Insights from the Verizon Data Breach Investigations Report

By Stephen Lawton, Contributing Writer

According to the most recent Verizon Data Breach Investigations Report (DBIR), system intrusions have surpassed both miscellaneous errors and fundamental web application attacks, becoming the leading threats to the financial services and insurance industries. Effectively, the report says, attacks on enterprises in these segments reflect the "shift toward more complex attacks, accompanied by a rise in Social Engineering." It goes on to say system intrusion attacks, which fell from dominance in the segment in 2018, are once again leading all others. Social engineering, which was the leading vector in 2019, is on the rise again. Increased visibility outside of the United States confirms ransomware attacks are “alive and well” in Europe, the Middle East and Africa.

“Attackers are only getting craftier, and the financial services industry is a large target,” said Evie Manning, senior director of threat hunting and intelligence at Access Point Consulting. “DDoS (Distributed Denial of Service) attacks are surging in the financial services industry, with powerful botnets and geopolitical motivations contributing to this increase. DDoS attacks can lead to loss of revenue, customer dissatisfaction, and damage to brand reputation. Malware and ransomware challenges, where groups like Cl0P exploit security vulnerabilities, result in leaks of customer data and personally identifiable information (PII),” she said.

“To better protect against DDoS attacks,” Manning advised, “ensure you are traffic scrubbing and deploying DDoS mitigation solutions to filter malicious traffic. Network segmentation is essential to isolate critical services from DDoS attacks.”

The insurance industry is a high-value target for cyberattackers because it holds massive amounts of PII as well as private corporate information. Cyber insurance vendors also hold detailed information about corporate networks and defenses. Manning recommends that companies of all sizes be aware of and compliant with state data privacy laws, as well as federal and foreign privacy laws, including the Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999. Additionally, companies should appoint a data protection officer, the employee designated to oversee data protection measures and conduct risk assessments to ensure data is secured.

Collaboration, probability thinking, and risk management are crucial for CISOs to best respond to breaches, Manning said. CISOs in financial services, professional and technical services, and information technology should focus on improving security measures due to the rise of system intrusion and social engineering. In addition to the standard practice of employee training and implementing appropriate security controls, she recommends regular auditing to identify potential weaknesses before they can be exploited. She also suggests having a well-defined incident response plan to react quickly and effectively when a breach occurs, one that is tested regularly to ensure stakeholders know how to react in an emergency.

Looking back at how some cybersecurity companies fell victim to major data breaches, Manning said that it is not sufficient for enterprises to focus strictly on protecting their customers’ and partners’ data; they need to protect their own as well. “How many of the organizations are applying [internally] their own recommendations, daily practices and the like as they are for customers?” she asked rhetorically. They too need to be focused on protecting their own internal processes to secure their organization, she emphasized. “‘Practice what you preach’ comes to mind,” she quipped.
