Cyber Threat Intelligence in Financial Services

December 5, 2022

On October 13th, Kaspersky, the global leader in Cybersecurity, and Cyber Capital HQ had the pleasure of organizing a roundtable to discuss the latest Cybersecurity trends in Financial Services.

Cyber Capital HQ partners with Kaspersky on many dimensions of Enterprise Cybersecurity, including Threat Intelligence, which is particularly relevant in the Financial Services industry. We are an ISO27001-certified consulting and advisory company in Cybersecurity strategy and technology. We approach Cybersecurity in a Digital Transformation context to help our clients build resilience and strengthen their security posture across all organizational levels. By working at the intersection of policy and technology, we take an enterprise-wide risk management approach to Cybersecurity. As a part of a security strategy and remediation roadmap, we leverage multiple security and compliance frameworks, such as ISO27001, CIS controls, and NIST, to give structure and visibility into an organization’s information security management system.

Governance, Risk, and Compliance thus drive our approach to Cybersecurity. By building bridges between IT and business functions, we bring Cybersecurity to a Board Level agenda, translating Cyber risks into business risks. As Cyber can get very technical, distinguishing between strategic and operational advisory to keep both technical and business-oriented audiences interested and attuned is essential.

From a risk management perspective, our goal is to minimize the likelihood and impact of cyber incidents and build resilience across all levels of the organization. We raise security maturity from reactive to proactive and adaptive security, ideally bringing an organization into a low-impact, low-risk environment.

Cybersecurity breaches and incidents are inevitable. A data breach occurs every 39 seconds. As such, we should implement safeguards, countermeasures, and controls across people, processes, and technology to reduce the likelihood and minimize the cost of incidents. Good Cybersecurity should make it difficult for threat actors to break into a system.

Cybersecurity is also a cultural issue, and through education and training, we can build a safer world and foster a security culture within businesses and organizations.

In the last few years, the accelerated pace of Digital Transformation and new hybrid ways of working has presented several challenges and opportunities for security practitioners. To build more robust and efficient infrastructures, one of the challenges organizations face is finding the proper unifying framework between multiple layers of technology. Orchestration, integration, interoperability, and standardization will continue to be essential issues to address. Whether we look at people, processes, or technology, we see ecosystems and platforms.

Rather than looking at various point solutions working independently, we should take a platform approach to Cybersecurity where multiple solutions communicate, share information, and work in synergy. Cybersecurity is also becoming a systemic risk, with possible domino effects, thus the need for increased cooperation and collaboration between organizations and practitioners across multiple countries. Within or across organizations, silos may hinder Cybersecurity progress and effort. Finding the proper framework for collaboration and cooperation is a delicate balance, as there will always be a trade-off between transparency and protection.

We need transparency for collaboration and information sharing, but we also must maintain various degrees of protection. On the one hand, organizations are protecting their sensitive data, network, and infrastructure. On the other hand, transparency and information sharing require a degree of openness and trust. Lack of communication may hinder transparency, collaboration, and information-sharing efforts.

Cyberattacks show no signs of abating, and we are experiencing a rather unprecedented cyber arms race between attackers and defenders. Some notable breaches have affected the financial services sector. The average cost of a data breach amounts to 4 million USD, and it takes on average 277 days to detect a data breach. NotPetya has caused more than 100 billion USD of damages, costs, and supply chain disruption.

We are also experiencing new attacks emerging as threat actors combine multiple attack vectors, such as DDoS with ransomware. Statistics show that 70% of DDoS attacks are accompanied by some other form of malware or ransomware. A DDoS attack can, for instance, take down a firewall, a WAF, and other devices, making it easier for threat actors to break into a system and disseminate ransomware. A DDoS attack is typically an attack on the availability of resources. By combining DDoS with other malware, threat actors extend the scope of the attack across the CIA (Confidentiality, Integrity, and Availability) triad, and thus the potential damage, disruption, and associated costs.

Security practitioners seek to ensure confidentiality, integrity, availability, safety, and privacy while protecting an organization’s critical assets, such as personally identifiable information and sensitive data.

Security aims to prevent risks from becoming realized by addressing vulnerabilities and blocking threat agents and events from jeopardizing assets through vulnerability exploitation.

Closing all of the gaps all of the time would prove a daunting task. Organizations should instead take a proactive approach, prioritizing their security strategy to protect their most valuable and critical assets. Filtering out the most relevant security events to minimize impact and incident costs will contribute to building operational and infrastructure resilience.

Security should be cost-effective. If the cost of any countermeasure is greater than the asset’s value (the cost of risk), it is better to accept the risk. Obtaining the best security for the price is essential to security management. As such, Cybersecurity should be a business enabler. Ideally, security should not come at the expense of the loss of privacy and usability. We should instead foster a virtuous cycle between security, privacy, and usability.

Kaspersky and CCHQ recently published a report on Cybersecurity trends in financial services. We interviewed 200 IT decision-makers from the financial services industry for their opinions on IT security. 78.6% were from senior or middle management; 54% worked in companies with 50-499 employees and 46% in companies with more than 1000 employees.

Employee breaches and spear phishing reached a peak during the pandemic. 98% experienced at least one breach, whether an employee disregarding security practices, a spear-phishing attack, a generic malware attack, or a targeted attack. 70% of respondents rate their IT threat level as high, and 86% of the C-suite are openly concerned.

Most think their company can defend against attacks, but only 28% felt strongly about this, and only 37% of IT security professionals felt strongly about this. Only 48% believe they have a business continuity plan, with a lower share among IT security professionals; the figure is 50% for large financial institutions and 63.2% for small financial institutions.

Companies realize that a lack of employee awareness heightens the risk of non-compliance. (70% believe that non-compliance with regulations increases risk, 40% fear the financial impact of regulatory fines, and 53% among the C-suite). 49% attribute security incidents to employees through remote working, disregarding company policies, and lack of essential cybersecurity awareness. Only 37% said all IT professionals were trained, and only 24% of C-suite had followed sufficient training.

Respondents allocate the IT security budget to compensate for the lack of in-house expertise. 74% rate the cyber threat level as high. 85% think their funding is adequate for the next two years. But 54% think they lack the in-house know-how to protect themselves. Over 30% felt strongly about this, and 85% want to work with external providers, especially among small businesses with 50-249 employees.

More than 99.5% of respondents use at least one Threat Intelligence service covering malware analysis, APT reports, and targeted attack discovery. More than a third would like security assessments, threat data feeds, and threat lookups used to improve incident response.

On the question of regulation, we noted that compliance does not equate to security; security is much broader than compliance. Companies should look at security beyond a compliance tick-the-box exercise and ensure it is effective. In that context, measuring the effectiveness of security controls is essential. In addition to establishing an information security policy and related rules, procedures, and guidelines, one should deploy mechanisms to ensure a satisfactory degree of compliance with, and enforceability of, the requirements of the information security policy.

We also noted that several risks might emerge from regulatory initiatives. A disconnect between policymakers and the market may have several adverse consequences, including developing regulations without sufficient involvement from the market and industry practitioners. The market needs better regulatory frameworks that allow market efficiency. The cybersecurity industry has many directives but requires a comprehensive legislative framework that would increase the degree of accountability for market and industry practitioners. Due to the cross-border and multi-jurisdictional nature of the Cybersecurity technology and threat landscape, harmonizing cross-border and cross-jurisdictional legislative and regulatory frameworks will remain challenging.

We should approach Cybersecurity in the context of Digital Sovereignty. Digital Sovereignty is first about cultivating locally produced solutions in Cybersecurity, supporting the local ecosystem. Secondly, it is about ensuring that local laws are obeyed within the jurisdictions of a sovereign country or, in the case of the EU, across the whole region. Each country has its own cultural norms. There is ongoing work on standardizing Cybersecurity norms and acceptable behavior on the Internet. Countries can have different stances on digital sovereignty and, at the same time, agree on common themes that everybody would sign up for; that is a necessary process to harmonize relationships and produce a baseline that is applicable everywhere.

We already see in the Brexit agreement a disconnection of the flow of security intelligence from European sources such as Europol to the UK. There will likely be more fracturing, balkanization, and separation of sovereign digital identities. On the other hand, this is an argument for the broad establishment of cyber norms, which are crucial. Even if countries want their local systems to differ from each other's, there will undoubtedly be some agreement on standards across all countries, for example, related to cybercrime, money laundering regulation, or undesirable kinds of content on the Internet. A situation like Brexit increases the importance of establishing norms across sovereign boundaries.

Kaspersky has developed excellent visibility on threat actors worldwide, with advanced capabilities to monitor the underground sphere and understand how new advanced threats and malware emerge. We notice an increase in the sophistication level of malware. Threat actors develop commodity crimeware against financial organizations with APT-like evasion capabilities. The capabilities of modern crimeware have become very sophisticated. Tools like Brute Ratel or Cobalt Strike are highly advanced cyber weapons that can evade sophisticated EDR systems. With a shift to work from home and sometimes blurred lines between corporate and private networks, threat actors are going after home computers as they are less protected.

We also notice that the underlying code of malware and ransomware is evolving more professionally, using non-standard cryptography like elliptic curves and other unusual mathematical algorithms. These developments can be swift, and they suggest that some IT professionals in countries like Russia are moving to the dark side because of financial instability. Threat intelligence for financial institutions will thus remain the best source of information, and will become even more relevant in this evolving and sophisticated threat landscape, for protecting against and investigating Cyber threats.

Regarding future trends, as threat actors leverage artificial intelligence and automation to develop more sophisticated cyberattacks and weapons, we should apply artificial intelligence, machine learning, and automation to defensive mechanisms to address the challenges experienced in Security Operations Centres (SOCs), such as alert fatigue, the skill gap, and an evolving and more sophisticated threat landscape. Automation should be efficient, and it works best on optimized processes. There will be a continuous need for SOCs and OCs, independently of their scale, to optimize resource-to-capacity ratios and address the skill gap.

Cybersecurity is a global problem that requires a global response. Cooperation, collaboration, information sharing, and effective capacity building supported by sound technology at the cross-border level will remain important ways to continue strengthening Cyber resilience.

By Jean Lehmann, CEO, Cyber Capital HQ
