There is little doubt that 2016 will eclipse the cybercarnage we’ve already endured.
Here’s what FDIC Chairman Martin Gruenberg recently told the House Committee on Financial Services:
“Cybersecurity … in 2015 rose to the top of the list of potential emerging threats and vulnerabilities as a result of the increase in the number and severity of cyber incidents and the real costs this issue presents in terms of risk assessment and mitigation. Given the deliberate and increasingly sophisticated attempts to disrupt institutions and markets, and given the increasing reliance on complex and interconnected technologies, it is clear these incidents will continue and will require heightened attention in the years to come.”
And here’s what the OCC says in its just-released semiannual risk assessment:
“Operational risk is elevated for a number of reasons. These include the amount and pace of internally and externally initiated change, greater interconnectedness and interdependencies, increased sophistication of cyber threats, and pervasive technology vulnerabilities. While high operational risk has been primarily concentrated in the largest banks, it is also increasing among smaller banks.”
What we’ll be up against
It’s worthwhile, then, to take a look at the specific threats that emerged this year, and to take educated guesses as to what to look out for next year.
For example, OCC’s risk assessment specifically mentions a scam called “business email compromise”:
“BEC [is] a sophisticated scam targeting businesses by forging payment requests for legitimate vendors but directing the funds to the cyber criminal’s account. The FBI’s Internet Crime Complaint Center reported approximately $800 million in losses between October 2013 and August 2015 because of BEC schemes.”
Kaspersky Lab, which is in the business of tracking and thwarting digital threats, adds these to the list of emerging issues:
• Ransomware—This involves malware placed on machines that locks them down or otherwise threatens harm to businesses unless demands are met. It’s typically in the form of what’s called “CryptoLocker attacks.”
Kaspersky Lab detected such malware on 50,000 corporate machines and notes that the ransom demanders directed their attacks to corporate entities, rather than individuals, because the corporates were more likely to pay and were more likely to pay higher amounts.
• Focus on financial institutions—“In 2015, cybercriminals and advanced persistent threats groups focused a great deal of attention on financial services organizations, such as banks, investment funds, and both stock and currency exchanges, including those handling cryptocurrencies,” Kaspersky says.
One attack, dubbed Carbanak, penetrated the networks of banks, seeking out critical systems that would allow it to withdraw money.
• Point of sale—Kaspersky says it blocked more than 11,500 attempts to hack into POS devices this year.
• Diversification—Hackers demonstrated an increased propensity to switch their attack targets. For example, one notorious team from China was observed this year switching targets from computer game companies to those in pharmaceuticals and telecommunications.
Looking forward, “the future cyber landscape for businesses includes a new attack vector: infrastructure, because almost all of an organization’s valuable data is stored on servers in data centers,” says Yury Namestnikov, senior security researcher at Kaspersky.
The Financial Services Information Sharing and Analysis Center also has weighed in on what it sees as primary cyberthreats in 2016:
• Email will continue to be a primary vehicle for injecting malware and conducting reconnaissance, including targeted attacks on senior executives.
As security teams improve email filtering and examination capabilities and users become more aware of email tactics, the delivery of malware may migrate to web pages or online advertising (often referred to as “malvertizing”). [Note: This relates directly to OCC’s warning above about BEC attacks.]
• Adversaries will continue to abuse the trust that individuals have with each other and with trusted assets.
They will do so by impersonating a trusted individual or entity in order to deceive, destroy, disrupt, or steal.
• Adversaries will continue to target the financial services industry for foreign espionage operations, stealing funds, obtaining sensitive information, disrupting operations, destroying data/equipment, or harming the reputation of financial institutions.
• News media coverage of cyber threats will rise.
This exposure will lead to greater fear, uncertainty, and doubt, which will draw security teams away from real threats to respond instead to specious media reports. While debate among U.S. presidential campaigns has yet to focus on cyber threats, the policy debate will include cyber threats and mitigation strategies.
So this is what the industry has to face in 2016.
To be sure, there will be lots of head scratching regarding exactly what to do to counter all these threats. EY recently issued three top trends that companies should address in their 2016 planning:
• Prepare for the inevitable cyber breach—Cyber-savvy companies and their boards are demanding more information about the specific threats they face. They are evaluating their resources, bolstering protection for critical assets, and preparing for incursions by advanced threat actors.
• Focus on the individual—While statutory safeguards exist to protect and motivate whistleblowers, companies are expected to fully identify all individuals who take part in corporate wrongdoing if they are to secure credit for cooperation with the authorities.
• Protect data privacy, while sharing information—The ongoing focus on how personal information is handled internationally and how commercial information is shared between companies and the government during a cyber-breach investigation will drive companies to revisit their information governance strategies.
Much has been said already about cybersecurity, but there is no doubt that the conversation will intensify in 2016. The cybercriminals will see to that.
Sources used in this article include: