In the crosshairs: why banking leaders must wake up to the ransomware challenge
By Lewis Duke, Sales Engineer at Trend Micro
The global financial sector is highly regulated. Organisations are typically well insured and relatively profitable. Their services are considered a critical part of national infrastructure. And among businesses analysed by the UK government this year, it was judged the sector most likely to hold personal data on customers. For ransomware actors on the hunt for prospective targets, this ticks just about every box. Yet still many business leaders ignore the threat to their organisation. A recent Bank of England study found just 37% expect the risk of cyber-attacks to materialise.
Banking sector CISOs know better. They understand that the attacking team has the advantage in this high-stakes game. And that regaining the initiative will need budget not only to get the basics right, but to go beyond—with enhanced visibility to rapidly respond to breaking incidents.
The ransomware threat
This is not security vendor hyperbole. Ransomware has been described many times by the UK’s National Cyber Security Centre as the number one threat facing SMBs and enterprises. The cybercrime underground has evolved over the past decade to provide budding threat actors with all the tools and know-how they need to launch sophisticated attacks. Specialised hackers known as initial access brokers do much of the first-stage heavy lifting, gaining a foothold into networks and then selling this on to ransomware groups. “As-a-service” packaged offerings advertised on underground sites take yet more of the strain, allowing a broad range of criminal groups to participate.
Typically, they’ll steal data before attempting to encrypt it, thus providing two opportunities for extortion. Many go further, threatening the victim organisation with DDoS attacks, calling up customers and partners to tell them about the incident, and even defacing the victim’s corporate websites with a ransom note. But whatever happens, the end result is usually the same: significant financial and reputational damage for the victim organisation which goes way beyond the cost of the ransom. It could result in regulatory action, class action lawsuits, productivity losses, customer churn and significant IT consulting costs, among other things. That should put the focus for financial sector leaders firmly on preventing and containing incidents.
Firms under fire
A recent Trend Micro poll of business and IT leaders from global financial sector firms at least revealed that most understand the scale of the problem. Some 79% agree that the sector is a more attractive target than others, and 87% believe they’ll be a target going forward, which is more than any other sector we studied.
This mindset is partly informed by recent history. We found that around three-quarters (72%) of global financial services firms have been compromised by ransomware at least once over the past three years. Most had data encrypted and then leaked. And the vast majority (92%) said operations were impacted, taking days (53%) or weeks (21%) to resolve. That’s time and money which could otherwise be spent on digital transformation and other high-value growth projects.
Where the smart money goes
Yet despite high levels of awareness and previous experience of being a ransomware victim, most (75%) financial services firms choose to believe that they are now adequately protected. That figure is higher than in any other sector, by quite some way. It fails to acknowledge two critical facts about the current threat landscape: that attackers only need to get lucky once to cause significant damage, and that what might be “secure enough” today may be woefully inadequate tomorrow.
Financial sector firms may have bigger budgets than most. But it will be for naught if the money is not directed to the right areas. It’s also worth remembering that ransomware groups themselves often have deep pockets. A data leak at the infamous Conti group earlier this year revealed it spent $6m annually on salaries, tools and services.
So where should security budgets be focused? Cyber-hygiene is important. We found that most financial services firms are getting the basics right, by enhancing security against threats arriving via email, remote working infrastructure and software vulnerabilities. These are the top three ways threat actors begin to gain a foothold into organisations. But many are still lacking critical detection and response tools which alert teams when hackers have already got inside the network. Given that it's impossible to 100% prevent an attacker from doing so, these solutions are vital to providing an early warning system so that action can be taken to contain the threat before any damage can be done. Perhaps as a result of this cybersecurity gap, fewer than half of respondents say they can detect initial access to their systems (44%) or malicious attempts to traverse their networks (33%).
Building a more resilient sector
Financial services firms are also exposed by their business partnerships. Over half (56%) say a supplier has been compromised by ransomware in the past, and a similar number believe their suppliers make them a more attractive target. They could be right. A majority admit that a significant number of suppliers are SMBs, which often spend less on security and therefore could be compromised en route to their partners.
An additional concern is that most (52%) respondents have a “significant” number of suppliers that are SMBs, which often have fewer resources to spend on cybersecurity. Financial services firms could improve the security posture of this ecosystem by sharing more ransomware intelligence with these third parties, but many don’t do so. It could be that they’re concerned about spilling business secrets, or that the information is not being collected in the first place.
The bottom line is this: as long as there are security gaps to exploit, victims prepared to pay and hostile states happy to shelter the criminals, there’s no end in sight to ransomware. Getting the security basics right is important. But this must be complemented by real-time insight into threat activity. With the agility and visibility to react rapidly to emerging breaches, financial firms can contain risk before it spreads, and help to build a more resilient sector.