
Cybersecurity for SME Lenders: What You Need to Know


Personal information is becoming increasingly valuable, not only to the companies that rely on it to conduct business but also to criminals.

The financial sector is a major target for cybercrime. The Identity Theft Resource Center states that this sector was ranked third for identity theft in 2020. A quick Google search reveals just how lucrative the financial records themselves are: each individual record is worth roughly $220 versus a common credit card which will only fetch about $30 on the dark web. 

Scale that to hundreds of thousands of individual records, and a single breach can translate to a hefty payday.

While many organizations have been quick to adapt to digital lending methods, they haven’t been as vigilant about prioritizing cybersecurity and adequately assessing the risk associated with new systems. 

In this article, we’ll examine the importance of cybersecurity for SME lenders today and cover some best practices that can protect your business and your customers. 

Current State of Cybercrime in the Financial Services Industry

Criminals are developing more sophisticated tactics to steal data from businesses or hold their data hostage in exchange for ransom. It’s getting increasingly difficult to decipher organizational and workflow vulnerabilities. Cybercrime is a real threat that can impact not only customers but also your SME lending business’ bottom line.

Because of the potential for a massive payout from gaining highly sensitive information, banking and financial institutions are much more susceptible to cybercrime than other industries. On average, the financial services industry faces cybercrime costs more than 40% above those of other industries.

Make no mistake, as a small business lender, your business is a target. In the first half of 2021 alone, the banking industry experienced a 1,318% increase in ransomware attacks. 

Digitization is part of the story when it comes to the rising threat level. The Bank for International Settlements puts it this way: 

“The digital transformation of finance also introduces – or heightens – cyber risks. Cybersecurity is an issue for all sectors and for traditional financial services providers as well as fintechs and big techs. The attack surface is broadening, however, as interconnectivity increases and the disaggregation of services introduces more links to each product chain and user interface… At the same time, certain core services have become more concentrated (e.g. provision of cloud services), creating the potential that single points of failure could result in systemic disruption.”

Every digital lending business needs to be aware and prepared for cyber attacks. According to the Verizon 2021 Data Breach Investigations Report, 85% of breaches involved a human element, while 61% involved credentials. 

Three Common Cybercrime Attacks 

Combating cybercrime can only be successful if you know what to look for. Here are three common cyber attacks you should be aware of: 

1. Phishing Attacks

Phishing attacks involve an attempt to gain login credentials for access to an internal network. Most commonly, these attacks take place via email where a message that looks legitimate is sent to a user with a link that initiates the installation of malware on the internal system. 

These emails look authentic and are difficult to recognize as an attack. Phishing attacks comprise an estimated 90% of all successful cyber attacks.

2. DDoS Attacks 

DDoS stands for Distributed Denial of Service. In a DDoS attack, criminals overwhelm a server with fake connection requests, forcing it to go offline. The attack disrupts the normal flow of web traffic, like a traffic jam, and devices can be compromised and controlled remotely for nefarious purposes.

3. Ransomware Attacks 

Ransomware attacks can instantly freeze an entire organization’s operations. Cyber attackers steal sensitive data and then hold it hostage, extorting the company and threatening to publish the information if a ransom isn’t paid. 

The financial services industry is particularly vulnerable to ransomware attacks because of its valuable consumer information and heavy regulatory environment. Because of this, many lenders may feel pressure to comply with any demands to supposedly limit the potential damage. 

Cybercrime Will Cost You 

Cybersecurity is today’s version of a bank vault. Rather than a physical armed guard, today’s digital lending businesses need to reallocate their security budgets to more advanced defenses. 

Waiting until it’s too late can be costly in more ways than you anticipate. There will undoubtedly be financial ramifications to deal with, not to mention the downtime/disruption and the reputational hit your lending business will take. With respect to costs incurred, one study found that the average cost associated with a cyber attack is $1.1 million.

Here are a few ways your lending business will suffer financial losses in the aftermath of cybercrime. 

1. Recovering Compromised Data 

First there is the cost of recovering breached data. Unfortunately, these issues can’t be resolved overnight. Attacks involving malicious insiders took financial services institutions an average of 55 days to resolve. Ransomware took over 33 days, and phishing took more than three weeks. The consequences of criminals having unfettered access to customer data for such long periods of time are dire. 

2. Fines and Legal Fees 

Digital lenders are being held to high standards with high stakes in the form of fines and penalties. The FTC holds companies that legally handle personal information even more accountable for how they manage such sensitive information. 

These fines, penalties, and settlements can be financially devastating to a lender, as evidenced by the infamous Equifax data breach of 2017 (an estimated $575 million in settlements) and the Experian data breach of August 2020. The FTC can charge up to $46,517 in civil penalties per violation. In the case of Equifax, the total assessed in fines and settlements for 2017 amounted to nearly 20% of its $3.41 billion revenue for 2018.

3. Contractual Obligations and Compliance 

The regulatory environment for lenders can be complex, and this complicates matters in the event of a data breach. The FTC and your customers will pay attention to the fine print when it comes to your contractual obligations. 

In most cases, the organization responsible for holding the sensitive data is liable for damages. Your contractual obligations to your client may be monetary or involve identity theft monitoring. If left unfulfilled, there could be an additional significant cost associated with every customer involved in a data breach. 

Compliance failures make matters worse for lenders, contributing an increase of 51% to the average cost of a data breach. In summary? Know what your obligations are as a lender. 

In addition to these examples, it’s again important to remember the stigma of a successful cyber attack on your organization is sure to raise red flags for current and future investors and customers. The industry is slow to forget negative news, and a data breach can quickly result in the decline of your lending company. Not only will you lose existing customers, but new customers will also steer clear. 

5 Best Practices to Prevent Cybercrime

Your lending business is worth defending. How? Here are five actionable defensive tactics to deploy to safeguard your lending business. 

1. Train Your Employees 

Your staff is the gatekeeper to sensitive information. Because the nature of cyberattacks continually changes, it is important to annually conduct information security training. This training should cover things like: 

  • How to spot phishing and other common attacks. 
  • The social engineering tactics that attackers use. 
  • AML/KYC policy review. 

Virtual learning sessions, quizzes, and even phishing tests can be powerful methods to train your employees. 

Talk to them about the importance of their role in keeping customers safe. Discuss their responsibilities and set clear policies (for example, sharing passwords should never happen) regarding how data is to be handled. Be sure to limit administrative access to vital systems, and conduct regular training sessions teaching your employees to spot scams. 

2. Keep Software Updated 

Putting off an update on any device leaves your business vulnerable to attacks. Maintaining the latest version of software is the easiest step you can take to defend against attacks. Why? 

Because software providers with a strong information security program abide by current vulnerability, threat, and patch management policies to ensure they are aware of the latest threats and can consistently patch or update software to fix vulnerabilities. Be sure to incorporate any software updates into your workplace policies as part of your cybersecurity strategy. 

3. Back Up Important Data 

Hackers stealing information can be problematic in more ways than one. Downtime for your organization doesn’t have to be one of them if you have regularly backed up your data. This means that at any point, your entire system can be restored to a previous point in time. 

How frequently should you conduct backups? As often as possible. 

For most businesses, it’s at least once a day, but several times a day will offer further insulation against potential disruption. The most secure way to back up your data is to ensure that it is done on a regular basis and is stored in a remote location, off-site and off-server. Review your data backup procedure with your IT provider to ensure your data backup is adequate for your lending business to continue to operate if files are corrupted, stolen, or lost.  

4. Only Use Trusted Software and Secure Websites

Few things are more enticing than a “free” program to download that promises to quickly solve a problem. Similarly, unsecured websites can easily allow access to stored passwords or browser history. Only secure websites should be accessed on work devices. 

All programs that are utilized for work purposes need to be appropriately vetted and approved. Ask your IT provider or in-house team for a list of approved software and educate your staff on website security. Most browsers will display a warning if a user is attempting to access a non-secure website (one without an SSL certificate), but this can be easily dismissed in a click or two. Give your staff examples and teach them to pay attention to these warnings and immediately exit the browser if one is displayed.   

5. Deploy a Cloud-Based Lending Platform 

Even with a highly trained IT department, cybersecurity is an ongoing, evolving threat. Rather than engaging in a game of whack-a-mole with every threat that pops up, be proactive in your cybersecurity efforts by deploying a cloud-based lending platform like Onyx IQ. 

A cloud-based lending platform is elastic, taking much of the burden of investing in security and regular upgrades off of your shoulders – likely more than your individual lending company could do on its own. 

This platform takes comprehensive measures to protect your information from loss, unauthorized access, and destruction through firewalls, encryption, access authorization controls, and secure data backups without any additional steps from your staff. 

Onyx IQ Can Be Your Digital Defense 

Designed for digital lenders, Onyx IQ has the cybersecurity features that alternative lenders need most. With firewalls, encryption, access authorization controls, and continuous security updates, your cybersecurity strategy is in good hands with Onyx IQ. For more ways to protect your lending business, download our free cybercrime checklist.

