What makes midsize banks such likely targets of payment hackers? It’s easy to assume that the rewards for hackers targeting smaller banks are proportionally smaller too.
But this is only true if we consider the bank itself. A midsize bank may be holding millions of dollars, whereas a larger bank will have holdings in the billions of dollars. However, if we look at the average customer of both, we’ll find that the value of their accounts is rather similar. Midsize banks attract customers with the same level of wealth as larger banks. This makes them an attractive target for cybercriminals.
Any bank has many requirements to adhere to: the rules of multiple card brands, additional standards such as PCI DSS, and the fact that at least two banks are involved in any transaction. The result is that smaller banks often try to mitigate risk by shifting liability. This is only part of the picture. Midsize banks have much smaller security budgets, less mature security programs and less robust controls than their bigger counterparts.
This leaves them unable to recruit a high level of security expertise or to employ external security testing such as bug bounty programs. Midsize banks often cannot afford their own development teams, which means relying on prepackaged software and hardware solutions. Being reliant on third-party technologies comes with its own risk: ready-made products still require security testing to assess that risk. Without it, banks introduce more vulnerabilities into their environment.
Despite all these issues, there are steps a midsize bank can take to improve its security. First, let’s examine the main ways in which cyberattacks on banks take place.
Phishing emails containing malicious links or files are the most common point of entry into the banking environment for cybercriminals. Due to poor network segmentation and controls, attackers frequently remain in the banking environment undetected for months or even years. Once inside the network perimeter, an attacker has many advantages over the bank.
They have plenty of time and resources, and they can target internal systems such as the bank’s local SWIFT network. Phishing and social engineering are also common techniques employed by attackers against banking customers, which can provide even bigger financial rewards than the bank itself.
Implementing a user awareness program is an effective way to combat these types of attacks, and it doesn’t have to cost an arm and a leg. User awareness programs can harden the bank against phishing campaigns and social engineering attempts. They are also a highly effective way to educate customers about account security and how to remain vigilant online.
With smaller security budgets and fewer controls, attackers see fewer obstacles to compromising midsize banks. These challenges are not limited to banks; they apply to many different companies of this size. Social engineering is one of the oldest techniques used by criminals to infiltrate an organization.