Cybersecurity: Prepare For The Year Ahead

The cyber landscape is changing fast. Every year, organizations face new threats and tactics from threat actors who want to capitalize on the security shortfalls of financial institutions. The financial services industry remains a top target for threat actors. The sector experienced 194 data compromises that affected more than 25,000,000 victims in the first three quarters of 2022 alone. 

With the new year ahead, it is time to reflect, learn and prepare for what’s to come. 2022 was game-changing regarding evolving threats, regulation and mitigation measures, but one thing remained clear – sometimes it is best to go back to basics.

Threats & Vulnerabilities 

Over the past year, hackers regularly exploited vulnerabilities within internal company systems to execute attacks. In January, Crypto.com suffered a breach that resulted in around $34 million of stolen cryptocurrencies. Hackers gained access to the funds by exploiting a vulnerability that allowed them to bypass the mandatory multi-factor authentication (MFA).

The attack demonstrated MFA is not always foolproof - businesses must constantly evaluate their systems for vulnerabilities and quickly remediate identified vulnerabilities.  

But not all attacks this year used sophisticated tactics. Phishing and Ransomware remained the top attack vectors in 2022 with 343 and 194 respective incidents reported. In the Medibank incident, threat actors executed a ransomware attack and posted personal health information on the Dark Web after the company refused to pay the ransom. The Dark Web remains a key forum for cybercriminals to expose sensitive information they gain access to through cyberattacks. Sometimes this data is personal information, other times it is login credentials. The Dark Web looks set to remain an asset for cybercriminals in 2023. 

This year, we also saw cybercriminals taking new approaches to their phishing attacks with typosquatting.

This is when cybercriminals spoof a company domain with a slight, and potentially easily missed, misspelling that may lead a user to believe it was from a trusted party if they do not carefully check the email address. The criminal may then request access to critical company data or a wire transfer as the impersonated trusted party. This year several cases also popped up where cybercriminals would clone an entire company website with a typosquatted domain. These cloned websites are designed to lead users to click on malicious links or disclose sensitive information. More of these types of attacks have occurred recently and will likely continue into 2023.

Compliance Evolves

2022 was a notable year for financial services cybersecurity regulations, with the SEC taking a more prescriptive approach to requirements. The 2022 US SEC Division of Examinations priorities included private funds; ESG; operational resiliency and information security/cybersecurity. The priorities cover an extensive range of potential investor risks that firms should consider as they review and bolster their cybersecurity; business continuity and compliance programs. The Division also reviews the practices of broker-dealers; RIAs and other registrants to prevent interruptions to mission-critical services and protect investor information; records and assets.

Further, the SEC proposed a comprehensive rule change to solidify the expectations of a firm to achieve compliance with SEC cybersecurity requirements. The proposed rule marks the beginning of a revolutionary approach to cybersecurity. If the rule is successfully enacted, it would mean many firms would need to overhaul their cybersecurity strategy.  

The heightened focus on cybersecurity also extended to enforcement over the past year. The New York Department of Financial Services imposed fines throughout the year for non-compliance with cybersecurity regulations, including Carnival ($5M), Robinhood ($30M) and Eyemed ($4.5M).

Regulators have made it clear that they are serious about cybersecurity and are actively monitoring compliance. Those who opt to violate regulations will pay a high cost for non-compliance.

In 2023, regulators will likely continue enacting new cybersecurity regulations and enforcing existing rules. Fines for non-compliance are expected to continue to grow as regulators use them as strong encouragement for other companies to strengthen their defenses.

Ongoing Focus: Back To Basics

Cybercriminals continue to look for the route of least resistance to enter company systems and access critical data. While this is the case, many firms still do not have basic cybersecurity controls and processes. An excellent place to start is examining the CISA bad practices guide, which highlights three exceptionally risky cyber practices, including the use of unsupported (or end-of-life) software; the use of known/fixed/default passwords and the use of single-factor authentication. Firms can ensure they have baseline protections in place by avoiding these practices.
Staff training is another necessary component of successful pro-active cybersecurity preparedness. Increasingly, businesses are realizing that pre-recorded classes once a year are simply not enough.

Staff are the first line of defense to stop a cyberattack and generic training sessions cannot touch on risks and vulnerabilities specific to an organization.

In 2023, organizations will likely take a more prescriptive approach to assess vendor cyber risk. As cyberattacks in the software supply chain increase, businesses can no longer afford to receive cybersecurity information from ‘enough’ of their vendors – anything short of all vendors leaves companies at a disadvantage. Leaders are increasingly making the realization but need to act swiftly on it.

On The Horizon 

In 2023, cybercriminals will continue evolving their tactics to remain a step ahead of cybersecurity protections. Supply chain cyberattacks will remain prevalent and a single attack on a widely used vendor in the financial services industry can result in a widespread outage. The 2020 SolarWinds attack is a prime example of what this can look like, but firms cannot let their guard down simply because the attack happened two years ago – cyberattacks often happen when least expected.

But as cyber risks evolve, so will cybersecurity systems. Extended detection and response (XDR) systems are increasingly becoming a valuable tool for firms to assess their cyber risks across the entire organization by creating continuity across siloed systems and applications. XDR combines the power of endpoint detect and response services with other traditional network security controls to provide a better overall picture of abnormal activity from more than one data point. The technology continues a trend in cybersecurity where technologies communicate for better security coverage. 

Cybersecurity systems, however, are only as good as the threats they defend against. To ensure a firm’s cyber program is prepared to defend against new or prevalent threats, access to real time threat intelligence is critical. In 2023, we will likely see forums and platforms expanding to share threat intelligence across the industry.

Avoid The Same Mistake Twice

Cybersecurity should not be an all-or-nothing tick-box exercise to satisfy regulators or shareholders. Rather, it should be an ongoing continuous journey to strengthen defenses against evolving threats with updated systems and processes.

Firms can take proactive steps today to learn from 2022 - either through their own experience or those of others - to prepare for 2023. Although cybersecurity threats and regulation will inevitably evolve in the next year, many aspects will remain the same; regulators will still be watching; threat actors will still seek out the path of least resistance and basic cyber protections will still be effective.

Firms shouldn’t wait until regulators force their hand into compliance. Just as threat actors aim to remain a step ahead so should firms aim to be a step ahead of the cybercriminals, and the best time to start is today.

Simon Eyre is CISO at Drawbridge

You Might Also Read: 

Ransom: Prepare For The Worst:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Web Browser Attacks & How To Combat Them
Spying On Mobile Phone Calls »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Continuity Shop

Continuity Shop

Continuity Shop provides training and consultancy in Business Continuity and Information Security to some of the world's biggest organisations.

Virtual Security

Virtual Security

Virtual Security provides solutions in the field of managed security services, network security, secure remote work, responsible internet, application security, encryption, BYOD and compliance.

Cyber adAPT

Cyber adAPT

Cyber adAPT offers a leading network threat detection platform (NTD) to the enterprise and ODM/OEM markets.

Rohde & Schwarz Cybersecurity

Rohde & Schwarz Cybersecurity

Rohde & Schwarz Cybersecurity provide solutions for Secure Networks, Secure Communications, Network Analysis, and Endpoint Security.

IntSights

IntSights

IntSights is an intelligence driven security provider offering rapid, accurate cyberthreat intelligence and incident mitigation in real time

Critical Infrastructures for Information and Cybersecurity (ICIC)

Critical Infrastructures for Information and Cybersecurity (ICIC)

ICIC addresses the demand for cybersecurity for National Public Sector organizations and civil and private sector organizations in Argentina.

Sysdig

Sysdig

With Sysdig teams find and prioritize software vulnerabilities, detect and respond to threats, and manage cloud configurations, permissions and compliance.

Maximus Consulting (MX)

Maximus Consulting (MX)

Maximus designs and delivers corporate-wide information security management system with our full-time IRCA Accredited consulting team.

Cyber Risk Institute (CRI)

Cyber Risk Institute (CRI)

CRI is a not-for-profit coalition of financial institutions and trade associations working to protect the global economy by enhancing cybersecurity and resiliency through standardization.

Mjenzi Cloud

Mjenzi Cloud

Mjenzi Cloud is a provider of cloud IaaS solutions including managed backup services, affordable & secure cloud virtual compute/storage/compute services, bare-metal services and cloud security.

ProofID

ProofID

ProofID is a specialist provider of Identity Access Management (IAM) solutions. We focus on the solving the complex needs of the modern enterprise.

TryHackMe

TryHackMe

TryHackMe is an online platform that teaches cyber security through short, gamified real-world labs. We have content for both complete beginners and seasoned hackers.

Noname Security

Noname Security

Noname Security detects and resolves API vulnerabilities and misconfigurations before they are exploited.

Superus Careers - Cyber Career Exchange

Superus Careers - Cyber Career Exchange

The Cyber Career Exchange is a specialized recruiting platform focused specifically on cybersecurity.

The PenTesting Company

The PenTesting Company

The PenTesting Company is owned and operated by offensive security professionals. Penetration Testing is essentially all we do.

Lavabit

Lavabit

Lavabit's Dark Internet Mail Environment is a secure, open-source, secure end-to-end communications platform for asynchronous messaging across the internet.