"As email remains the most common threat vector and its volume and sophistication of attacks is expected to increase, financial firms need to layer multiple security technologies to protect their email systems."
Financial services firms have recently seen a major rise in digital transactions, mobile banking and overall email volume, driving them to add more scalable cloud-based systems to their core legacy systems — especially for email.
As a result of this, the research finds the potential for cybersecurity breaches has risen. 62% of financial services organisations believe it’s likely, extremely likely, or inevitable that their company will experience negative business impact from an email-borne attack during 2021.
Email volume increased last year in 81% of finance organisations, leading to an increase of email-borne attacks on the sector. 60% of respondents saw increases in phishing with malicious links or attachments over the past year (including 24% who said the increases were “large”) and 42% noted increases in misuse of their brands via both email and spoofed cloned web domains. On top of this, 42% of respondents saw an increase in their brand’s misuse in cloned websites and 11% saw large increases in emails that misappropriated their brands.
This has led to a real fear amongst financial services organisations that they will experience a breach in the future. 57% of respondents expect the volume of attacks to be among their biggest email security challenges of 2021 and 64% also name increasingly sophisticated threats among their biggest email security challenges. Ransomware attacks are pervasive within financial services, with more than half (53%) of the surveyed companies indicating that a ransomware attack somewhat or significantly impacted their business within the last 12 months. This has led to 30% of financial services companies having between one and four weeks of downtime from a ransomware attack, forcing 44% to have paid a ransom (compared to an average of 27% across other industries).
Despite this increased threat, many financial services organisations have not put the necessary protections in place. Only 44% of financial companies provide security awareness training on a monthly basis or greater frequency, compared with 46% of companies across all industries. The largest concentration of finance companies — 37% — provide only quarterly training. On top of this, 47% of finance firms surveyed do not have a cyber resilience strategy already in place.
Johan Dreyer, cybersecurity expert at Mimecast, said: “The use of digital and mobile in the financial services industry is only set to increase further, so we are definitely going to witness an increase in the rate and sophistication of cyberattacks on finance firms and their customers. As email remains the most common threat vector and its volume and sophistication of attacks is expected to increase, financial firms need to layer multiple security technologies to protect their email systems. This will ensure any active threat can be dealt with as quickly and efficiently as possible. Such multi-layered defences complement and backstop one another - if a given attack sidesteps one defence, there are others in place that can stop the threat.
"The threat of ransomware in particular and its potential costs all continue to increase. While most of these attacks are email-borne and layered defences can help, protecting data with rigorous backup and retention policies — that include off-network repositories — are important solutions for mitigating permanent loss of data for financial firms. The biggest potential difference can be made shoring up cybersecurity’s weakest links: the people. Financial firms need to extend their leading security awareness training practices with more personalized/individualized training and greater frequency. Preserving customer trust and reputation are critical to a financial firm’s business success.”
