By Martin Camilleri - Manager, Security Initiatives & MTCSIRT within the Information Security & Governance Department at MITA

It is undeniable and self-evident that the financial services sector has suffered and will continue to suffer from cyber-attacks for years to come. State actors and criminals are highly attracted to this sector. For state actors, attacking the financial sector will ensure rival governments’ destabilisation, thus giving them competitive edge, especially if they are at war. Organised criminals are confident that they can make a hefty quick buck by directly attacking the sector that manages and processes money.

The entry points for a cyber-attack are various, but the most common ones are phishing, malware, and vulnerabilities in the financial organisation’s systems. Phishing is the number one threat since the technique relies on the human aspect, concentrating on the fear and uncertainty of the victims. Victims are enticed to click malicious links by making them believe, for example, that their bank accounts need updating or that their CEO is in urgent need of money. This social engineering method is often successful since your security is as strong as your weakest link, and humans are indeed the weakest link in an IT system.

Another window of opportunity for an attack is having vulnerable systems. Often, IT systems are deployed and forgotten as long as they are effectively serving their purpose, but this does not mean that the system is secure. Software systems are vulnerable and any weaknesses in the software can be exploited to obtain access to the system. There are teams out there on the internet constantly scanning and researching systems to identify such weaknesses and, if found, they are eventually exploited. One example of this is the cyber-attack which the European Banking Authority suffered in March 2021 due to vulnerabilities in its email servers.

Attackers will continue to be creative and constantly update their modus operandi to ensure their attacks are successful. On the other hand, the sector needs to be prepared to counteract such attacks and always be equipped to stop these types of attacks. States need to legislate so that there is a proper legal framework to combat cybercrime. The European Union has embarked on a legislative framework such as the “Digital Operation Resilience Act” (DORA), with the intention to ensure that the financial sector in Europe is able to stay resilient through a severe operational disruption. The Act lays down requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide IT-related services to them.

In addition to the regulation, it is imperative for financial companies and organisations to train their employees on cybersecurity so that possible cyber threats can be detected and prevented at the source. As the saying goes “forewarned is forearmed”. Companies and organisations are also encouraged to cooperate with each other and to share cyber threat intelligence in an effort to proactively mitigate possible cyber-attacks. Last but not least, entities within the financial sector should keep their systems regularly updated to ensure that known vulnerabilities are corrected, drastically reducing the probability of a possible exploit. Such mitigating measures will guarantee that the attack window is kept as small as possible, and as a result, threat actors will have a much harder time to try and break into systems.

It is also important to mention that in order to support cybersecurity capacity building within Europe, the European Union has mandated the setting up of a National Cybersecurity Coordination Centre (NCC) within each Member State. These Centres are tasked to bring together cybersecurity knowledge, competency, and experience, facilitating information sharing, education and promotion of cybersecurity awareness within all sectors and industries.

Organisations within the financial sector are encouraged to reach out to the Maltese NCC, hosted within the Malta Information Technology Agency (MITA), by visiting the website ncc-mita.gov.mt  and to follow the respective social media pages.