When the hacker group Scattered Spider breached MGM Casino and Resorts’ computer systems on September 11, 2023, the corporate gaming giant – with more than two dozen locations and an online sports betting operation – suffered significant material losses.
In the aftermath of the breach, MGM scrambled to provide guests with hand-written receipts of casino winnings and physical hotel room keys. The attack impacted everything from the company’s slot machines to its digital key cards, taking ten days to resolve. As MGM’s stock price plunged, more victims of the attack emerged, as Okta, a San Francisco-based firm that offers cloud-based identity management software, admitted that five other companies, including Caesars Entertainment, had also been affected.
Scattered Spider, a loose network of cybercriminals allied with other hacker groups, has been described as sociopathic, moving from terrorizing individual citizens online to using ransomware to extort money from corporate institutions. With the attack on MGM and Caesars, institutions of every size understand the devastation of cybercrime.
While MGM and other corporations impacted by these recent attacks sort through the wreckage, financial institutions need to be aware of emerging cyber threats in their industry.
As banking leaders and cybersecurity experts already know, financial institutions are frequently targeted by cybercriminals. In May 2023, the ransomware group Cl0p exploited a zero-day vulnerability in MOVEit, a managed file transfer software product from Progress Software, to access consumers' names, birthdays, addresses, and Social Security numbers at 10 community banks and credit unions.
While some cyberattacks succeed because of insufficient security configurations or developers' mistakes, most succeed by exploiting the weakest link in the chain – people.
Three-quarters (74%) of breaches involve human missteps, including social engineering attacks like phishing, according to Verizon's 2023 Data Breach Investigations Report. For financial institutions, these scams are directed at consumers, employees, and FIs' third-party service providers. Through emails and text messages, cybercriminals masquerade as someone else to obtain sensitive data that allows them to penetrate systems.
With all the information available online through social media and other channels, gaining the confidence of unsuspecting targets through spoofed personalization is relatively easy. Thousands of individuals fall victim to phishing attacks every day.
"Vishing" combines the words "phishing" and "voice." Scattered Spider hacked Okta through a vishing scam, calling up the company and impersonating an employee. Vishing is much more effective than traditional phishing scams by email or text because cybercriminals can create a false sense of urgency on calls, and organizations have not paid enough attention to the processes used to verify a caller's identity over the phone.
With the proliferation of AI and its ability to artificially mimic voices, organizations will need to establish better protocols for verifying the identity and credentials of callers.
Financial institutions must cover many cybersecurity bases, from network segmentation to patching to firewalls. But they can’t sleep on making their people aware that criminals see them as the most accessible entry point into their systems. Training your people on social engineering scams – phishing and vishing – may be the most effective way of preventing a cyber breach.
The biggest takeaway for FIs from the MGM debacle is that they must remain vigilant in managing and monitoring cyber risks from third-party vendors.
Thousands of financial institutions experience data breaches every year, and the average cost to undo the damage is $5.9 million per breach, according to the IBM Cost of a Data Breach Report 2023. Community banks and credit unions have it worst of all – not only do many struggle to monitor their critical vendors, but relative to their size, the cost of repairing the damage of a breach is greater for them than for larger institutions.
So what can community banks and credit unions do to protect themselves and consumers from criminals intent on doing them harm through breaching third-party systems?
They need a dedicated vendor management solution capable of monitoring third-party cybersecurity controls and detecting vulnerabilities before a data breach occurs. FIs must have insight into how their critical vendors train staff to identify socially engineered cyberattacks.
Many financial institutions believe that having an annual SOC report is all they need to manage cyber risk effectively. Make no mistake about it: SOC 2 reports are incredibly valuable in ensuring that your critical third-party vendors have the appropriate controls in place for protecting your FI’s data.
But you need to avoid this critical SOC 2 mistake: service providers must offer more than an assurance that their data center is secure. As we can see from the example above, Okta was not hacked because it lacked firewalls and timely software patches. MGM, Caesars, and other companies lost millions because an Okta employee willingly gave credentials to a hacker over the phone.
Cybercriminals today look for inroads into systems mainly through social engineering. For this reason, when you’re performing due diligence in onboarding a critical vendor, you need to ask the following questions:
Who will have access to your data?
Access to your financial institution’s data should be as limited as possible. The greater the number of third-party employees with access to your data, the greater the cybersecurity risk for your financial institution.
Are your third-party’s employees trained in cybersecurity best practices?
You need to know that your critical vendors train their employees on social engineering scams that could jeopardize your data security. The ground is constantly shifting when it comes to the methods cybercriminals use to penetrate systems. Is your vendor keeping up to date with phishing and vishing tactics?
How is access to your data and system managed following an employee departure?
Does your critical vendor effectively handle employee access to your data following a departure? What is their process for restricting access to your data after an employee has moved on? On the flip side, you’ll want insight into their onboarding process to ensure that new employees receive appropriate training.
How will your vendor handle a breach or incident?
You should expect critical vendors to notify you in the event of a cybersecurity breach or other critical incident. Your contract with a third-party service provider should spell out their notification and response process following a breach.
Section 3 of a SOC 2 report provides your financial institution with a narrative that explains, among other key considerations, your vendor’s process of issuing credentials to new external and internal users.
But you need to ask your vendor for its employee cybersecurity training policies. You also need to ensure that the controls in the SOC report align with what you discover through ongoing cyber monitoring.
When you receive a SOC report attesting that a critical vendor has cybersecurity controls, the only thing that you know for sure is that they had those internal controls in place at the time of their SSAE 18 audit.
That is, you have a report about your vendor’s past controls, not their present ones. To avoid the fate of MGM or any of the hundreds of banks that experience a cybersecurity breach every year due to a failure on the part of a third-party vendor, you need continuous real-time vendor cybersecurity monitoring.
With a vendor management solution that enables you to monitor and analyze your vendor's controls in real time, you can compare your internal reports with your vendor's self-reports and external audits.
Only You Can Prevent a Cyber Breach. Protect Your Financial Institution with Nvendor for Third-Party Cyber Risk Management.