What are the top five threats to financial services orgs? Imperva investigates

By Catherine Knowles
Mon 23 Aug 2021

Between January and May 2021, web application attacks on the financial services sector increased 38%, driven in part by the impact of the COVID-19 pandemic.

This is according to new research from Imperva Research Labs, which finds that financial services holds the title of ‘most breached sector’, accounting for 35% of all data breaches.

The pandemic has driven large scale growth in online banking, dramatically increasing the volume of sensitive customer data that’s available to steal, Imperva states.

According to the company's recent research, there are five stand-out security threats for the financial services sector.

Sensitive data breaches

The surge in online banking and wider digitalisation within the financial services sector has resulted in most organisations needing to manage dramatically higher volumes and greater complexity of data, Imperva states.

This, along with the prospect of stricter data privacy laws on the horizon, is making sensitive data protection an unprecedented challenge.

The speed of change in this industry makes it difficult to ensure that security controls are applied to every data store, which exposes many financial services organisations to increased risk of a data breach. Cybercriminals know this.

Attacks on sensitive data are escalating at a high rate. Imperva Research Labs reported that more than 870 million records had been compromised in January 2021 alone. This is more than the total number of compromised records in all of 2017.

DDoS attacks

Layer 7, or application layer, DDoS attacks target the top layer of the OSI model, the application layer, at which applications such as web servers communicate over internet protocols.

Imperva states that the goal is to overwhelm server resources by flooding a server with so many connection requests that it is no longer capable of responding. The higher the number of requests per second (RPS), the more intense the attack.

Imperva's Digital Banking Report found that “improving the customer experience in banking” should be the first goal for financial service providers.

Those that invest in mitigating attacks that degrade the customer experience have higher rates of recommendation, greater wallet share, and are more likely to up-sell or cross-sell products and services to existing customers, the researchers state.

On the other hand, when customers are denied access to their online banking services the reaction is one of indignation, often resulting in complaints on social media platforms, switching to a different provider, and damage to the bank's brand.

Imperva Research Labs finds that the number of requests per second (RPS) in Layer 7 DDoS attacks targeting financial services has tripled since April 2021.
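The RPS measure the article leans on is also the simplest signal a defender can compute from ordinary web-server logs. The following is an added example (not Imperva's code or part of the original article): it buckets constructed combined-log-format lines by second, flags seconds whose RPS is at least three times the median baseline, and summarises what was hit. The log lines, addresses and paths are all constructed sample data.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Combined-log-format prefix: client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def build_sample_log():
    """Constructed traffic, not a real capture: 2 req/s of ordinary browsing for five
    seconds, then a one-second burst of 8 POST /login requests from eight addresses."""
    normal = [f'198.51.100.{i + 1} - - [23/Aug/2021:10:00:0{sec} +1200] "GET /accounts HTTP/1.1" 200 1024'
              for sec in range(5) for i in range(2)]
    burst = [f'203.0.113.{i + 1} - - [23/Aug/2021:10:00:05 +1200] "POST /login HTTP/1.1" 200 512'
             for i in range(8)]
    return normal + burst

def parse_line(line):
    """Return (second, ip, method, path), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts.replace(microsecond=0), m.group("ip"), m.group("method"), m.group("path")

def requests_per_second(lines):
    """Count parseable requests in each one-second bucket."""
    counts = Counter()
    for parsed in map(parse_line, lines):
        if parsed:
            counts[parsed[0]] += 1
    return counts

def flag_spikes(counts, multiplier=3.0, baseline=None):
    """Seconds whose RPS is at least `multiplier` times the baseline. The baseline
    defaults to the median RPS, which a short burst barely moves."""
    if not counts:
        return []
    if baseline is None:
        baseline = statistics.median(counts.values())
    return sorted(ts for ts, n in counts.items() if n >= multiplier * baseline)

def describe_spike(lines, second):
    """Summarise one flagged second: request count, distinct sources, busiest endpoint."""
    rows = [p for p in map(parse_line, lines) if p and p[0] == second]
    endpoints = Counter(f"{method} {path}" for _, _, method, path in rows)
    return {"requests": len(rows),
            "distinct_ips": len({ip for _, ip, _, _ in rows}),
            "top_endpoint": endpoints.most_common(1)[0][0]}

if __name__ == "__main__":
    log = build_sample_log()
    for sec in flag_spikes(requests_per_second(log)):
        print(sec.isoformat(), describe_spike(log, sec))
```

A real deployment would compute the baseline over a much longer window and per endpoint, since expensive requests such as logins are overwhelmed at far lower RPS than static content.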

RDoS threats

In late 2020, Imperva noted a considerable increase in the number of serious Ransom Denial of Service (RDoS) threats, targeting thousands of large commercial organisations globally including many in financial services.

RDoS campaigns are extortion-based Distributed Denial of Service (DDoS) threats motivated by financial gain.

The extortionists often leverage the names of well-known threat actor groups in their extortion emails to demand payment in bitcoin to prevent a DDoS attack on the target's network.

In the first six months of 2021, Imperva Research Labs noticed these threats were rising.

According to Imperva, the attack patterns this year are very similar to those in 2020 where:

  1. The extortionist sends an email, sometimes accompanied by a sample attack (that often takes the company offline for a short period of time).
  2. The target is given a week's notice to get the payment in order.
  3. The extortionist threatens to return with a massive attack at a scheduled time.

Client-side attacks

As highlighted by Imperva, client-side attacks happen when a website user downloads malicious content and enables a bad actor to exploit the website by intercepting user sessions, inserting hostile content, and conducting phishing attacks, for instance.

In financial services, these attacks focus on the skimming of payment information by exploiting third-party scripts used by thousands of websites across many industries.

Financial websites are relying more on third-party scripts to provide better services for their customers, but due to the high volume of digital transactions processing financial assets and other sensitive data, they are a rich target for client-side attacks.

Once credit card details are stolen, the data may be used immediately by cybercriminals to acquire goods or sold to other criminals for later exploitation. In either case, this poses a serious risk. Consumers and their financial services providers don’t find out until it is too late, Imperva states.
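Because the skimming described above rides on third-party scripts, one concrete control is to pin each external script to a known hash with Subresource Integrity (SRI) and to audit pages for third-party scripts that lack it. The following is an added example, not Imperva's code or part of the article; the page fragment, the `bank.example.com` first-party host and the `WIDGET_JS` body are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed third-party script body and page fragment (RFC 2606 example hosts), not real code.
WIDGET_JS = b"window.widget = { version: 1 };\n"

def sri_hash(body, algo="sha384"):
    """Subresource Integrity token for a script body: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

SAMPLE_HTML = f"""
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://cdn.example.net/widget.js"
          integrity="{sri_hash(WIDGET_JS)}" crossorigin="anonymous"></script>
  <script src="https://analytics.example.org/tag.js"></script>
</head><body></body></html>
"""

class ScriptCollector(HTMLParser):
    """Collect the attribute dicts of every <script> tag that loads an external file."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "script" and attributes.get("src"):
            self.scripts.append(attributes)

def audit_third_party_scripts(html, first_party_host):
    """Return the src of each script served from another origin without an integrity attribute."""
    collector = ScriptCollector()
    collector.feed(html)
    missing = []
    for attributes in collector.scripts:
        host = urlparse(attributes["src"]).hostname  # None for relative, first-party paths
        if host and host != first_party_host and not attributes.get("integrity"):
            missing.append(attributes["src"])
    return missing

def verify_integrity(body, integrity):
    """True if the body matches any token in the integrity attribute (browsers accept
    several, space separated); a modified script fails and would be refused."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in ("sha256", "sha384", "sha512") and sri_hash(body, algo) == token:
            return True
    return False

if __name__ == "__main__":
    print("third-party scripts without SRI:",
          audit_third_party_scripts(SAMPLE_HTML, "bank.example.com"))
    print("pinned widget verifies:", verify_integrity(WIDGET_JS, sri_hash(WIDGET_JS)))
    print("modified widget verifies:",
          verify_integrity(WIDGET_JS + b"// injected\n", sri_hash(WIDGET_JS)))
```

SRI pins a script to one known body, so it suits third-party code that changes only on a version bump; for scripts that change continuously, a Content Security Policy restricting script sources is the complementary control.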

Supply chain attacks

Since 1999, the Common Vulnerabilities and Exposures (CVE) system has reported more than 150,000 CVEs (zero-day vulnerabilities) in commonly used software applications and components, according to Imperva.

Of these, more than 11,500 are characterised as critical severity, though it is commonly understood that the vast majority of software vulnerabilities remain unreported.

The front-to-back processing for all financial services integrates a complex set of software applications that involve back office, middle office, risk management, business developers, finance, and IT.

Application Programming Interfaces (APIs) are at the core of these applications, enabling them to communicate with one another.

APIs often self-document information, such as their implementation and internal structure, which can be used as intelligence to attack the software supply chain.

Additional factors such as weak authentication, lack of encryption, business logic flaws and insecure endpoints make APIs even more vulnerable to attack.

As financial services organisations partner with other companies to deliver and receive services, the supply chain attack surface grows and elevates the attack risk.

An under-protected supply chain makes an organisation an easy target for cybercriminals who know that vulnerabilities in software applications and APIs are a way for them to infiltrate and compromise a business.

As most of an organisation’s software these days is not proprietary, attackers will find ways to exploit the many different types of software applications a company may be using.

Since the Sunburst attack in late 2020 and others following it, one would naturally expect the priority of supply chain security to increase within organisations, but it hasn't. This has led regulatory bodies to take aim at the issue, Imperva states.

A closer look at the data being stolen and how to protect it

Imperva Research Labs finds that 74% of the data stolen in the past several years is personal data. This is generally defined as information that can be used on its own or with other information to identify, contact or locate a single person, or to identify an individual in context.

The widespread theft of personal data is a strong indication that many organisations are not putting enough protection into place to secure it, Imperva states.

In many instances, personal data theft from financial institutions is made easier because it is regularly shared between systems, people, and suppliers to complete transactions.

As regulations governing data privacy become more stringent, it will be critical for every organisation to have the capacity to discover, identify and classify personal data across their data estate.

Only when an organisation knows where personal data is hosted and which applications and users are accessing it will it be able to extend the security controls that protect it.

Imperva states the best way to mitigate risk is to ensure the internal team can see the data first; only then can it protect the data and all paths to it.

This means protecting the organisation's websites, mobile applications, and APIs from automated attacks without affecting the flow of business-critical traffic. It must also defend against DDoS attacks, injection attacks and account takeovers outside the network core.

It also means providing business applications with full-function defence-in-depth with web application firewalls (WAFs), bot management, and runtime and API protection.

Most importantly, Imperva states it means having the capacity to discover and tag sensitive personal data as well as enrich and correlate the data to provide accurate behavioural analysis for threat prevention and mitigation.

This enables teams to automate the extension of security controls to all data, whether on-premises or cloud-based, current or archived, to ensure continued compliance reporting, governance, and security for all data sources.
