Financial services firms lulled by false sense of security

Financial services firms are more confident that they are protected from ransomware than any other sector, but they are exposed by supply chain risk and sub-par detection capabilities, according to Trend Micro.

Trend Micro commissioned Sapio Research to poll over 355 financial services IT and business leaders across the globe, as part of a wider cross-industry report into ransomware.

The study found that 75% of respondents believe they are adequately protected from ransomware, far higher than the average of 63% across all sectors.

This confidence is partly justified as 99% say they regularly patch servers, 92% secure remote desktop protocol (RDP) endpoints, and 94% have rules in place to mitigate risks from email attachments.

However, 72% of respondents admitted their organisation has been compromised by ransomware in the past, and 79% see their sector as a more attractive target for threat actors than others.

This awareness of current threat levels in the financial services sector does not always translate into action.

Around two-fifths (40%) do not use network detection and response, or endpoint detection and response tools (39%), and half (49%) do not have extended detection and response (XDR) in place.

This may account for poor detection rates for activity connected with ransomware. Only a third (33%) say they can accurately spot lateral movement, and 44% initial access.

Trend Micro also uncovered significant third-party cyber risk for financial services organisations — 56% have had supplier compromised by ransomware, mostly partners (56%) and subsidiaries (29%).

Also, 54% believe their suppliers make them a more attractive target, and 52% say a significant number of their suppliers are SMBs, who may have less resource to spend on security

“Greater collaboration and information sharing with third parties could help to improve the security posture of the overall supply chain,” said Bharat Mistry, technical director at Trend Micro. 

“However, without adequate detection and response capabilities, they may not have the intelligence to hand in the first place,” said Mistry. “Financial services leaders recognise they are a top target for ransomware actors. It’s time to turn that awareness into action.”

The study also found that about a quarter (24%) of financial services firms do not share any threat information with their partners, 38% do not do so with suppliers, and even more (42%) don’t engage with the broader ecosystem.