In the picturesque haven of Davos, enveloped by the shimmering Landwasser, the 2023 World Economic Forum unfolded, echoing sailors’ warnings of an imminent storm: the escalating menace of cyberattacks. INTERPOL’s secretary general, Jürgen Stock, called for a unified global stand against this digital tempest.
Meanwhile, Oxford’s Professor Sadie Creese warned of an impending “cyber storm”, marked by escalating incidents of phishing, ransomware and distributed denial-of-service (DDoS) attacks, the last of which saw a chilling 79% surge.
Mirroring this concern, the 2023 Global Cybersecurity Outlook report found that an alarming 91% of business leaders anticipate a major cyber event within the next two years. Yet the challenge of bolstering their digital defenses persists.
Financial Services in the Crosshairs
While sectors like energy, public transportation, and manufacturing face substantial threats, the scope of potential targets is expanding. Every organization that holds consumer data, regardless of its magnitude, is at risk. The financial sector, a cornerstone of the global economy, is no exception.
Charting the Tides
Ransomware threats have intensified since 2020, exacerbated by the pandemic-driven surge in online interactions.
Approximately 37% of global organizations reported falling victim to ransomware in 2021. Everyone, from industry giants to small ventures, is a potential victim of the relentless surge of automated ransomware, DDoS and bot attacks. For some, these attacks signify a digital demise.
Picture ransomware as malicious software that encrypts a victim’s files, making them inaccessible, and demands a ransom for the key that releases them. With the automated kind, the entire assault, from intrusion to encryption, unfolds without human intervention, which increases its scale and speed and makes it especially dangerous. DDoS attacks, meanwhile, are cyber floods that overwhelm a target system with torrents of traffic, making it inaccessible to legitimate users. Because the traffic arrives from many sources at once, blocking any single address does little, which makes these assaults hard to counter. Bot attacks, conducted through a botnet (a collection of infected internet-connected devices under an attacker’s control), also contribute to these large-scale digital crimes and are the usual delivery vehicle for DDoS floods.
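To make the difference between a single loud attacker and a distributed flood concrete, here is an added example (not code from the original article) that runs simple flood detection over constructed web-server access-log lines in Common Log Format. The thresholds, the 10-second window and the sample traffic (which uses documentation address ranges) are all assumptions chosen for illustration; a real deployment would tune them to the service’s normal traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \d+$')


def parse_line(line):
    """Return (source_ip, unix_seconds) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    stamp = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), int(stamp.timestamp())


def detect_floods(lines, window=10, per_ip_limit=50, total_limit=200):
    """Bucket requests into fixed windows and flag two flood shapes:
    - single-source: one IP alone exceeds per_ip_limit in a window
    - distributed: the remaining, individually quiet sources together exceed total_limit
    Thresholds are illustrative assumptions, not values from the article."""
    counts = defaultdict(lambda: defaultdict(int))  # bucket -> ip -> requests
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not counted
        ip, ts = parsed
        counts[(ts // window) * window][ip] += 1

    alerts = []
    for bucket in sorted(counts):
        by_ip = counts[bucket]
        noisy = {ip: n for ip, n in by_ip.items() if n > per_ip_limit}
        for ip in sorted(noisy):
            alerts.append({"kind": "single-source", "bucket": bucket,
                           "source": ip, "count": noisy[ip]})
        quiet = {ip: n for ip, n in by_ip.items() if ip not in noisy}
        quiet_total = sum(quiet.values())
        if quiet_total > total_limit:
            # Nobody is loud on their own, yet the aggregate is a flood:
            # per-IP blocking would not have caught this.
            alerts.append({"kind": "distributed", "bucket": bucket,
                           "sources": len(quiet), "count": quiet_total})
    return alerts


def make_sample_log():
    """Constructed sample traffic (not real data) using RFC 5737 documentation ranges."""
    def line(ip, second):
        return f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET /login HTTP/1.1" 200 512'
    lines = []
    # 13:55:00-09: one source sends 60 requests in ten seconds
    lines += [line("203.0.113.9", i % 10) for i in range(60)]
    # 13:55:20-29: 25 sources send 10 requests each; none is loud on its own
    lines += [line(f"198.51.100.{k}", 20 + j) for k in range(1, 26) for j in range(10)]
    # 13:55:40-49: normal background traffic
    lines += [line(f"192.0.2.{k}", 40 + k) for k in (1, 2, 3) for _ in range(2)]
    return lines


if __name__ == "__main__":
    for alert in detect_floods(make_sample_log()):
        print(alert)
```

Run as-is, the script reports one single-source alert for 203.0.113.9 and one distributed alert for the 25 quiet sources; the background traffic in the third window produces nothing. The distributed case is the one the paragraph warns about: each source stays under the per-IP limit, so only the aggregate view reveals the flood.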
The surge in teleconferencing, another pandemic legacy, has made these platforms attractive targets. In response, companies must strengthen their defenses and secure the sensitive data shared during virtual meetings. In 2021, over 30% of companies reported a breach of their videoconferencing systems.
A Thrust against Ebbing Currents
Hope cuts through the gloom. On one hand, the industry is edging towards passwordless authentication because of the well-known frailty of passwords. Techniques such as biometric authentication, using fingerprints or facial recognition, are steering us away from the precarious shores of password insecurity. In most such schemes the biometric unlocks a cryptographic credential held on the user’s device rather than being sent to the service, which is what removes the reusable secret an attacker could phish or replay.
On the other hand, this shift raises concerns about safeguarding personal and sensitive data under the General Data Protection Regulation (GDPR) in the European Union. Biometric data processed to uniquely identify a person is a special category of personal data under the GDPR. The regulation, in force since 2018, prohibits processing such data except under a limited set of conditions, among them explicit consent and certain employment-related obligations authorised by Union or Member State law.
TechTarget hails 2023 as the year of passwordless authentication, owing to the prevalence of smartphones that facilitate multifactor authentication (MFA). Yet these solutions have drawbacks: they rely on the availability and signal reception of the user’s mobile device and on the accurate transcription of a one-time code. TechRadar suggests that these inconveniences hinder the adoption of SMS codes and one-time passcodes. From a security standpoint, a code the user types is also one the user can be tricked into typing into a phishing page, so SMS and app-generated one-time codes raise the bar against password reuse but are not phishing-resistant in the way device-bound credentials are.
Steering the Financial Ship Amidst Cyber Waves
Foremost Perils in Organizational Waters
According to a survey from Delinea, a Privileged Access Management (PAM) solutions provider, most companies fail to navigate the stormy seas of cyber threats well. Only 39% of respondents believe their leadership understands cybersecurity’s vital role, and barely a third see it as essential for compliance. Respondents link this disconnect to more successful cyberattacks and to delayed investments and strategic decisions.
The words from the Davos forum echo loudly as the rising global economic uncertainty further complicates the alignment between business objectives and cybersecurity.
SMEs, grappling with rising inflation and energy costs, cannot afford to ignore the looming cyber threats, nor the need for a robust disaster recovery plan. According to the business insurer Hiscox, a small business is breached by cyber pirates every 19 seconds, and 79% have faced a cyberattack in the past year, as reported by Typetec.
In 2023, an EY/IIF survey found that 72% of global Chief Risk Officers (CROs) ranked cybersecurity as the top risk for the year, followed by credit and environmental risks. As aptly put by Chief Security Scientist and Advisory CISO Joseph Carson:
“Executive leaders need to think of cybersecurity not only in terms of ticking the compliance box or protecting the company, but also in terms of the value it can deliver at a more strategic level.”
The Calm Before the Storm?
Proofpoint’s 2023 State of the Phish report warns that global cybersecurity threats are climbing back to their pandemic-peak levels. Alarmingly, 68% of Chief Information Security Officers (CISOs) from 16 countries anticipate a cyberattack within the next year. The report also underscores that as cyberattacks become more scalable and innovative, user awareness lags, exposing organizations to ransomware, phishing, insider threats and the financial losses that follow. Only a third of organizations run phishing simulations, down from 41% in 2021, while financial losses from successful phishing attacks rose by 76%. Also, 64% of infected organizations agreed to pay the ransom, with 90% receiving support from cyber insurance.
In today’s climate of “quiet quitting” and the hunt for talent, another storm is brewing: the growing untenability of the CISO role. A worrying 61% of CISOs reported unreasonable job expectations, 62% feared personal liability, and 60% experienced burnout in the past year. Adding to the woes, a 2021 report by Code42 found that departing employees are increasingly taking sensitive company data with them, with “data exposure events” rising by 40% between the first halves of 2020 and 2021. As a remedy, lawyer Ng Lip Chih recommends tailored employment contracts with explicit non-competition, IP ownership and enforceable confidentiality clauses to deter intellectual property theft. Such clauses deter rather than prevent; they work best alongside prompt revocation of access when someone leaves and monitoring for bulk movement of data in the weeks before departure.
Cyber threats pose critical business risks, including operational disruption, lawsuits and credit downgrades. But solutions do exist.
Guiding the Financial Sector Through the Storm
Secure digital voyages
In the digital business world, cybersecurity must serve as a steadfast anchor, prioritizing data protection with unwavering commitment:
- All entities, especially those in the financial sector, should comply with applicable cybersecurity regulations, keep offline (and ideally immutable) backups of sensitive data so that a ransomware attack cannot reach them, and run continuous monitoring, including AI-driven detection tools.
- Cybersecurity should be viewed as a strategic investment, not just an expense. A comprehensive cybersecurity policy acts as a roadmap: it defines its scope, identifies the assets that need protection, assigns roles, sets access-control rules, defines how security incidents are reported, specifies data and system protection measures, ensures software is kept up to date, and lays out a disaster recovery strategy.
- Financial leaders should prioritize controls such as multi-factor authentication, zero-trust architecture and web application firewalls. Regular reassessment of the evolving threat landscape is essential to stay ahead of attackers. As the digital domain expands, cybersecurity becomes the guiding compass for a secure and prosperous voyage.
- Firms should invest in digital skills training for their employees. Those that have invested report higher efficiency, revenue growth and reduced staff turnover.
- Firms can strengthen their cybersecurity by seeking guidance from government and accreditation bodies, thereby thwarting unauthorized access and equipping themselves with current security and encryption protocols.
Support from the Big Ships
Firms can improve their cybersecurity using national and local government resources designed to help organizations navigate the complex cyber threat landscape.
- In Luxembourg, the Luxembourg House of Cybersecurity (LHC) serves as the safe harbor for all cybersecurity-oriented ventures within the country’s digital waters. Its intent is to make full use of, and further cultivate, innovation, skills, cooperative ties and capacity enhancement. The National Cybersecurity Competence Center (NC3) also promotes cybersecurity capacity and competence development in organizations at risk, fosters a strong cybersecurity industrial base, and drives research towards technological excellence in cybersecurity.
- In Germany, the national cybersecurity initiative aims to secure information technology. The Federal Cabinet adopted the 2021 Cyber Security Strategy for Germany, providing a roadmap for the country’s cybersecurity for the next five years. The strategy focuses on four areas: society, private industry, government, and EU/international affairs.
- In the United Kingdom, the National Cyber Security Centre (NCSC) offers small organizations a free cyber action plan, including a quick online assessment and a customized plan to enhance their cybersecurity posture.
Countries worldwide, from Europe to the United States and Canada, provide similar support for businesses. Organizations aiming to enhance their cyber defenses and stay updated with evolving data privacy laws can benefit from these resources.
In the complex digital era, the need for stronger cyber defenses grows with every escalation in threats. Financial institutions must fortify their defenses or face severe repercussions. Despite the emergence of security measures like passwordless authentication, persistent vulnerabilities remain. The frequent absence of a clear cybersecurity strategy leads to more successful cyberattacks and hampers business continuity.
The solution lies in a holistic cybersecurity approach that encompasses compliance, secure data storage, threat awareness, and employee training.
In the shadow of mounting cyber threats lies an opportunity. Financial institutions, and indeed all businesses, can recognize the risks, adjust their strategies, and act decisively. Investing in cybersecurity is not just an expenditure; it’s a vital shield for an organization’s reputation and longevity. In the Fourth Industrial Revolution, neglecting cybersecurity is akin to navigating blindly through a storm: perilous and potentially catastrophic.
GDPR, Article 9 – « Processing of special categories of personal data », paragraph 1: “Processing of […] biometric data for the purpose of uniquely identifying a natural person […] shall be prohibited.” Paragraph 2 provides that this rule “shall not apply if one of the following applies:”, including, under point (b), where the “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment […] in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.”
As quoted in the article: “Global Research from Delinea Reveals That 61% of IT Security Decision Makers Think Leadership Overlooks the Role of Cybersecurity in Business Success” – IT Wire (last accessed: 17 May 2023) https://itwire.com/guest-articles/guest-research/global-research-from-delinea-reveals-that-61-of-it-security-decision-makers-think-leadership-overlooks-the-role-of-cybersecurity-in-business-success.html