Security Experts:

Money is Everywhere, Should We Think More Like Banks?

Other Industries Should Look to Intelligence Teams in the Financial Sector for Guidance and Lessons Learned

Why do thieves rob banks? Because, that’s where the money is. Whether this question was actually asked to the infamous bank robber Willie Sutton is debatable, but it’s well documented that for centuries, thieves have targeted financial institutions.

In the digital age, where virtually all business is now conducted online, cybercriminals could be asked why they steal data, run business email compromise campaigns (BEC), and spread ransomware? To which they could just as easily answer, “because, that’s where the money is.”

Indeed, it is.

The Rise of an Industry

When businesses began their journeys into the online world, relatively few foresaw how lucrative and costly the cybercrime industry would become. Some cybercrime watchers estimate that the cybercrime industry is now worth $1.5 trillion, which is roughly equivalent to the value of Apple and Facebook combined. The FBI reports that in 2019, BEC scams cost businesses $26 billion. By some accounts, last year perpetrators used ransomware to rake in $6 billion. Following the Equifax mega breach several years ago, it became impossible to estimate how much the black market for stolen personal data grew to be worth, but we did just learn that underground criminal forums now contain as many as 15 billion credentials

Without question, cybercrime is where the money is.

How do Banks Think About Security?

From the beginning, banks have been keenly aware of the threats to their businesses posed by criminals. So, for banks, investments in security are a cultural norm. As most of the business world moved online, it is surely not coincidental that financial services organizations were some of the first to seriously consider threats in cyberspace as well. By some accounts, they spend the equivalent of $3,000 per employee annually on cybersecurity alone. One report reveals that banks like J.P. Morgan Chase spend up to $600 million every year on cybersecurity while maintaining a support staff of as many as 3,000 dedicated personnel.

What’s important to understand is that financial institutions recognize that money (and anything that can be quickly turned into currency) is constantly sought after. This is an outlook that all businesses should adopt regarding the data they are protecting. Because, in an online world of cybercrime and espionage, currency can also be measured in how much data can be stolen, how far ransomware can be spread, and how easily users can be fooled.  

We could speculate endlessly about why non-financial industries aren’t as sound from a security perspective. It may be that the length of time that other industries have been victimized, in conjunction with fewer regulations, hasn’t yet pushed them to shift to a bank-like security mindset. Talent shortages and restrained budgets may also play a role in security postures that, when compared to the banking industry, are not as effective. Whatever the reasons, we can’t ignore that, when it comes to digital protection, many industries would benefit from thinking more like financial institutions.

Can They Catch Up?

Prior to going online, doctors’ offices, retailers, business services, and other industries likely did not anticipate how difficult it would be to secure their data and systems in the digital world.

For instance, when doctors’ offices started digitizing patient records they likely didn’t know they’d become commodities on the Dark Web. When online retailers configured shopping carts and credit card payment fields, they didn’t anticipate how easy it would be for criminals to execute man-in-the-middle attacks. When a group of hackers known as the Cult of the Dead Cow released “back orifice,” not many anticipated that zero days would spur an entirely new market. When ransomware showed up, few anticipated that threat actors would be able to turn that technique into a multi-billion dollar criminal business model. Cryptomining, one of the most recent and growing concerns, was unimaginable when Bitcoin was first invented in 2009.

Fortunately, cybersecurity concerns like these have been helped into the mainstream by the sheer number of attacks and data breaches that have transpired. Rampant news coverage about these events, and genuine desires to protect bottom lines and jobs at the highest levels, continue to drive increased investments in security in industries other than banking.

Despite COVID19-related slowdowns, Gartner predicts that global security spending will remain positive for the remainder of the year. Other reports show that investments in security remain on the upswing. There are also signs that, across the board, organizations are becoming savvier about a wider range of essential solutions and practices that transcend the traditional.

According to one top analyst firm, things like threat intelligence — once thought of as the exclusive domain of ultra-geeky security-focused organizations — are beginning to gain a foothold across more industries. The same group noted that while banks continue to show the most interest in threat intelligence, over the past 12 months healthcare organizations have doubled their research into it, manufacturers have increased their interest in threat intelligence more than 50%, and energy and utilities are asking about it 30 percent more frequently, as is the services sector.

Can the rest of the world catch up to the same level of security effectiveness that banks have achieved? Data showing that more sectors are diving deeper into security is a promising sign. If the above trends continue, I’d say the answer is no longer about “if” these industries will catch up, but just how long it will take. 

Remain Innovative

CISOs and their counterparts working to build secure infrastructures and systems will always encounter roadblocks, especially when it comes to changing how people think.

Bank employees instinctively understand that money appeals to everyone, so it is logical that they understand the threats to their business. But, when will doctors recognize that patient records can be used in blackmail schemes and as part of “fulz” credential assembly? When will engineers internalize the concern that their digital designs are the key intellectual property that underpins the value of their companies? And, will government agencies ever accept that they are not immune to ransomware because their people are as susceptible to human error as anyone?

If you aren’t defending a financial institution, chances are that most of the non-security employees in your organization don’t enthusiastically embrace security, as they don’t fully grasp the reality of the threats you are defending against. Security to them is just an inconvenience. In fact, the majority of employees in your workplace are very likely making decisions every day that place ease of use ahead of security. Because we can’t expect doctors, engineers, or agency administrators to think like bankers, cybersecurity professionals need to continually educate our workforces while simultaneously creating innovations that seamlessly integrate innovations like intelligence into security. For too long, modern advances like intelligence have been “bolt-on” items. Industries need to start integrating  innovations like intelligence into security operations, data storage solutions, application development, and more. 

Less than 10 years ago, a healthcare agency or manufacturer using threat intelligence to reduce risk was novel. Today, both of those industries (and many more) are embracing intelligence-driven security and expanding investments in intelligence and other areas. They aren’t on par with the financial sector yet, but most are trending in the right direction.

Intelligence is one of a few vital security concepts that industries are increasing their investments in as they recognize the documented value of proactive security, and financial institutions have been leading the way. So, as other industries are now working to catch up, they can and should look to the most successful intelligence teams in the financial sector for guidance and lessons learned. Frankly, if I were in another industry looking to build or mature my security practices, I wouldn’t hesitate to ask myself, “How would a bank think?”

view counter
AJ Nash is Director of Cyber Intelligence Strategy at Anomali. He has more than two decades of experience in intelligence collection, analysis, reporting, briefing, process improvement, and leadership. Prior to Anomali, he was a Senior Manager of Cyber Threat Intelligence at Capital One, Global Head of Cyber Intelligence at Symantec, and a guest lecturer at several universities. His background includes time spent in the United States Air Force, the National Security Agency, and the United States Cyber Command.