By Ashish Gupta
Each year, financial institutions are 300 times more likely than companies in other industries to experience a cyberattack. This challenge is further compounded the more digital assets a company has. For example, in partnership with Bit Discovery, we assessed the attack surface of numerous global financial services companies in our Investment Banking and Credit Issuer State of the Attack Surface report, and found each institution had as many as 110,683 Internet-connected assets that could potentially be exploited for vulnerabilities.
As financial organizations increase in size and service offerings, their potential attack surface increases as well—inherently raising the number of potential security vulnerabilities. Taking an offensive approach is a highly effective and necessary action for financial institutions to better prepare against advanced attacks as well as mitigate risks. Vulnerability disclosure programs, penetration testing (pentesting) and leveraging the power of crowdsourced security are three ways financial services providers can proactively elevate their security posture.
Employ a vulnerability disclosure program to identify weaknesses
A vulnerability disclosure program provides a way for anyone to report potential security risks to an organization. While this can be extremely helpful for financial institutions to learn about vulnerabilities in their digital assets, they can easily become inundated and overwhelmed with reports from the well-meaning public. This is where it is helpful to leverage a partner that can provide a designated team tasked with the responsibility of triaging and prioritizing vulnerability submissions.
Lean on pentesting for comprehensive assessments
Pentesting provides an overall assessment of specific targets with the attack surface by simulating a cyberattack to identify weaknesses, strengths and potential security issues, creating a comprehensive analysis of current postures. This process is performed by ethical hackers with an organization’s consent and approval, and includes a multitude of steps to determine the security posture’s overall strength and susceptibility.
Neighborhood watch
Vulnerability disclosure programs and pentesting are also effective strategies that help financial organizations lower the risk of security incidents. These methods are powered by crowdsourced security, which has gone from a “nice-to-have” feature to a necessity for most enterprises. But, organizations should take one more key step in the proactive security process to robustly and regularly defend systems with crowdsourced security.
The X-factor for financial defense: Crowdsourced security
Crowdsourced security tasks a group of public security experts and analysts (a crowd of cyber locksmiths) to test an asset for vulnerabilities and security gaps. The number of people can range from less than a dozen to several hundred testing concurrently. The more people looking for vulnerabilities, flaws in security structures and emerging threats, the more prepared financial institutions will be for a potential attack. Because of the wide mix in technologies used today, the crowd can cover extended ground by augmenting traditional security teams, increasing the ability to identify and remediate flaws that would have been missed by smaller, resource-strapped teams.
For example, Personal Capital, a hybrid digital wealth management company, needed a way to streamline its data analysis as it worked to identify weaknesses. At the time, the organization would run a scan and send the results to engineering with little visibility on the quality of results or instructions on how to remediate. This led to the organization wasting valuable time and resources analyzing bad data.
By launching a managed vulnerability disclosure program through a partner, Personal Capital saw immediate results in the quality of vulnerability findings it discovered, and was able to integrate crowdsourced security into an ongoing and holistic security program using the most innovative technology and creative thinking available.
Western Union offers another example of how a crowdsourced approach can take a financial organization’s security strategy to the next level. Western Union began with a private, invite-only bug bounty program and scaled the company’s bug bounty program over time, becoming one of the first organizations in the financial sector to launch a public bug bounty program. Through a managed bug bounty program, Western Union’s security and development teams have been able to focus on the findings themselves, as well as other projects, while skilled researchers crowdsource information and identify valid vulnerabilities.
I remember the CISO of a major financial institution saying to me that he knew his organization would be breached one day but he wanted to be known as the person who tried various layers of security to increase the cost of attack, while minimizing the gains of such an attack. In his mind, crowdsourcing gave him that extra advantage.
Crowdsourced security is gaining traction
The global crowdsourced security market is expected to grow to $135 million by 2024, as enterprises are understanding that leaning on the public to identify vulnerabilities and threats can provide a comprehensive defense posture. Crowdsourced security also lowers security costs and operational overhead. There is no agent software on applications or clients, and no software instrumentation to support. There are no network devices or virtual appliances to install and manage. Ultimately, crowdsourced security is designed to minimize IT hassle and additional systems configurations while acting as an additional arm for your security division.
Banks are responsible for safeguarding sensitive financial information and assets, making them a top-of-the-list target for threat actors. By leveraging public, crowdsourced security to implement VDPs and pentesting, financial services organizations can significantly reduce their risk.
Ashish Gupta is CEO and president of Bugcrowd.