Financial services firms in particular are “lucrative targets for online criminals,” according to Cisco’s 2017 Midyear Cybersecurity Report. Malware authors are specifically targeting financial firms with malware like Dridex and the Zeus Trojan, according to the report.

Meanwhile financial firms are trying to integrate new technology with legacy systems using disparate vendors and products. Cisco found almost 60% of financial firms are using at least six different technology vendors, and two-thirds are using six different security products. However, the report also found it was “common” to see one firm using as many as 30 different vendors.

(Related: Cybersecurity Still Top Compliance Concern for Advisors: Poll)

Their obligation to be compliant as well as secure adds another layer of pressure on financial firms. “In various heavily regulated industries, there’s a tendency to believe that meeting compliance requirements will resolve security issues,” according to Cisco. However, regulations “are only part of the solution for stopping security breaches and providing threat analysis.”

Less than two-thirds of firms have a formal security strategy in place, Cisco found, and less than half are following a standardized cybersecurity practice. Furthermore, despite regulators stated interest in firms’ analysis of their vendors’ cybersecurity protocols, just 37% said they require third parties to employ the ISO 27001 security standard.

Here are six threats to beware of, according to the report:

Exploit Kits

1. Exploit Kits

Cisco found use of exploit kits, which look for vulnerabilities in networks, have declined dramatically since January 2016. However, the report warned that one of the leading kits, Neutrino, still surfaces from time to time. Another kit, RIG, targets Adobe Flask, Microsoft Silverlight and Microsoft Internet Explorer, according to the report.

Automatic security updates have helped keep threats from exploit kits at bay, and hackers are turning back to that old exploit stalwart, email, to deliver malicious code.

Malware, Spyware and Ransomware

2. Malware, Spyware and Ransomware

In the first half of 2017, Cisco found, malware is increasingly being delivered in ways that require users to take an action in order to circumvent malware detection software. Ransomware is being created using open source or as a service, making it easy and cheap for attackers to initiate campaigns.

Cisco called modern advertising software “spyware,” noting that vendors may try to sell it as a legitimate tool with end-user license agreements, but “no matter how they try to spin it, spyware is nothing more than malware.” Cisco found that between November 2016 and March 2017, about 20% of companies were infected with three spyware families: DNS Unlocker/DNSChanger, Hola and RelevantKnowledge.

While spyware products may look like legitimate products, and aren’t “typically considered a significant security risk,” Cisco noted that their true purpose — to gather and track information on users — makes them inherently dangerous. “Spyware companies are known to sell or provide access to the data they collect, allowing third parties to harvest information with relative anonymity. That information can be used to identify critical assets, map internal infrastructures in organizations, and orchestrate targeted attacks,” according to the report.  

Business Email Compromise or Spear Phishing

3. Business Email Compromise or Spear Phishing

Although ransomware has gotten more attention than business email compromise lately, Cisco found an average $1.7 billion was stolen annually through BEC schemes between October 2013 and December 2016, compared to $1 billion stolen in ransomware schemes last year. Victims include big firms that should ostensibly know better, like Facebook and Google.

BEC schemes use social engineering to send emails that appear to be from a manager to an employee and compel them to wire money.

Slow Detection Times

4. Slow Detection Times

Cisco found the median time for firms to detect an intrusion is 3.5 hours. However, some malware families evolve rapidly and can go undetected for weeks. One way they do that is through domain-generation algorithms, which generate multiple domains with slightly different names. The report found that in the last five years, DGA domain life spans have increase from an average three days to 40.

Supply Chain Attack

5. Supply Chain Attack

The Securities and Exchange Commission and the Financial Industry Regulatory Authority are asking firms to look closely at their vendors’ cybersecurity programs, and with good reason. Cisco noted that like any business looking to grow, cyberattackers are looking for ways to “make their operations more efficient.” Attacking a firm in the supply chain gives them entry to multiple firms.

Because the attack happens outside their firm, it can be especially hard for businesses to address this threat. Cisco suggested real-time monitoring as one way to detect suspicious activity, as well as endpoint security, “as it can alert security teams that one piece of software is communicating with another one.”

Internet of Things

6. Internet of Things

Is there any doubt that cyberattackers are watching the increasing number of objects and devices connected to each other with anything other than delight? Cisco found botnets targeting the IoT networks can spread to 100,000 devices within 24 hours. Malicious code is saved in a device’s memory and wiped when it’s restarted, making it hard to detect.

Increasingly, the types of devices being connected to the IoT network, like thermostats and cameras, aren’t necessarily built with security in mind, according to the report. Cisco recommended that firms that use IoT devices protect themselves by keeping old signatures active, closely monitoring network traffic, tracking which devices are touching the network and at what point and, of course, keeping up with security patches. 

— Related on ThinkAdvisor: