BITS, a financial services industry trade group, has published a guide to malicious software and cyber crime that finds many industry attempts to fight the problem haven’t worked. The report calls on financial services firms to cooperate more in fighting malware.
The Malware Risks and Mitigation Report was written to help financial services firms understand malicious software and how to fight it. The report warns financial services firms to be on the lookout for stealthy programs and insider threats, and to develop detailed plans to respond to such outbreaks.
BITS is a division of the public policy group the Financial Services Roundtable. BITS is made up of C-level executives from member institutions, as well as specialists in fraud, compliance and vendor management.
The new report, which was released on Thursday, provides a comprehensive overview of prominent types of malicious code, including key loggers, trojans and bots, and of how malware functions, as well as the underlying cyber crime marketplace in which personal information, software exploits and botnets all have a price.
The report is designed to help banks and financial services institutions with practical guidance to protect themselves and their customers from attack. But it also takes aim at previous attempts to combat malware, which have not been entirely successful. Financial services firms, facts suggest, “host a good deal of malware,” while efforts to prevent infection, such as software that alerts users to possible malicious activity, haven’t been effective at stopping infections.
“Unless a (financial institution) can develop accurate guidance on how to tell the difference between false positives and malware, most security advice will seem like a poor cost-benefit tradeoff to users, and so will be rationally rejected,” the report concludes.
Increasingly, financial services firms are also the target of advanced persistent threats (APTs) that use targeted attacks and custom malware to maintain a permanent foothold on target networks.
Financial services firms need staff who understand the security threats from a wide range of devices, both business and personal, and who can grasp the complexity of the employee and partner portals that are often an avenue of attack on financial services networks. Moreover, financial services firms need to continue re-evaluating their security posture and develop situational awareness, the report concludes.
Among other things, financial services firms need to begin working with their counterparts through groups like the Financial Services Information Sharing and Analysis Center (FS-ISAC) to share information on threats, attacks and strategies to prevent them.