Financial organizations in general, and banks in particular, are about as far along the cybersecurity maturity curve as any industry. That should come as no surprise. Financial organizations have been dealing with threats against their assets since the days when the Pinkertons were protecting stagecoaches.
If anyone knows about cyber threats, it’s a financial organization. Unlike other industries, which tend to have a variety of assets to protect, financial institutions have only one kind of asset to protect: money (and information related to that money).
Logically, these same organizations are the earliest and widest adopters of threat modeling. The old-guard institutions in the financial industry do not need to be sold on the idea of threat modeling because they are already doing it.
State of the Financial Industry
Financial institutions’ assets are so appealing that finance remains the industry most targeted by cyber criminals. According to a cybersecurity report by Boston Consulting Group, “banking and financial institutes are 300 times more at risk of cyberattack than other companies.” And unfortunately, those efforts by cybercriminals are paying off.
According to recent statistics, the “cost of cyberattacks is highest in the banking industry, reaching $18.3 million annually per company. Recent data breach statistics showed a massive increase in the number of cyberattacks, which is why the financial industry is spending record amounts on security measures. Successful attacks on banks and financial institutions are the most costly of all, not only because of the financial losses, but also because these breaches erode user trust.”
So, if financial institutions are the best at cybersecurity, with the widest adoption of threat modeling as a practice, why all the successful breaches? Well, one of the reasons is third-party apps.
Third-party Apps Present a Security Risk
Smartphone-based apps rule the financial ecosystem, but not all financial organizations have the time or wherewithal to develop these apps, and that can be a problem, according to Cybriant.
“Third-party apps promise a shortcut for financial institutions that don’t have the time or money to develop their app, but there is a safety risk here. In the race to keep up with the competition, some banks are adopting apps that may not be up to security standards. The short-term attempt to stand out can backfire big when apps are penetrated.”
A Strategy to Prevent Breaches
Two things seem to be true with regard to the financial industry when it comes to threat modeling their assets. First, threat modeling must include the entire ecosystem—including all third-party apps—not just their own systems. That may not be easy to do if they don’t have access to the app’s architecture.
Second, it appears that in the financial industry, threat modeling is necessary, but not sufficient, as a strategy for protecting assets. Other best practices for securing financial institutions include implementing multi-factor authentication, using hardware security modules, conducting security assessments and limiting access to data.
One way to speed up the threat modeling portion of securing financial assets is to automate as much of it as possible. And if you’re not sure how to do that, we suggest you check out ThreatModeler. ThreatModeler is a collaborative threat modeling platform that comes as close to one-click threat modeling as there is.