Cybersecurity: Prepare For The Year Ahead

The cyber landscape is changing fast. Every year, organizations face new threats and tactics from threat actors who want to capitalize on the security shortfalls of financial institutions. The financial services industry remains a top target for threat actors. The sector experienced 194 data compromises that affected more than 25,000,000 victims in the first three quarters of 2022 alone. 

With the new year ahead, it is time to reflect, learn and prepare for what’s to come. 2022 was game-changing regarding evolving threats, regulation and mitigation measures, but one thing remained clear – sometimes it is best to go back to basics.

Threats & Vulnerabilities 

Over the past year, hackers regularly exploited vulnerabilities within internal company systems to execute attacks. In January, Crypto.com suffered a breach that resulted in around $34 million of stolen cryptocurrencies. Hackers gained access to the funds by exploiting a vulnerability that allowed them to bypass the mandatory multi-factor authentication (MFA).

The attack demonstrated MFA is not always foolproof - businesses must constantly evaluate their systems for vulnerabilities and quickly remediate identified vulnerabilities.  

But not all attacks this year used sophisticated tactics. Phishing and Ransomware remained the top attack vectors in 2022 with 343 and 194 respective incidents reported. In the Medibank incident, threat actors executed a ransomware attack and posted personal health information on the Dark Web after the company refused to pay the ransom. The Dark Web remains a key forum for cybercriminals to expose sensitive information they gain access to through cyberattacks. Sometimes this data is personal information, other times it is login credentials. The Dark Web looks set to remain an asset for cybercriminals in 2023. 

This year, we also saw cybercriminals taking new approaches to their phishing attacks with typosquatting.

This is when cybercriminals spoof a company domain with a slight, and potentially easily missed, misspelling that may lead a user to believe it was from a trusted party if they do not carefully check the email address. The criminal may then request access to critical company data or a wire transfer as the impersonated trusted party. This year several cases also popped up where cybercriminals would clone an entire company website with a typosquatted domain. These cloned websites are designed to lead users to click on malicious links or disclose sensitive information. More of these types of attacks have occurred recently and will likely continue into 2023.

Compliance Evolves

2022 was a notable year for financial services cybersecurity regulations, with the SEC taking a more prescriptive approach to requirements. The 2022 US SEC Division of Examinations priorities included private funds; ESG; operational resiliency and information security/cybersecurity. The priorities cover an extensive range of potential investor risks that firms should consider as they review and bolster their cybersecurity; business continuity and compliance programs. The Division also reviews the practices of broker-dealers; RIAs and other registrants to prevent interruptions to mission-critical services and protect investor information; records and assets.

Further, the SEC proposed a comprehensive rule change to solidify the expectations of a firm to achieve compliance with SEC cybersecurity requirements. The proposed rule marks the beginning of a revolutionary approach to cybersecurity. If the rule is successfully enacted, it would mean many firms would need to overhaul their cybersecurity strategy.  

The heightened focus on cybersecurity also extended to enforcement over the past year. The New York Department of Financial Services imposed fines throughout the year for non-compliance with cybersecurity regulations, including Carnival ($5M), Robinhood ($30M) and Eyemed ($4.5M).

Regulators have made it clear that they are serious about cybersecurity and are actively monitoring compliance. Those who opt to violate regulations will pay a high cost for non-compliance.

In 2023, regulators will likely continue enacting new cybersecurity regulations and enforcing existing rules. Fines for non-compliance are expected to continue to grow as regulators use them as strong encouragement for other companies to strengthen their defenses.

Ongoing Focus: Back To Basics

Cybercriminals continue to look for the route of least resistance to enter company systems and access critical data. While this is the case, many firms still do not have basic cybersecurity controls and processes. An excellent place to start is examining the CISA bad practices guide, which highlights three exceptionally risky cyber practices, including the use of unsupported (or end-of-life) software; the use of known/fixed/default passwords and the use of single-factor authentication. Firms can ensure they have baseline protections in place by avoiding these practices.
Staff training is another necessary component of successful pro-active cybersecurity preparedness. Increasingly, businesses are realizing that pre-recorded classes once a year are simply not enough.

Staff are the first line of defense to stop a cyberattack and generic training sessions cannot touch on risks and vulnerabilities specific to an organization.

In 2023, organizations will likely take a more prescriptive approach to assess vendor cyber risk. As cyberattacks in the software supply chain increase, businesses can no longer afford to receive cybersecurity information from ‘enough’ of their vendors – anything short of all vendors leaves companies at a disadvantage. Leaders are increasingly making the realization but need to act swiftly on it.

On The Horizon 

In 2023, cybercriminals will continue evolving their tactics to remain a step ahead of cybersecurity protections. Supply chain cyberattacks will remain prevalent and a single attack on a widely used vendor in the financial services industry can result in a widespread outage. The 2020 SolarWinds attack is a prime example of what this can look like, but firms cannot let their guard down simply because the attack happened two years ago – cyberattacks often happen when least expected.

But as cyber risks evolve, so will cybersecurity systems. Extended detection and response (XDR) systems are increasingly becoming a valuable tool for firms to assess their cyber risks across the entire organization by creating continuity across siloed systems and applications. XDR combines the power of endpoint detect and response services with other traditional network security controls to provide a better overall picture of abnormal activity from more than one data point. The technology continues a trend in cybersecurity where technologies communicate for better security coverage. 

Cybersecurity systems, however, are only as good as the threats they defend against. To ensure a firm’s cyber program is prepared to defend against new or prevalent threats, access to real time threat intelligence is critical. In 2023, we will likely see forums and platforms expanding to share threat intelligence across the industry.

Avoid The Same Mistake Twice

Cybersecurity should not be an all-or-nothing tick-box exercise to satisfy regulators or shareholders. Rather, it should be an ongoing continuous journey to strengthen defenses against evolving threats with updated systems and processes.

Firms can take proactive steps today to learn from 2022 - either through their own experience or those of others - to prepare for 2023. Although cybersecurity threats and regulation will inevitably evolve in the next year, many aspects will remain the same; regulators will still be watching; threat actors will still seek out the path of least resistance and basic cyber protections will still be effective.

Firms shouldn’t wait until regulators force their hand into compliance. Just as threat actors aim to remain a step ahead so should firms aim to be a step ahead of the cybercriminals, and the best time to start is today.

Simon Eyre is CISO at Drawbridge

You Might Also Read: 

Ransom: Prepare For The Worst:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Web Browser Attacks & How To Combat Them
Spying On Mobile Phone Calls »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Tendo Solutions

Tendo Solutions

Tendo Solutions provides intelligence, security, forensics and risk solutions to clients across different sectors and jurisdictions.

Parasoft

Parasoft

Parasoft is an independent software testing and software quality assurance tool and solution vendor.

EuroISPA

EuroISPA

EuroISPA is a pan European association of European Internet Services Providers Associations and the world’s largest association of ISPs.

Ethoca

Ethoca

Ethoca is a secure network for card issuers and merchants to connect and work cooperatively outside the payment network in a unique and powerful way.

Paygilant

Paygilant

Paygilant’s disruptive technology is designed to protect mobile payment  financial transactions against fraudulent attacks, whether executed by NFC, QR code, P2P or in-app.

Crosscheck Networks

Crosscheck Networks

Crosscheck products allow you to test your APIs across different protocols and message formats with functional automation, performance, and security testing capabilities.

Infosistem

Infosistem

Infosistem is a Croatian ICT company with extensive expertise and experience in enterprise and SMB ICT projects and solutions.

Havelsan

Havelsan

HAVELSAN is a leading technology company in Turkey developing indigenous systems for domestic and foreign military, public and private sector clients.

BotRx

BotRx

BotRx is the only AI-enabled, automated fraud protection technology that allows fast & easy deployment - continually keeping invisible bad bots and agents at bay, so you can rest easy.

Smart Protection

Smart Protection

Smart Protection are experts in brand and trademark protection - we fight against counterfeits and unauthorized usages of brands with machine learning technology.

Nubeva Technologies

Nubeva Technologies

Nubeva provide a breakthrough TLS Decrypt solution with Symmetric Key Intercept to gain the visibility needed to monitor and secure network traffic.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Debevoise & Plimpton

Debevoise & Plimpton

Debevoise & Plimpton LLP is a premier law firm with market-leading practices in areas including Data Strategy & Security.

ProArch

ProArch

ProArch is a global team of multidisciplinary experts in cloud, infrastructure, data analytics, cybersecurity, compliance, and software development.

Infima Cybersecurity

Infima Cybersecurity

INFIMA tackle the hard parts of managing your Security Awareness Training program so you can focus elsewhere.

CyberGrape

CyberGrape

CyberGrape is a client centric managed services company, providing enterprise leading security solutions and helping companies through their IT risk and security challenges.