Championing ethical hackers: a vital defence for the financial industry during turbulent times

The costs of experiencing cybercrime continue to rise. The IBM Cost of a Data Breach Report 2023 reveals that the financial sector comes in second on the global scale of cyber incident expenses, surpassed only by healthcare. Yet, with the rapid development of AI and decreasing budgets, CISOs in all industries are being challenged to do more with less.


Because of stringent regulatory compliance requirements, the financial services industry has to maintain the highest level of security maturity. Yet it remains a prime target for cybercriminals, who are becoming ever more sophisticated, and in-house IT security teams cannot fight the threat of breaches on their own. Between September 2022 and August 2023, the NCSC received 297 reports of ransomware activity ('tips'), with financial services among the most frequently reported sectors. The question emerges: why is the financial sector so susceptible to cyber threats? As the bank robber Willie Sutton said when asked why he robbed banks, 'because that's where the money is'.


The irresistible lure of the financial industry


The financial services industry remains a gold mine for cybercriminals due to the sheer amount of valuable customer data linked directly to cash. Ransomware accounts for nearly three-quarters of all cyber-attacks, and threat actors primarily target businesses most likely to afford ransoms and those possessing data that can fetch a high price on the dark web or black market.


Unpatched vulnerabilities are a primary entry point for attacks, and once an organisation's unknown assets, with their own unpatched vulnerabilities, are taken into account, the risk is exacerbated. One-third of organisations observe less than 75% of their attack surface, which leaves a lot of attack surface unaccounted for, with potentially exploitable, undiscovered vulnerabilities.


For example, looking at the top ten vulnerabilities reported on the HackerOne platform, improper access control is the number-one vulnerability on the list: it allows files and applications to be accessed without proper authorisation. Although most industries see fewer improper access control reports than average, financial services is a notable exception, with improper access control making up 16% of its high and critical reports, owing to the sheer volume of staff members, customers, and other external users accessing financial networks.
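To make the class of bug concrete, the following is an added illustration, not code from the article or from HackerOne, of improper access control in its most common web-application form: a handler that fetches a record by the identifier the client supplies and never checks that the caller is entitled to that record, shown next to a hardened version that enforces an object-level authorisation check. The data store, the session model, the `Role` names and the sample statements are all assumptions constructed for the example.

```python
"""Improper access control: a handler that authenticates the caller but never
authorises access to the specific object requested, next to its hardened form.
Constructed example; the store, session model and roles are assumptions."""

from dataclasses import dataclass
from enum import Enum
from typing import Callable


class Role(Enum):
    CUSTOMER = "customer"
    SUPPORT = "support"  # assumed role explicitly permitted to view statements


@dataclass(frozen=True)
class Session:
    """An authenticated caller. Authentication alone says nothing about which
    records this user may read; that is the authorisation decision below."""
    user_id: str
    role: Role


@dataclass(frozen=True)
class Statement:
    statement_id: str
    owner_id: str
    balance_gbp: int


# Constructed sample data: two customers, one statement each.
STATEMENTS = {
    "stmt-1001": Statement("stmt-1001", "alice", 4200),
    "stmt-1002": Statement("stmt-1002", "bob", 87),
}


class Forbidden(Exception):
    """Caller is authenticated but not authorised for the requested object."""


def get_statement_vulnerable(session: Session, statement_id: str) -> Statement:
    """The bug: a valid session is required, but the record is returned purely
    on the client-supplied ID, so any logged-in user can read any statement."""
    return STATEMENTS[statement_id]


def is_authorised(session: Session, stmt: Statement) -> bool:
    """Object-level authorisation: the record's owner, or a support role that
    is explicitly allowed to view customer statements."""
    if session.role is Role.SUPPORT:
        return True
    return session.user_id == stmt.owner_id


def get_statement_hardened(session: Session, statement_id: str) -> Statement:
    """Look the record up, then enforce ownership before returning it.
    Deny by default: a missing record and a forbidden record are refused with
    the same error, so the response does not reveal which IDs exist."""
    stmt = STATEMENTS.get(statement_id)
    if stmt is None or not is_authorised(session, stmt):
        raise Forbidden("statement not available to this user")
    return stmt


def audit_access(session: Session, statement_id: str,
                 handler: Callable[[Session, str], Statement]) -> dict:
    """Run one handler and return an audit-log style record of the outcome.
    A denied entry for a valid session is exactly the signal a detection team
    would alert on when it appears repeatedly across many IDs."""
    try:
        stmt = handler(session, statement_id)
        return {"user": session.user_id, "statement": statement_id,
                "outcome": "allowed", "owner": stmt.owner_id}
    except (Forbidden, KeyError):
        return {"user": session.user_id, "statement": statement_id,
                "outcome": "denied"}


if __name__ == "__main__":
    bob = Session("bob", Role.CUSTOMER)
    # Bob asks for Alice's statement through each handler in turn.
    print(audit_access(bob, "stmt-1001", get_statement_vulnerable))
    print(audit_access(bob, "stmt-1001", get_statement_hardened))
```

The vulnerable handler returns Alice's statement to Bob; the hardened one refuses it, still serves Bob his own statement, and gives the assumed support role its explicitly granted access. The point for a reviewer or tester is that the authorisation decision has to be made per object, on the server side, after the lookup; checking only that a session exists is what the 16% of high and critical financial-services reports are about.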


This is further exacerbated by drastically reduced security budgets. IT teams are now understaffed and overstressed almost industry-wide but are still expected to overperform with fewer resources, according to our latest Hacker-Powered Security Report. Just last year, one-third of companies slashed their security budget, and another one-third plan to do the same in 2024.


In addition, financial organisations increasingly rely on third-party vendors, sometimes in the thousands, to maintain smooth operations. Supercharged by the pandemic, rapid digitalisation across the finance industry further heightens exposure to third-party cybersecurity risk. Widespread adoption of multi-cloud infrastructure has expanded the scope of potential targets for cybercriminals.


Turning to ethical hackers to scale security


Engaging the global community of ethical hackers is one of the best ways to keep ahead of cybercriminals. Ethical hackers find the most elusive and technically sophisticated vulnerabilities, which often fall beyond the reach of automated defences, and in doing so help ensure the safety of customer data.


As a heavily regulated industry, financial services organisations will already have pentesting requirements that remove a lot of the low-hanging fruit. This frees them to place additional emphasis on having ethical hackers target the access controls and authentication mechanisms that, if exploited, could have a significant financial impact.


Hackers' skill sets diverge markedly from those of a typical IT professional. They have the distinct advantage of a hacker's mindset: the ability to think outside the box and look at systems the way a malicious outsider would. This enables them to spot vulnerabilities that typical cybersecurity professionals may overlook.


In fact, most of the financial services industry leaders already working with ethical hackers agree that an internal security team can never replicate the creativity and man-hours put in by the ethical hackers on a bug bounty platform, who between them specialise in all kinds of areas. Unsurprisingly, our report confirmed that hackers' efforts had helped prevent significant security incidents for 70% of organisations. Even after running pentests, organisations still find critical vulnerabilities that weren't found previously, creating a continuous cycle of bug-finding and patching.


This highlights that companies must regularly assess and enhance their security measures, stay current with the latest threat intelligence, and invest in frequent evaluations by skilled security professionals, testers, and hackers. With budgets continuing to be tight this year, however, proving the return on investment is imperative. Looking at bounty prices, the median price for a critical bug in the financial industry has increased from $3,000 to $5,000, as the industry has made special efforts to ensure that awards are competitively set. The highest payouts, at the 90th percentile, have fallen from $7,550 to $6,000, likely because organisations' assets have matured as they apply bug bounty learnings, so fewer top bounties are paid out for findings. Either way, this is still a tiny amount compared to the $5.90 million that a breach costs a financial institution on average.


Time-to-remediate is another useful metric for showing how cybersecurity teams are becoming more adept and efficient at resolving vulnerabilities; the financial industry improved on it significantly, by 31%, in 2023 versus 2022. In fact, financial services has one of the shortest times to remediate at 17 days, surpassed only by cryptocurrency and blockchain. A cyber-attack is a matter not of "if" but "when", and the consequences, especially in the financial industry, weigh heavily on a company's reputation and profits. Working with ethical hackers early therefore not only reduces the chances of an attack, saving organisations time, money, and reputation in the long run, but also helps create a more security-mature organisation.


As the number of cyber-attacks on financial institutions continues to rise, it's clear that the situation is likely to worsen before it improves. However, organisations can manage the degree of severity by turning to a community of hackers who truly comprehend the malicious attacker's mentality. Financial institutions that recognise and embrace this insight will stand a much stronger chance of withstanding, and possibly even evading, this year's upcoming avalanche of cyber threats.

Chris Campbell

Lead Solutions Engineer, EMEA

HackerOne