By Gary Newe, Technical Director, F5 Networks

Securing organisations against an evolving range of online threats is a requirement in today’s market. But businesses in all sectors are still struggling to protect themselves from the range of potential attack vectors. In particular, financial services organisations across EMEA are increasingly exposed to and concerned about the rising menace of web fraud threats. Our insights are drawn from a survey of more than a hundred IT decision-makers at financial services organisations across EMEA with more than 250 employees[1], which revealed that almost half of those surveyed have experienced notable financial losses in the past two years due to web fraud threats.

Financial institutions have the most high-profile, high-value assets on the internet: millions of bank accounts. The global nature of the internet means that these assets attract ambitious attackers from all around the world. Web fraud is where financial services institutions have customer or financial data compromised by means across the internet, such as phishing attacks, man-in-the-middle attacks or other Trojan-based activities such as web injections. These types of threats have been in the market for a number of years now but, as customers increasingly use online and mobile applications to manage their finances, the opportunities for attacks from hackers are also on the increase.

In the report, IT decision-makers revealed how they constantly face significant financial and reputational hits due to malware, phishing, credential grabbing and session hijacking attacks. For those responsible for protecting these financial organisations, the range of threats and the speed at which they are evolving can seem like an impossible task to counter.

Damage has already been done. The survey found that 48% of organisations had experienced financial losses between £50,000 and £500,000 stemming from online fraud within the last two years. A further 9% forfeited more than £500,000 and 3% over £1m. A significant 73% cited reputational damage as the main concern for such attacks, whereas 72% feared loss of revenue and the burden of requirements to conduct extensive security audits. Certainly we’ve seen a number of high profile hacking attacks at UK and international financial organisations in recent years, with varying degrees of success, but the reality is that most consumers will simply recognise that their bank may have lost their sensitive information, undermining the relationship with reputation damage and potentially causing lost business as consumers switch providers.

Historically, enforcing web application security and compliance policies across a variety of traditional and cloud environments has meant greater complexity, security gaps, and higher costs. As a result, a number of organisations chose to sideline protection for their businesses. The reality is that this is no longer the case and businesses must prioritise their security processes to ensure that they have measures in place to protect against all forms of attack. With the introduction of security tools available as-a-service, organisations are also in a position to benefit from tools which are updated regularly, to support them against the latest wave of threats and whatever format they may take. Once a time consuming and costly task, these types of services are also now available without lengthy implementations or significant cost investment.

For those looking to protect themselves, one of the challenges historically has also been in presenting security as a priority to the wider business, not only in securing sign off for any investment required, but also in educating employees as to how to best protect the business. With recent experiences in the sector, these conversations are increasingly coming to the fore and those responsible for implementing tools to protect the business must ensure that they have the most appropriate tools in place for their workforce and customers.

Whether it is phishing attacks, Man-In-The-Middle, Man-In-The-Browser or other Trojan-based activities such as web injections, form hijackings, page modifications and transaction modifications, the dangers of web fraud are unavoidable and extensive for many organisations. More than ever before, it is vital to understand the nature of the threats and to implement solutions that eliminate attacks before they do real damage. Those that get it right will be rewarded with customer loyalty and profit. Those that don’t risk incurring the very thing that they are most concerned about: damage to their reputation and, ultimately, a negative impact on the bottom line.

[1]Survey conducted by IDG Connect (www.idgconnect.com) with more than 100 IT decision-makers at financial services organizations with more than 250 employees. The survey captures responses from the UK, France, Germany, Italy, Spain, Netherlands, Sweden, Poland, the UAE and Saudi Arabia