How Banks Can Prepare for Cyberwar

The Russia-Ukraine conflict is not a purely military confrontation but marks the beginning of a new generation of cyberattacks. The cyberwar also affects state organizations and financial institutions outside Ukraine, which need to arm themselves against any attacks in the short term.

On February 24, Russia started a war with Ukraine. At least the visible one. But there is also a war in disguise, a cyber war. Russia uses targeted cyberattacks to weaken sensitive parts of Ukraine to support military operations or to inhibit Ukrainian information dissemination. For example, Russian hackers have attacked, among other things, the satellite provider Viasat, through which Ukrainian police and the army communicate.

New Generation of Cyberattacks

The fact is that cyberattacks have reached a new level of escalation. It is no longer (just) individual hackers or hacker groups who use them to gain money, power or prestige. The new generation of cyberattacks affects not only Ukrainian organizations and companies but all individuals, companies, organizations and states that side with the Ukrainians through arms deliveries, sanctions or public statements. Targets that are part of the critical infrastructure or hold particularly sensitive data are probably at risk first. Companies such as financial institutions would therefore be well advised to pool all available resources to strengthen their cyber resilience, i.e., their robustness against cyberattacks.

Concrete Recommendations for Action for Financial Institutions

Below, I explain the four most essential starting points and concrete recommendations for action on how banks and insurers can better prepare for any cyberattacks in the short term:



1. Planning Is Important, Practice Is Essential for Survival

It is essential and right to have contingency plans (runbooks) in the drawer. However, it is even more important to regularly review these plans for relevance and completeness and, most importantly, to practically test them at least once a year. Companies should now thoroughly evaluate whether they have considered all relevant attack scenarios and whether they are up-to-date. For each threat scenario, if possible, they should have a runbook with the most important framework conditions, responsibilities, times, and processes. In doing so, they can exchange information with allies if necessary. In addition, companies should carry out simulated “attacks” (e.g., using Red Team / Blue Team or TIBER) if the last ones took place more than six months ago. Only if everyone involved knows exactly what to do, when, and how to do it in the event of an emergency can all measures work hand in hand to achieve maximum effectiveness, even in cooperation with government authorities or police departments.

2. International Standards Provide Useful Guidance

There are numerous standards, frameworks, or guidelines that are considered international standards and can provide guidance. These include, for example, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which recommends five phases – Identify, Protect, Detect, Respond and Recover – for organizations to build their cyber resilience, as well as the MITRE ATT&CK Framework with its known attack scenarios and hostile tactics. The most important standards are shown in the diagram.

3. Exploit the Potential of IT Security

The past months have shown that many financial companies are not yet (fully) exploiting the potential of IT security. Our experience therefore leads to a number of recommendations for action:


Maximize the security of access to critical systems by enabling multi-factor authentication, removing unused or expired accounts, requiring a VPN to log in, only allowing company devices (PC/notebook) into company networks, and isolating high-risk systems where appropriate.
Use anti-malware software whose licenses are still current and that is updated regularly.
If possible, perform vulnerability scans of systems with Internet access and fix all, or at least the major, findings. Also ensure that your software, including patch levels, is up to date.
Establish backup processes for critical systems and make regular offline copies of essential business data.
Watch for specific indicators of compromise (IOCs) derived from the tactics, techniques, and procedures (TTPs) associated with the criminal groups involved in the current conflict.
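The last recommendation, matching known IOCs against your own telemetry, is easy to state and easy to get subtly wrong (exact-match only on domains misses subdomains; exact-match only on IPs misses a whole hostile netblock). The script below is an added example, not code from the original article: it parses constructed key=value log lines and checks each event against a small, constructed IOC set of IP addresses, CIDR blocks, domains and file hashes. All IOC values are placeholders drawn from documentation ranges; a bank would load its real set from its threat-intelligence feed and the field names would follow its own log schema.

```python
"""Match a small IOC set against sample log lines (added example, constructed data)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed IOC set. The IPs are from reserved documentation ranges and the
# hash is a placeholder; none of these are real threat data.
IOCS = {
    "ip": {"198.51.100.23"},
    "domain": {"update-check.example", "cdn-static.example"},
    "sha256": {"0" * 63 + "1"},
}
# Constructed netblock treated as hostile infrastructure.
IOC_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed proxy / endpoint events in a space-separated key=value layout.
SAMPLE_LOGS = [
    "ts=2022-03-01T08:01:10Z src=10.0.5.14 dst=192.0.2.10 host=intranet.bank.local action=allow",
    "ts=2022-03-01T08:02:33Z src=10.0.5.14 dst=198.51.100.23 host=update-check.example action=allow",
    "ts=2022-03-01T08:05:02Z src=10.0.7.2 dst=203.0.113.201 host=mail.example action=allow",
    "ts=2022-03-01T08:06:45Z src=10.0.9.9 file=report.xlsm sha256=" + "0" * 63 + "1" + " action=exec",
    "ts=2022-03-01T08:07:00Z src=10.0.5.14 dst=192.0.2.44 host=news.example action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    ts: str
    src: str
    kind: str   # "ip", "cidr", "domain" or "sha256"
    value: str  # the IOC that matched


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def match_iocs(event, iocs=IOCS, nets=IOC_NETS):
    """Return a list of (kind, ioc) pairs that this event matches."""
    hits = []
    dst = event.get("dst")
    if dst:
        if dst in iocs["ip"]:
            hits.append(("ip", dst))
        else:
            try:
                addr = ipaddress.ip_address(dst)
            except ValueError:
                addr = None
            if addr is not None:
                for net in nets:
                    if addr in net:
                        hits.append(("cidr", str(net)))
                        break
    # Domains: match the IOC itself and any subdomain of it.
    host = event.get("host", "").lower().rstrip(".")
    for d in iocs["domain"]:
        if host == d or host.endswith("." + d):
            hits.append(("domain", d))
            break
    h = event.get("sha256", "").lower()
    if h in iocs["sha256"]:
        hits.append(("sha256", h))
    return hits


def scan(lines):
    """Run every line through the IOC matcher and collect alerts."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        for kind, value in match_iocs(ev):
            alerts.append(Alert(ev.get("ts", "?"), ev.get("src", "?"), kind, value))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"{a.ts} src={a.src} matched {a.kind}={a.value}")
```

Run as a script it prints four alerts: two for the second line (IP and domain), one CIDR hit for the third and one hash hit for the fourth. The value of separating `parse_line` from `match_iocs` is that the IOC logic can be reused unchanged when the log source, and therefore the parser, changes.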

4. Cyber Security Is More Than IT

The importance of IT security is undisputed and is now embedded in many financial institutions. However, organizations need to think about cyber security beyond IT security to build sustainable cyber resilience. The two key starting points are:

Raise employee awareness: Employees have an impact on a company’s cyber resilience that should not be underestimated. The better they are informed about relevant topics, and the faster they react to any threats, the sooner personalized hacker attacks can be averted or at least their impact contained. Therefore, in special awareness training, companies should inform their workforce about the risk of phishing and fake websites built around the conflict.
Identify dependencies in the network: We are currently experiencing, using the example of oil and gas supplies, how hard an (overly high) dependency on individual business partners can hit us. Companies should therefore check whether and where they depend on suppliers and other business partners from Ukraine, Russia or neighboring countries. They not only need a contingency plan in case they are cut off from the supply chain, including its IT integration; they should also monitor network traffic with these business partners more closely, raise alerts on deviations, and prepare response and resilience plans.
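Closer monitoring of partner traffic needs a baseline to compare against: which partner ranges exist, which ports are expected, and roughly how much data flows per day. The script below is an added example, not code from the original article: it keeps a constructed partner directory and evaluates constructed flow records against it, raising one alert the first time a partner uses an unexpected port and another when a day's volume with a partner exceeds a multiple of its baseline. Partner names, address ranges, baselines and the alert threshold are all assumptions chosen for illustration.

```python
"""Alert on deviations in traffic with supply-chain partners (added example, constructed data)."""
import ipaddress
from collections import defaultdict

# Constructed partner directory: name -> (network, expected ports, baseline bytes per day).
PARTNERS = {
    "partner-a": (ipaddress.ip_network("192.0.2.0/24"), {443}, 50_000_000),
    "partner-b": (ipaddress.ip_network("198.51.100.0/24"), {22, 443}, 10_000_000),
}

# Constructed flow records: (day, remote_ip, remote_port, bytes, direction).
FLOWS = [
    ("2022-03-01", "192.0.2.15", 443, 30_000_000, "out"),
    ("2022-03-01", "192.0.2.15", 443, 25_000_000, "out"),
    ("2022-03-01", "198.51.100.8", 22, 2_000_000, "in"),
    ("2022-03-01", "198.51.100.8", 3389, 500_000, "in"),   # port never agreed with this partner
    ("2022-03-01", "203.0.113.5", 443, 1_000_000, "out"),  # not a partner, ignored here
    ("2022-03-02", "192.0.2.15", 443, 40_000_000, "out"),
    ("2022-03-02", "192.0.2.15", 443, 150_000_000, "out"),  # pushes the day far above baseline
]

VOLUME_FACTOR = 3  # assumed threshold: alert when a day's volume exceeds 3x the baseline


def partner_for(ip):
    """Return the partner name whose network contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, (net, _, _) in PARTNERS.items():
        if addr in net:
            return name
    return None


def evaluate(flows, partners=PARTNERS, factor=VOLUME_FACTOR):
    """Return alerts as (type, partner, day, detail) tuples."""
    alerts = []
    volume = defaultdict(int)   # (day, partner) -> bytes exchanged that day
    seen_ports = set()          # (partner, port) pairs already reported
    for day, ip, port, nbytes, _direction in flows:
        name = partner_for(ip)
        if name is None:
            continue
        _net, allowed, _baseline = partners[name]
        if port not in allowed and (name, port) not in seen_ports:
            seen_ports.add((name, port))
            alerts.append(("unexpected-port", name, day, port))
        volume[(day, name)] += nbytes
    for (day, name), total in sorted(volume.items()):
        baseline = partners[name][2]
        if total > factor * baseline:
            alerts.append(("volume", name, day, total))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(FLOWS):
        print(alert)
```

On the constructed data this yields two alerts: partner-b appearing on port 3389 on the first day, and partner-a's second-day volume of 190 MB, which is more than three times its 50 MB baseline. The same structure carries over to real flow exports; what has to come from the business side is the partner directory itself, which is exactly the dependency inventory the paragraph above asks for.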


Security as A Top Priority

That’s a lot of measures and starting points. Depending on where and to what extent companies still need to improve, they should consider temporarily enlisting the support of external experts to close as many security gaps as possible in a short time while operations continue. Because one thing is clear: no one can predict how the situation will develop or if and when criminal hackers will target a company. That’s why, at the moment, time means not money but increased protection, especially for companies critical to Germany, such as financial institutions.

Those who shy away from the possible costs of such measures should ask themselves: What would it cost if your company was incapacitated for a few weeks? Or if sensitive company data or your customers’ data fell into criminal hands? Or if trust in your brand were to be permanently damaged and you lost customers as a result? These are not unrealistic scenarios but real consequences of cyber attacks. Therefore, my recommendation is to make security your top corporate priority – especially in the financial sector – and pool all available forces to increase your organization’s protection. Prepare yourself as best you can for the attack of the invisible enemy.