Cybersecurity: Prepare For The Year Ahead
The cyber landscape is changing fast. Every year, organizations face new threats and tactics from threat actors who want to capitalize on the security shortfalls of financial institutions. The financial services industry remains a top target for threat actors. The sector experienced 194 data compromises that affected more than 25,000,000 victims in the first three quarters of 2022 alone.
With the new year ahead, it is time to reflect, learn and prepare for what’s to come. 2022 was game-changing regarding evolving threats, regulation and mitigation measures, but one thing remained clear – sometimes it is best to go back to basics.
Threats & Vulnerabilities
Over the past year, hackers regularly exploited vulnerabilities within internal company systems to execute attacks. In January, Crypto.com suffered a breach that resulted in around $34 million of stolen cryptocurrencies. Hackers gained access to the funds by exploiting a vulnerability that allowed them to bypass the mandatory multi-factor authentication (MFA).
The attack demonstrated MFA is not always foolproof - businesses must constantly evaluate their systems for vulnerabilities and quickly remediate identified vulnerabilities.
But not all attacks this year used sophisticated tactics. Phishing and Ransomware remained the top attack vectors in 2022 with 343 and 194 respective incidents reported. In the Medibank incident, threat actors executed a ransomware attack and posted personal health information on the Dark Web after the company refused to pay the ransom. The Dark Web remains a key forum for cybercriminals to expose sensitive information they gain access to through cyberattacks. Sometimes this data is personal information, other times it is login credentials. The Dark Web looks set to remain an asset for cybercriminals in 2023.
This year, we also saw cybercriminals taking new approaches to their phishing attacks with typosquatting.
This is when cybercriminals spoof a company domain with a slight, and potentially easily missed, misspelling that may lead a user to believe it was from a trusted party if they do not carefully check the email address. The criminal may then request access to critical company data or a wire transfer as the impersonated trusted party. This year several cases also popped up where cybercriminals would clone an entire company website with a typosquatted domain. These cloned websites are designed to lead users to click on malicious links or disclose sensitive information. More of these types of attacks have occurred recently and will likely continue into 2023.
Compliance Evolves
2022 was a notable year for financial services cybersecurity regulations, with the SEC taking a more prescriptive approach to requirements. The 2022 US SEC Division of Examinations priorities included private funds; ESG; operational resiliency and information security/cybersecurity. The priorities cover an extensive range of potential investor risks that firms should consider as they review and bolster their cybersecurity; business continuity and compliance programs. The Division also reviews the practices of broker-dealers; RIAs and other registrants to prevent interruptions to mission-critical services and protect investor information; records and assets.
Further, the SEC proposed a comprehensive rule change to solidify the expectations of a firm to achieve compliance with SEC cybersecurity requirements. The proposed rule marks the beginning of a revolutionary approach to cybersecurity. If the rule is successfully enacted, it would mean many firms would need to overhaul their cybersecurity strategy.
The heightened focus on cybersecurity also extended to enforcement over the past year. The New York Department of Financial Services imposed fines throughout the year for non-compliance with cybersecurity regulations, including Carnival ($5M), Robinhood ($30M) and Eyemed ($4.5M).
Regulators have made it clear that they are serious about cybersecurity and are actively monitoring compliance. Those who opt to violate regulations will pay a high cost for non-compliance.
In 2023, regulators will likely continue enacting new cybersecurity regulations and enforcing existing rules. Fines for non-compliance are expected to continue to grow as regulators use them as strong encouragement for other companies to strengthen their defenses.
Ongoing Focus: Back To Basics
Cybercriminals continue to look for the route of least resistance to enter company systems and access critical data. While this is the case, many firms still do not have basic cybersecurity controls and processes. An excellent place to start is examining the CISA bad practices guide, which highlights three exceptionally risky cyber practices, including the use of unsupported (or end-of-life) software; the use of known/fixed/default passwords and the use of single-factor authentication. Firms can ensure they have baseline protections in place by avoiding these practices.
Staff training is another necessary component of successful pro-active cybersecurity preparedness. Increasingly, businesses are realizing that pre-recorded classes once a year are simply not enough.
Staff are the first line of defense to stop a cyberattack and generic training sessions cannot touch on risks and vulnerabilities specific to an organization.
In 2023, organizations will likely take a more prescriptive approach to assess vendor cyber risk. As cyberattacks in the software supply chain increase, businesses can no longer afford to receive cybersecurity information from ‘enough’ of their vendors – anything short of all vendors leaves companies at a disadvantage. Leaders are increasingly making the realization but need to act swiftly on it.
On The Horizon
In 2023, cybercriminals will continue evolving their tactics to remain a step ahead of cybersecurity protections. Supply chain cyberattacks will remain prevalent and a single attack on a widely used vendor in the financial services industry can result in a widespread outage. The 2020 SolarWinds attack is a prime example of what this can look like, but firms cannot let their guard down simply because the attack happened two years ago – cyberattacks often happen when least expected.
But as cyber risks evolve, so will cybersecurity systems. Extended detection and response (XDR) systems are increasingly becoming a valuable tool for firms to assess their cyber risks across the entire organization by creating continuity across siloed systems and applications. XDR combines the power of endpoint detect and response services with other traditional network security controls to provide a better overall picture of abnormal activity from more than one data point. The technology continues a trend in cybersecurity where technologies communicate for better security coverage.
Cybersecurity systems, however, are only as good as the threats they defend against. To ensure a firm’s cyber program is prepared to defend against new or prevalent threats, access to real time threat intelligence is critical. In 2023, we will likely see forums and platforms expanding to share threat intelligence across the industry.
Avoid The Same Mistake Twice
Cybersecurity should not be an all-or-nothing tick-box exercise to satisfy regulators or shareholders. Rather, it should be an ongoing continuous journey to strengthen defenses against evolving threats with updated systems and processes.
Firms can take proactive steps today to learn from 2022 - either through their own experience or those of others - to prepare for 2023. Although cybersecurity threats and regulation will inevitably evolve in the next year, many aspects will remain the same; regulators will still be watching; threat actors will still seek out the path of least resistance and basic cyber protections will still be effective.
Firms shouldn’t wait until regulators force their hand into compliance. Just as threat actors aim to remain a step ahead so should firms aim to be a step ahead of the cybercriminals, and the best time to start is today.
Simon Eyre is CISO at Drawbridge
You Might Also Read:
Ransom: Prepare For The Worst:
If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.
- Individual £5 per month or £50 per year. Sign Up
- Multi-User, Corporate & Library Accounts Available on Request
- Inquires: Contact Cyber Security Intelligence
Cyber Security Intelligence: Captured Organised & Accessible