As the new year approaches, it is a good time to take stock of the challenges that cybersecurity teams will be facing in 2020. It’s not all new either because some well-established attack formats are perennially successful. Our focus here is on the threats that are most relevant to our core Wholesale Finance clientele.
1. Targeting the C-Suite
Email delivers more than 90% of malware, and even though the proportion of malicious email is falling, the targeting and persuasiveness of what remains is becoming more sophisticated. An area of growth here is the targeting of the C-Suite, either by contacting the executive directly or by impersonating them.
In the first variant, time-poor executives are targeted with well-researched, tailored phishing that either invites them to view something the criminals know will interest them or asks them to perform some seemingly innocuous bit of housekeeping. In the second, the executive's email is convincingly impersonated and sent to a subordinate, who is typically asked to perform an action: providing information to a third party, or paying a fake invoice that is just small enough not to raise suspicion or trip an approval threshold. The fake invoice has been a trend in its own right over recent years, built on a model of small but high-volume payments. Note that the impersonation variant rarely needs the executive's mailbox to be compromised at all: a freemail account carrying the executive's display name, a lookalike domain, or a spoofed From address with a different Reply-To is usually enough. That is why DMARC enforcement on the company domain, display-name checks at the mail gateway, and mandatory out-of-band confirmation of any payment or bank-detail change are the controls that matter most.
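The following is an added example, not code from the original post: a small header-level triage check for the impersonation variant described above. It takes an assumed executive roster and company domain (both constructed for illustration), parses the From and Reply-To headers of each message, and flags three indicators: an executive's display name on an address that is not that executive's mailbox, a lookalike of the company domain (one-character edits and common character substitutions), and a Reply-To whose domain differs from the From domain. The sample messages are constructed, not real mail.

```python
"""Triage inbound mail for executive-impersonation (BEC-style) indicators.

Added example for illustration. The roster, domain and messages below are
constructed; in practice the roster comes from the directory and the check
runs at the mail gateway or over journaled mail.
"""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-wholesale.com"   # assumed company domain
EXECUTIVES = {                             # assumed roster: normalised name -> legitimate mailbox
    "jane doe": "jane.doe@example-wholesale.com",
    "ravi patel": "ravi.patel@example-wholesale.com",
}


def normalise_name(name):
    """Fold accents, case, punctuation and repeated whitespace so 'JANE  Doe,' matches 'Jane Doe'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    folded = re.sub(r"[^a-z0-9 ]+", " ", folded.lower())
    return " ".join(folded.split())


def fold_confusables(domain):
    """Map characters commonly swapped in lookalike domains onto the letters they imitate."""
    return (domain.lower().replace("rn", "m").replace("vv", "w")
            .replace("1", "l").replace("0", "o"))


def edit_distance(a, b):
    """Plain Levenshtein distance; adequate for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse(raw_message):
    """Return the list of indicators found in one RFC 5322 message (empty list means none)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. Executive's display name on an address that is not that executive's mailbox
    exec_mailbox = EXECUTIVES.get(normalise_name(from_name))
    if exec_mailbox and from_addr.lower() != exec_mailbox:
        findings.append("DISPLAY_NAME_SPOOF")

    # 2. Sender domain that imitates the company domain (substitution or one-character edit)
    from_domain = domain_of(from_addr)
    if from_domain and from_domain != COMPANY_DOMAIN:
        if (fold_confusables(from_domain) == fold_confusables(COMPANY_DOMAIN)
                or edit_distance(from_domain, COMPANY_DOMAIN) <= 1):
            findings.append("LOOKALIKE_DOMAIN")

    # 3. Replies silently redirected to a different domain than the one shown in From
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("REPLY_TO_MISMATCH")
    return findings


SAMPLE_MESSAGES = {  # constructed for this example
    "genuine": 'From: "Jane Doe" <jane.doe@example-wholesale.com>\nTo: ap@example-wholesale.com\n'
               'Subject: Q4 numbers\n\nSee attached.\n',
    "freemail_spoof": 'From: "Jane Doe" <jane.doe.ceo@gmail.com>\nTo: ap@example-wholesale.com\n'
                      'Subject: Urgent invoice\n\nPlease pay today.\n',
    "lookalike": 'From: "Ravi Patel" <ravi.patel@examp1e-wholesale.com>\nTo: ap@example-wholesale.com\n'
                 'Subject: Supplier details\n\nUpdated bank details attached.\n',
    "reply_to": 'From: "Jane Doe" <jane.doe@example-wholesale.com>\nReply-To: <jane.doe@mail-example.net>\n'
                'To: ap@example-wholesale.com\nSubject: Quick favour\n\nAre you at your desk?\n',
}


def scan_all(messages=SAMPLE_MESSAGES):
    """Run analyse() over a dict of name -> raw message and return name -> findings."""
    return {name: analyse(raw) for name, raw in messages.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(f"{name:15s} {findings or 'clean'}")
```

The check is deliberately header-only so it can run before any content inspection, and it does not replace DMARC: the `reply_to` sample shows a From address that passes the roster check because the sender simply spoofed it, which only DMARC alignment or a reply-to rule will catch. Name matching is exact after normalisation, so "Doe, Jane" would not match "Jane Doe"; a production rule would also compare token sets and short forms.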
2. Ransomware and Cyber-Insurance
Ransomware attacks were down in the first half of 2019, but they became more targeted, with the net result being an increase in attacks on enterprises and public institutions. The number of reported ransomware variants is also growing at a much higher rate than at this time last year. One reason for the new focus is the growth of cyber-insurance, especially in the US. Insurance caps the financial damage of a worst-case incident, but it also gives attackers a reason to expect payment. Insurers work from the numbers: as long as criminals keep the ransom cheaper than the cost of recovering data or of lost earnings during downtime, and they do, insurers tend to pay out, despite repeated advice not to from agencies such as the FBI. The result is that attackers are specifically targeting companies and public institutions such as schools, healthcare providers and local government that have cyber-insurance in place, and a policy document found on a compromised network tells them exactly what the payout ceiling is. This trend is likely to continue as the global cyber-insurance market is forecast to grow to $14B by 2022, with Financial Services a key vertical.
3. 5G and the Internet of Things
5G is the enabler that the Internet of Things [IoT] has been waiting for. Multi-gigabit mobile download speeds (10Gbps peak) and latency in the order of 1ms are a game changer, pushing the processing of data out to the locations where it is collected and making huge changes to user experience in many contexts. Although devices haven't been connected at the exponential rates of early predictions, there will still be in the order of 10 billion connected devices (excluding phones and laptops) by the end of 2020, and 5G will catalyze the adoption rate. 5G will have profound implications for consumer finance, insurance and banking. It remains to be seen how it will directly affect wholesale finance operations, but there will certainly be security implications.
In non-consumer finance, a 5G-enabled IoT will affect four main areas that are currently at differing levels of maturity:
- Generic – employee and company assets including mobiles, wearables, wireless printers and peripherals etc.
- Asset – real-time monitoring of client and company assets for (a) usage behavior, especially vehicles and buildings, and (b) security, for facility access and for assets in transit.
- Automation – of trading and investment activity based on market surveillance and AI pricing engines.
- Compliance – as FinTech seeks to address issues of market manipulation, live surveillance also monitors the traders.
IoT attacks are already well established, and more connections mean more exposure to botnets, DDoS, RFID spoofing, Trojans, malware and malicious scripts. With smart consumer gadgets there is a tendency to skip encryption and limit firmware updates in favor of minimizing cost and weight. It is important to develop policy around these devices, to keep an inventory of what is actually connected to the company's networks, and to track the threats that come with each class of device. FinTechs must treat security as a core aspect of their offerings, with relevant expertise applied throughout development. Any hardware brought in needs the processing headroom to run encryption and to take regular, signed firmware updates for its whole service life, and an appropriate level of protection should be a purchasing criterion rather than an afterthought. On the plus side, 5G could facilitate a higher level of security if harnessed wisely.
4. Biometric Complacency
Biometric-enabled security is an IoT feature. At the end of 2018, security commentators were warning firms not to become too complacent about biometric security. Its adoption has been accelerated by convenience, but industry insiders feared it may be inferior to multifactor authentication in an enterprise setting. It must have been a sobering moment for some when, in March, reports showed that the face unlock on the Samsung Galaxy S10, which relies on the front camera alone with no depth sensing, could be fooled by a video of the owner's face. A lack of regulation in biometric technologies means that some solutions are bound to be inferior, but it's hard to know which until it's too late. Real-world criminals wouldn't exploit these systems using the glue fingerprints or laser-etched contact lenses we've seen in Mission Impossible and Charlie's Angels. They'd be seeking access to the biometric database, where the stored templates offer almost unhindered access. Biometrics are identifiers rather than secrets: a leaked fingerprint or face template cannot be rotated the way a password can. So, even for a strong biometric system, it is essential that the stored data is held as irreversible templates rather than raw images, that matching happens on the device (in a secure element where the platform offers one) rather than against a central store, and that whatever is stored centrally is encrypted and protected to the highest possible standard. To avoid an unauthorized individual walking through the front door, it is equally critical that any authentication token the system issues after a successful match is diligently protected, since stealing the token bypasses the biometric entirely.
5. Counterfeits and Clones
High global demand for electronics is driving increased production of new devices, infrastructure and spare parts. The use of scarce resources in modern electronics puts pressure on the supply chain, which in turn increases the opportunities for counterfeit components to find their way into the market and gives threat actors a practical distribution method for malicious hardware. This means that secure, end-to-end supply chain management, including physical inspection, has to be demonstrated for any devices that an organization uses or that are used by any vendors with access to sensitive production systems or private data. Physical inspection catches crude fakes; for components that carry firmware, verifying signed firmware and using hardware attestation where the platform supports it closes more of the gap. As long ago as 2008 the annual value of the counterfeit electronics trade was estimated as high as $100B, so this is a pervasive problem.
6. Shadow IT
Some estimates attribute as many as 33% of corporate IT security breaches to vulnerabilities exposed in Shadow IT. The term refers to IT systems that have been set up without the authorization and control of an organization's central IT department. One familiar example is people using services such as Dropbox or Google Drive for collaboration and storage; others include pulling code from sharing platforms or using personal devices to access secured enterprise resources. These problems aren't new, but then neither are most attacks: by one widely quoted estimate, 99% of the vulnerabilities exploited in 2020 will be ones already known to security teams. A more recent trend is the adoption of PaaS and IaaS services, especially in development scenarios.
To those in charge of security, these may seem like irritating acts of rebellion, but they are also a sign of people trying to get work done quickly. So, rather than banning the use of third-party infrastructure altogether, it is better to bring this activity in line with company-wide policies without sacrificing the efficiency gains. Software-defined micro-segmentation can be useful in enforcing a consistent policy when multiple Cloud environments are in use.
Any new tools and applications need to be added to the company IT environment at some point, and this should be able to happen without disruption. To achieve this, security and compliance guidelines should be clearly communicated and enforced so that any new development takes place within a defined security framework. Any new apps, tools or services created in a Shadow IT environment should then be fully compliant by the time they emerge into the glare of company scrutiny and before they go live.
7. Regulation
Regulations are not a direct security threat; however, a data breach is likely to flag up a breach of compliance, and the fines for that are potentially just as damaging. The General Data Protection Regulation [GDPR] was adopted by the EU in 2016, has been enforceable since May 2018, and applies to any company controlling or processing the data of EU residents. It demands that privacy be respected and gives individuals control over the use and custody of their personal data. California applies its equivalent, the CCPA, from 1/1/2020, and other US states have already taken similar action. GDPR enforcement ramped up in July when the UK Information Commissioner's Office [ICO] flexed its muscles and announced its intention to impose landmark fines on British Airways and Marriott Hotels. The proposed British Airways fine of £183m, for allowing the theft of data from around 500,000 website users, was equivalent to 1.5% of global turnover; GDPR allows fines of up to 4%.
MiFID II, also a European regulatory standard, applies to European capital markets and affects counterparties worldwide. Where GDPR demands privacy, this regulation demands transparency, so that the conversations leading up to a trade can be reconstructed in order to investigate suspicious behavior. Not only is failure to adhere to the regulation punishable, but companies can also be punished for failing to demonstrate the technical ability to comply. MiFID II builds on MiFID and various national-level regulations. As well as capturing data, record-keeping and reporting are key aspects. Although MiFID II fines haven't ramped up yet, fines have been applied on both sides of the Atlantic for reporting and record-keeping breaches. For example, the FCA fined Goldman Sachs International £34.3m in March 2019 for transaction reporting failures, and in November the CFTC imposed a further $1m on Goldman Sachs for failing to record trader phone lines. We can expect this type of penalty to increase substantially, and the trend towards even more damaging and costly criminal charges will also continue.
We will be back in January to discuss new methodologies designed to cope with evolving threats and work paradigms.