Public-Facing Web Assets Expose Banks to Greater Risk

Some 60% of banks’ digital assets sit outside the corporate firewall, exposing the organizations to unnecessary external risk, according to new research.

Security firm RiskIQ assessed 35 top banks and discovered a staggering 260,000 public-facing digital assets, ranging from mobile apps to websites and pages on social media.

That equates to 7500 for each financial institution.

Some 94% of these assets featured code from one or more third-party tracking or analytics services and the same proportion incorporated code from one or more third-party JavaScript libraries.

RiskIQ said 70% were running their own digital ads using third-party ad-serving technology and dropping third-party beacons.

The use of third-party components increases the risk surface for organizations, according to Elias Manousos, CEO of RiskIQ.

“Today’s ‘digital approach’ to business brings with it more digital exposure and therefore digital risk,” he told Infosecurity. “In response, organizations need to treat external threat as a core competency of their overall security program and increase their situational awareness outside the firewall.”

Further, RiskIQ said it found 1777 mobile apps in total, or 51 per bank. Of these, only 5% were located on official app stores like Google Play, with the remaining 95% on unregulated third-party platforms.

The ability of the banking industry to withstand sophisticated targeted attacks has been called into question recently by several incidents.

Most notably, it emerged in February that a cybercrime group managed to steal up to $1bn from banks worldwide in a two-year campaign using Carbanak malware.

Then just this week HSBC admitted to its mortgage customers that their account information had been “inadvertently exposed” online.

The data breach, which has affected an undisclosed number of customers, occurred sometime towards the end of last year and was discovered on 27 March.

Customer names, account numbers, Social Security numbers, and old account information including some telephone numbers were among the exposed data.
