Security can be improved through several means, but multiple layers of protection are called for. Passwordless logins that use biometrics and tokenization provide login protection that is more secure than passwords.

Behavioral analysis and pattern recognition are also powerful tools to improve cybersecurity — building customer profiles makes aberrant or fraudulent behavior easier to detect so that, for example, credit card charges that are outside the cardholder’s usual activity can be declined.

About the Author

John Carey

John is a highly experienced Managing Director responsible for leading AArete’s Technology Solutions group, advising clients on technology strategy, development and implementation with a focus on profitability improvement, cost reduction and increased operational efficiencies. With experience working cross-sector as a CIO / CTO for high profile organizations such as HSBC, Lloyds Banking Group, Harrods and Barclays, he gained a track record of creating key change capabilities for complex business demands through technology solution delivery. Prior to joining AArete, he founded technology consultancies and spent 10+ years directing his company’s technical management and product development strategies. John is a graduate of Sheffield Hallam University, where he completed Master programmes in Enterprise Systems Management and IT Management and is a member of the IET and IEEE.