How cyber risks change as financial institutions grow
One of the catchphrases of modern parenting is “little kids, little problems; big kids, big problems” – meaning that as kids grow, the scope of the challenges they face also typically intensifies.
You could make a similar statement about cyber risk for financial institutions: Small companies tend to face smallish cybersecurity risks, while larger financial services businesses face bigger threats.
The caveat, of course, is that some types of cyber risks affect financial businesses of all sizes. It’s not as if cyber risks change entirely as financial institutions grow, or companies of certain sizes are immune to certain risks.
In fact, recently ransomware groups have been increasingly focused on SMBs, rather than enterprises.
Nonetheless, understanding how risks evolve (or don’t) as a financial organization increases in size is an important step toward optimizing security. This is a fact we know well at Cyberint because we often begin working with financial organizations when they are small, then continue to support them over time as they grow. The issues they encounter at different points in their growth vary significantly, and awareness of those changes informs how we approach cybersecurity in the financial sector.
The state of cybersecurity in the financial sector
Before diving into details of how cyber risks change based on financial institution size, let’s make one thing clear: Cybersecurity threats against financial institutions are prolific. Over the past two decades, this sector has experienced more than 20,000 attacks, which have caused a total loss of 12 billion dollars.
It’s easy enough to understand why attackers love to target financial institutions: As the International Monetary Fund puts it, “financial firms—given the large amounts of sensitive data and transactions they handle—are often targeted by criminals seeking to steal money or disrupt economic activity.” The IMF adds that nearly one-fifth of all cyberattacks focus on the finance industry.
Cyber risks for financial institutions of all sizes
To a degree, financial institution cyber risks are consistent across companies of all sizes. Key examples of attack and threat types that don’t vary significantly based on company size include:
- Leaked credentials and infostealers: Virtually all financial institutions face attempts by threat actors to exfiltrate credentials via techniques like infostealers. Large institutions tend to be targeted more frequently simply because they have more data to steal; however, they also usually have stronger defenses, so the level of threat this type of risk poses does not vary much with company size.
- DDoS attacks: Similarly, larger organizations tend to be the subject of Distributed Denial-of-Service (DDoS) attacks on a more frequent basis, but they are also more adept at defending against them. Plus, smaller companies are often more prone to website crashes caused by other factors (like lack of sufficient IT personnel to troubleshoot issues or backup infrastructure). In that sense, DDoS attacks have a less serious overall impact: If your website already crashes from time to time, you are more accustomed to working through shutdowns.
This isn’t to say that financial institutions should ignore cyber risks like these. Nor are we implying that if you’re a small company, you should accept DDoS attacks (and other causes of website shutdowns) as a fact of life. On the contrary, every organization should strive to mitigate these risks to the extent possible.
For instance, in the case of DDoS, even small companies should deploy and properly configure DDoS mitigation solutions and train their staff to respond effectively to DDoS attacks. They should also avoid assuming that just because they have a service provider managing their network, they are immune to DDoS risks.
Still, the reality is that the overall impact that these threats have doesn’t vary in a major way based on how large a financial institution is. Organizations should endeavor to protect against these risks, but they shouldn’t assume they’re particularly prone to them based on their size.
Financial cyber risks that affect large companies most often
On the other hand, there are certain types of financial cyber risks to which larger organizations are more prone.
Phishing
The more prominent your company is, and the larger your customer base, the more likely it is to be the target of a phishing attack. After all, if a bank controls a large share of the market – for instance, if 20 percent of all consumers in a given location have accounts with that bank – threat actors know they can send out phishing messages that target the bank indiscriminately because a significant portion of their targets are customers of the bank.
Executive impersonation
In a similar vein, larger banks are more often targeted with executive impersonation, meaning attacks where threat actors pose as company leaders in an effort to steal sensitive information from employees or customers. Smaller financial organizations with less prominent executives are not as lucrative a target for this type of attack.
As Carrie Pallardy writes for InformationWeek, this type of attack is particularly pernicious because “threat actors who impersonate executives are preying on employees’ willingness to follow directions from superiors and their reluctance to question those directions.” Employees are less likely to take the bait when they receive a phishing email from someone they don’t know, but they may feel more pressure to respond when they think their manager or CEO is the one asking them to hand over a password, for example.
Compliance fines
Although compliance laws designed to protect personally identifiable information (PII) don’t necessarily impose stricter fines for larger companies, fine amounts are often tied to revenue – so the larger your business, the more you should expect to pay if you leak PII. For example, Equifax, the U.S. credit reporting agency, agreed to pay at least $575 million in a settlement with the FTC for the breach it experienced in 2017.
Compromised customer credentials
The more customers you have, the more credentials you manage – of both employees and customers – that threat actors could potentially steal. Thus, while there’s nothing that makes larger institutions more susceptible to stolen credentials, they do have to work harder to manage credentials.
This becomes all the more true in large companies that operate multiple divisions, or that have acquired or merged with other businesses (and their IT estates) over the years. These factors can lead to siloed credential management systems that are harder to monitor and secure.
For financial services cybersecurity, size matters
Virtually all types of cyber risk can affect financial services companies of all sizes. But the fact is that some types of risks affect larger organizations in this sector more often than smaller ones.
That’s why, at Cyberint, we tailor our threat intelligence and attack surface management solutions to the sizes of clients in the financial industry. We’re prepared to support businesses big, small and in between, across all sectors – but we know that every client faces unique threats and requires unique solutions.
Schedule a demo to learn more about how we customize our solutions for each customer.