Cybersecurity: Prepare For The Year Ahead

The cyber landscape is changing fast. Every year, organizations face new threats and tactics from threat actors who want to capitalize on the security shortfalls of financial institutions. The financial services industry remains a top target for threat actors. The sector experienced 194 data compromises that affected more than 25,000,000 victims in the first three quarters of 2022 alone. 

With the new year ahead, it is time to reflect, learn and prepare for what’s to come. 2022 was game-changing regarding evolving threats, regulation and mitigation measures, but one thing remained clear – sometimes it is best to go back to basics.

Threats & Vulnerabilities 

Over the past year, hackers regularly exploited vulnerabilities within internal company systems to execute attacks. In January, Crypto.com suffered a breach that resulted in around $34 million of stolen cryptocurrencies. Hackers gained access to the funds by exploiting a vulnerability that allowed them to bypass the mandatory multi-factor authentication (MFA).

The attack demonstrated MFA is not always foolproof - businesses must constantly evaluate their systems for vulnerabilities and quickly remediate identified vulnerabilities.  

But not all attacks this year used sophisticated tactics. Phishing and Ransomware remained the top attack vectors in 2022 with 343 and 194 respective incidents reported. In the Medibank incident, threat actors executed a ransomware attack and posted personal health information on the Dark Web after the company refused to pay the ransom. The Dark Web remains a key forum for cybercriminals to expose sensitive information they gain access to through cyberattacks. Sometimes this data is personal information, other times it is login credentials. The Dark Web looks set to remain an asset for cybercriminals in 2023. 

This year, we also saw cybercriminals taking new approaches to their phishing attacks with typosquatting.

This is when cybercriminals spoof a company domain with a slight, and potentially easily missed, misspelling that may lead a user to believe it was from a trusted party if they do not carefully check the email address. The criminal may then request access to critical company data or a wire transfer as the impersonated trusted party. This year several cases also popped up where cybercriminals would clone an entire company website with a typosquatted domain. These cloned websites are designed to lead users to click on malicious links or disclose sensitive information. More of these types of attacks have occurred recently and will likely continue into 2023.

Compliance Evolves

2022 was a notable year for financial services cybersecurity regulations, with the SEC taking a more prescriptive approach to requirements. The 2022 US SEC Division of Examinations priorities included private funds; ESG; operational resiliency and information security/cybersecurity. The priorities cover an extensive range of potential investor risks that firms should consider as they review and bolster their cybersecurity; business continuity and compliance programs. The Division also reviews the practices of broker-dealers; RIAs and other registrants to prevent interruptions to mission-critical services and protect investor information; records and assets.

Further, the SEC proposed a comprehensive rule change to solidify the expectations of a firm to achieve compliance with SEC cybersecurity requirements. The proposed rule marks the beginning of a revolutionary approach to cybersecurity. If the rule is successfully enacted, it would mean many firms would need to overhaul their cybersecurity strategy.  

The heightened focus on cybersecurity also extended to enforcement over the past year. The New York Department of Financial Services imposed fines throughout the year for non-compliance with cybersecurity regulations, including Carnival ($5M), Robinhood ($30M) and Eyemed ($4.5M).

Regulators have made it clear that they are serious about cybersecurity and are actively monitoring compliance. Those who opt to violate regulations will pay a high cost for non-compliance.

In 2023, regulators will likely continue enacting new cybersecurity regulations and enforcing existing rules. Fines for non-compliance are expected to continue to grow as regulators use them as strong encouragement for other companies to strengthen their defenses.

Ongoing Focus: Back To Basics

Cybercriminals continue to look for the route of least resistance to enter company systems and access critical data. While this is the case, many firms still do not have basic cybersecurity controls and processes. An excellent place to start is examining the CISA bad practices guide, which highlights three exceptionally risky cyber practices, including the use of unsupported (or end-of-life) software; the use of known/fixed/default passwords and the use of single-factor authentication. Firms can ensure they have baseline protections in place by avoiding these practices.
Staff training is another necessary component of successful pro-active cybersecurity preparedness. Increasingly, businesses are realizing that pre-recorded classes once a year are simply not enough.

Staff are the first line of defense to stop a cyberattack and generic training sessions cannot touch on risks and vulnerabilities specific to an organization.

In 2023, organizations will likely take a more prescriptive approach to assess vendor cyber risk. As cyberattacks in the software supply chain increase, businesses can no longer afford to receive cybersecurity information from ‘enough’ of their vendors – anything short of all vendors leaves companies at a disadvantage. Leaders are increasingly making the realization but need to act swiftly on it.

On The Horizon 

In 2023, cybercriminals will continue evolving their tactics to remain a step ahead of cybersecurity protections. Supply chain cyberattacks will remain prevalent and a single attack on a widely used vendor in the financial services industry can result in a widespread outage. The 2020 SolarWinds attack is a prime example of what this can look like, but firms cannot let their guard down simply because the attack happened two years ago – cyberattacks often happen when least expected.

But as cyber risks evolve, so will cybersecurity systems. Extended detection and response (XDR) systems are increasingly becoming a valuable tool for firms to assess their cyber risks across the entire organization by creating continuity across siloed systems and applications. XDR combines the power of endpoint detect and response services with other traditional network security controls to provide a better overall picture of abnormal activity from more than one data point. The technology continues a trend in cybersecurity where technologies communicate for better security coverage. 

Cybersecurity systems, however, are only as good as the threats they defend against. To ensure a firm’s cyber program is prepared to defend against new or prevalent threats, access to real time threat intelligence is critical. In 2023, we will likely see forums and platforms expanding to share threat intelligence across the industry.

Avoid The Same Mistake Twice

Cybersecurity should not be an all-or-nothing tick-box exercise to satisfy regulators or shareholders. Rather, it should be an ongoing continuous journey to strengthen defenses against evolving threats with updated systems and processes.

Firms can take proactive steps today to learn from 2022 - either through their own experience or those of others - to prepare for 2023. Although cybersecurity threats and regulation will inevitably evolve in the next year, many aspects will remain the same; regulators will still be watching; threat actors will still seek out the path of least resistance and basic cyber protections will still be effective.

Firms shouldn’t wait until regulators force their hand into compliance. Just as threat actors aim to remain a step ahead so should firms aim to be a step ahead of the cybercriminals, and the best time to start is today.

Simon Eyre is CISO at Drawbridge

You Might Also Read: 

Ransom: Prepare For The Worst:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Web Browser Attacks & How To Combat Them
Spying On Mobile Phone Calls »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Centre for the Protection of National Infrastructure (CPNI)

Centre for the Protection of National Infrastructure (CPNI)

CPNI works with the National Cyber Security Centre (NCSC), Cabinet Office and lead Government departments and agencies to drive forward the UK's cyber security programme to counter cyber threats.

Kuratorium Sicheres Österreich (KSO)

Kuratorium Sicheres Österreich (KSO)

KSO is an independent non-profit association that has set itself the goal of making Austria safer as a national networking and information platform for topics of internal security.

ArcRan Information Technology

ArcRan Information Technology

ArcRan concentrates on developing comprehensive cybersecurity solutions for smart city applications. We believe that cybersecurity is the fundamental enabler of IoT development.

Amadeus Capital Partners

Amadeus Capital Partners

Amadeus Capital Partners offers over 20 years’ experience in technology investment. Our areas of focus include AI & machine learning and cyber security.

MassMutual Ventures

MassMutual Ventures

Mass Mutual ventures backs companies building category-defining businesses in markets including enterprise software, digital health, cybersecurity, and fintech.

InsightCyber

InsightCyber

InsightCyber is on a mission to keep the world’s critical infrastructure, supply chains, and manufacturing operations cyber-safe, helping to prevent attacks that can have catastrophic impacts.

Two Six Technologies

Two Six Technologies

Two Six Technologies delivers R&D, innovation, productization and implementation expertise in cyber, data science, mobile, microelectronics and information operations.

Cybrella

Cybrella

Cybrella offers professional cybersecurity services for small to medium sized businesses and to larger enterprises looking to expand their cybersecurity capabilities.

Park Place Technologies

Park Place Technologies

Park Place Technologies' mission is to drive uptime, performance and value for critical IT infrastructure.

Avocado Consulting

Avocado Consulting

Avocado helps clients deliver with certainty on their complex IT change, with technology services that automate, monitor and optimise.

Cygna Labs

Cygna Labs

Cygna Labs is a software developer and one of the top three global DDI (DNS, DHCP, and IP address management) vendors.

Frontal

Frontal

Frontal is a specialized unit in Blockchain and Web3.0 cybersecurity. Securing Digital Assets, Cryptocurrency, DeFi, Blockchain and Web3.0 ecosystem.

American Binary

American Binary

American Binary is a Quantum Safe Networking (TM) and post-quantum encryption company.

Hummingbird International

Hummingbird International

Hummingbird International, LLC offers services for the collection, audit, computer recycling and safe disposal of laptops, monitor/LCD, hard drives, and IT disposal.

Cork

Cork

Cork is a purpose-built cyber warranty company for managed service providers (MSPs) serving small businesses (SMBs) and the software solutions they manage.

XONA

XONA

XONA is The Zero Trust user access platform for the OT enterprise. Secure operational access to critical systems - from anywhere.

Bedrock Security

Bedrock Security

Bedrock Security is at the forefront of revolutionizing data security in the cloud and GenAI era.