Cybersecurity: Prepare For The Year Ahead

The cyber landscape is changing fast. Every year, organizations face new threats and tactics from threat actors who want to capitalize on the security shortfalls of financial institutions. The financial services industry remains a top target for threat actors. The sector experienced 194 data compromises that affected more than 25,000,000 victims in the first three quarters of 2022 alone. 

With the new year ahead, it is time to reflect, learn and prepare for what’s to come. 2022 was game-changing regarding evolving threats, regulation and mitigation measures, but one thing remained clear – sometimes it is best to go back to basics.

Threats & Vulnerabilities 

Over the past year, hackers regularly exploited vulnerabilities within internal company systems to execute attacks. In January, Crypto.com suffered a breach that resulted in around $34 million of stolen cryptocurrencies. Hackers gained access to the funds by exploiting a vulnerability that allowed them to bypass the mandatory multi-factor authentication (MFA).

The attack demonstrated that MFA is not always foolproof: businesses must constantly evaluate their systems for vulnerabilities and quickly remediate any they identify.

But not all attacks this year used sophisticated tactics. Phishing and ransomware remained the top attack vectors in 2022, with 343 and 194 reported incidents respectively. In the Medibank incident, threat actors executed a ransomware attack and posted personal health information on the Dark Web after the company refused to pay the ransom. The Dark Web remains a key forum for cybercriminals to expose sensitive information they gain access to through cyberattacks. Sometimes this data is personal information, other times it is login credentials. The Dark Web looks set to remain an asset for cybercriminals in 2023.

This year, we also saw cybercriminals taking new approaches to their phishing attacks with typosquatting.

This is when cybercriminals spoof a company domain with a slight, easily missed misspelling, which may lead a user who does not carefully check the email address to believe a message came from a trusted party. The criminal, impersonating that trusted party, may then request access to critical company data or a wire transfer. This year several cases also emerged in which cybercriminals cloned an entire company website on a typosquatted domain. These cloned websites are designed to lead users to click on malicious links or disclose sensitive information. More of these types of attacks have occurred recently and will likely continue into 2023.
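A mail-filter check for the lookalike sender domains described above can be sketched as follows. This is an added example, not part of the original article; the trusted domains, the substitution table and the sample addresses in the comments are constructed for illustration.

```python
# Added example: flag sender domains that are near-misses of trusted domains.
# TRUSTED is a constructed allow-list; a real one would hold the firm's own
# domains and those of its counterparties.
TRUSTED = {"acmefunds.example", "acme-custody.example"}

# Common visual substitutions collapsed before comparison (assumed, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so 'acrnefunds' compares equal to 'acmefunds'."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. 'fnuds' vs 'funds', counts as one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED, max_edits: int = 2):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        # Not an exact match, yet visually or typographically close: suspicious.
        if skeleton(domain) == skeleton(good) or osa_distance(domain, good) <= max_edits:
            return ("lookalike", good)
    return ("unknown", None)
```

With short trusted domains, a `max_edits` of 2 will also match unrelated names, so the threshold should be tuned against real mail flow before lookalike results are used to quarantine messages.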

Compliance Evolves

2022 was a notable year for financial services cybersecurity regulations, with the SEC taking a more prescriptive approach to requirements. The 2022 US SEC Division of Examinations priorities included private funds, ESG, operational resiliency and information security/cybersecurity. The priorities cover an extensive range of potential investor risks that firms should consider as they review and bolster their cybersecurity, business continuity and compliance programs. The Division also reviews the practices of broker-dealers, RIAs and other registrants to prevent interruptions to mission-critical services and protect investor information, records and assets.

Further, the SEC proposed a comprehensive rule change to solidify the expectations of a firm to achieve compliance with SEC cybersecurity requirements. The proposed rule marks the beginning of a revolutionary approach to cybersecurity. If the rule is successfully enacted, it would mean many firms would need to overhaul their cybersecurity strategy.  

The heightened focus on cybersecurity also extended to enforcement over the past year. The New York Department of Financial Services imposed fines throughout the year for non-compliance with cybersecurity regulations, including on Carnival ($5M), Robinhood ($30M) and EyeMed ($4.5M).

Regulators have made it clear that they are serious about cybersecurity and are actively monitoring compliance. Those who opt to violate regulations will pay a high cost for non-compliance.

In 2023, regulators will likely continue enacting new cybersecurity regulations and enforcing existing rules. Fines for non-compliance are expected to continue to grow as regulators use them as strong encouragement for other companies to strengthen their defenses.

Ongoing Focus: Back To Basics

Cybercriminals continue to look for the route of least resistance to enter company systems and access critical data. Even so, many firms still do not have basic cybersecurity controls and processes. An excellent place to start is examining the CISA bad practices guide, which highlights three exceptionally risky cyber practices, including the use of unsupported (or end-of-life) software, the use of known/fixed/default passwords and the use of single-factor authentication. Firms can ensure they have baseline protections in place by avoiding these practices.

Staff training is another necessary component of successful proactive cybersecurity preparedness. Increasingly, businesses are realizing that pre-recorded classes once a year are simply not enough.

Staff are the first line of defense to stop a cyberattack and generic training sessions cannot touch on risks and vulnerabilities specific to an organization.

In 2023, organizations will likely take a more prescriptive approach to assessing vendor cyber risk. As cyberattacks in the software supply chain increase, businesses can no longer afford to receive cybersecurity information from ‘enough’ of their vendors – anything short of all vendors leaves companies at a disadvantage. Leaders are increasingly realizing this but need to act on it swiftly.

On The Horizon 

In 2023, cybercriminals will continue evolving their tactics to remain a step ahead of cybersecurity protections. Supply chain cyberattacks will remain prevalent and a single attack on a widely used vendor in the financial services industry can result in a widespread outage. The 2020 SolarWinds attack is a prime example of what this can look like, but firms cannot let their guard down simply because the attack happened two years ago – cyberattacks often happen when least expected.

But as cyber risks evolve, so will cybersecurity systems. Extended detection and response (XDR) systems are increasingly becoming a valuable tool for firms to assess their cyber risks across the entire organization by creating continuity across siloed systems and applications. XDR combines the power of endpoint detection and response services with other traditional network security controls to provide a better overall picture of abnormal activity from more than one data point. The technology continues a trend in cybersecurity where technologies communicate for better security coverage.

Cybersecurity systems, however, are only as good as the threats they defend against. To ensure a firm’s cyber program is prepared to defend against new or prevalent threats, access to real-time threat intelligence is critical. In 2023, we will likely see forums and platforms expanding to share threat intelligence across the industry.

Avoid The Same Mistake Twice

Cybersecurity should not be an all-or-nothing tick-box exercise to satisfy regulators or shareholders. Rather, it should be an ongoing journey to strengthen defenses against evolving threats with updated systems and processes.

Firms can take proactive steps today to learn from 2022 - either through their own experience or those of others - to prepare for 2023. Although cybersecurity threats and regulation will inevitably evolve in the next year, many aspects will remain the same: regulators will still be watching, threat actors will still seek out the path of least resistance and basic cyber protections will still be effective.

Firms shouldn’t wait until regulators force their hand into compliance. Just as threat actors aim to remain a step ahead, so should firms aim to be a step ahead of the cybercriminals, and the best time to start is today.

Simon Eyre is CISO at Drawbridge
