
The Banker, in partnership with Akamai, brings together a panel of experts to discuss how cyberthreats and cybersecurity are evolving in 2023.

The past year has seen a massive increase in cyberthreats, with financial institutions facing a barrage of attacks via multiple vectors. The Banker gathered together a group of European cybersecurity experts to discuss the state-of-play and how their cybersecurity strategies will evolve in 2023.

  • Paul Branley, director of security strategy, architecture, intelligence and assurance, Lloyds Banking Group
  • Sergio Fidalgo, chief information security officer, BBVA
  • Matt Payne, regional director, Europe, the Middle East and Africa financial services industry, Akamai
  • Chris Ulliott, chief information security officer, NatWest

Q: What were the major developments in cyberthreats over the past year?

Paul Branley: The cybersecurity community started 2022 at a fast pace dealing with the Log4j [a popular Java logging framework] vulnerability, then quickly shifted gears as threat levels rose following the war in Ukraine. Intelligence-led action was taken to improve resilience within individual organisations and collectively across sectors, in parallel, to move to a state of heightened readiness. All this was in addition to a backdrop throughout the year of increasing numbers of data breaches, zero-days, ransomware and supply-chain attacks.

Sergio Fidalgo: The most significant developments in cyberthreats during the past year have been the use of legitimate infrastructure in malware campaigns and the emergence of ransomware-as-a-service. Other notable developments include the systematic discovery and exploitation of major zero-day vulnerabilities, such as the Follina [a remote code execution vulnerability] and Log4Shell [a zero-day vulnerability in Log4j] cases. Smishing [attacks via mobile text messaging] and phishing campaigns, which are used to acquire log-in credentials and other sensitive information, have been on the rise during this period as well. Additionally, the growth of malicious artificial intelligence (AI)-driven malware and spam is a trend among the weapons used by the threat actors.

Matt Payne: The past year was very eventful in cybersecurity. The conflict in Ukraine was preceded by a massive rise in cybercrime activity, particularly in Europe, which continues to reverberate today.

For the financial services sector in particular, 2022 was a bumper year for cybercriminals. According to Akamai data, web application and application programming interface attacks against financial services firms grew by 257% year-on-year. This growth is just staggering, and underlines how organisations must remain vigilant in 2023 and beyond. In the face of such unprecedented emerging threats, complacency is not an option.


Chris Ulliott: Despite predictions of ‘cybergeddon’ linked to the Russian invasion of Ukraine, the past 12 months have primarily seen an evolution of previous years. Phishing, cloud misconfiguration, weak passwords and lack of patching have been main themes. That said, there has been a steady increase of high-profile breaches hitting software-as-a-service companies. Over the festive season alone, four high-profile breaches were disclosed. And, as organisations outsource critical services, it will become an increasingly targeted area as the impact of a single breach is that much greater.

Q: What’s on the horizon in the world of phishing and cyberfraud in 2023?

Mr Ulliott: In an area such as this, where the environment is rapidly changing, it’s a brave soul who tries to predict the future. But there are a number of key themes that are likely to dominate 2023. While mass phishing will continue and undoubtedly increase in sophistication (in part due to the use of machine learning enabling more people to create convincing phishing emails), there is already a trend to more business email compromise attacks, where email systems are compromised and then used to send emails to targets, either to facilitate fraud or to add additional credibility to a targeted phishing attack.

Mr Fidalgo: The number of phishing attacks and cyberfraud attacks will continue to grow this year. The sophistication of the techniques used by the attackers will continue to increase, with the aim to make the attacks more difficult to detect by potential victims.

The main challenge for companies will be to minimise the impact of these attacks through the continuous training and awareness of employees and clients to help them identify these social engineering attacks, the continuous evolution of the monitoring and detection techniques and controls implemented and the automation of the response to these attacks. The use of AI and machine learning techniques to reinforce the efficiency and automation of cybersecurity strategies will be essential to fight cybercrime.

Mr Branley: While phishing continues to be the most common precursor to cyber attacks, including cyber-enabled fraud, defensive measures are also improving. A multi-layered approach, including two-factor authentication, secure web browsers, modern anti-malware mechanisms, and a strong education and awareness programme for staff can help to protect organisations.

Despite these improvements, we know that fraudsters will continue to find new ways to carry out their attacks, and we expect to see social-engineering techniques evolve beyond simple email phishing, to deep fakes, AI and machine learning, for example.

Mr Payne: A recent research report published by Akamai (State of the Internet: Enemy at the Gates) estimates approximately 80% of cyberattackers aim their efforts at customers of financial firms (not the companies themselves), as the path of least resistance for monetary gain.

Because phishing and cyberfraud targets are often consumers, criminals’ tactics tend to evolve in response to current events, such as the Covid-19 pandemic, with a huge wave of associated cyber crime. In 2023, this could be the cost-of-living crisis, the conflict in Ukraine or some other unforeseen event entirely. It’s inherently challenging to predict, which is why banks need ongoing monitoring in place, together with state-of-the-art solutions.

Q: What can be done to mitigate the damage of a potential ransomware attack?

Mr Payne: To protect against ransomware attacks, we must limit access between machines to make it harder for the attacker to traverse the network. This can be targeted specifically against the protocols and services that ransomware campaigns often exploit. Early detection is key to effective protection against ransomware attacks. To catch ransomware attacks early, strong visibility across the whole network is essential as it expedites spotting bad actors and any related unauthorised movement across the network, allowing prompt action.

Deception tools such as lures, honeypots [a decoy to lure cyberattackers] or distributed detection platforms can also be effective in attracting ransomware attackers towards them, making it easier to identify attempted active breaches in progress.

Mr Ulliott: Prevention is always better than a cure – for example ensuring good cyber hygiene, such as the use of multi-factor authentication, and robust patching. However, the use of robust separation between systems, deployment of zero-trust principles, data encryption and regularly created, tested, offline backups can limit the impact of a breach while facilitating a more rapid recovery. It is especially important to regularly exercise these capabilities, in the same way as companies practice fire drills. It’s important to exercise incident processes so that everyone (including the board) knows what their role is and what is (and often isn’t) expected of them.

Mr Fidalgo: To mitigate the damage of a potential ransomware attack, companies have to continuously reinforce the security controls implemented to monitor their network and system infrastructure and to detect these types of attacks. The response will be more effective if the ransomware attack is detected straightaway.

An adequate system vulnerability management process and the implementation of preventive controls are also essential to minimise the risk of a ransomware attack.

Finally, incident response procedures and business continuity plans (including reliable back-up copies) are also essential to ensure an immediate response and to mitigate the damage of a potential ransomware attack. These plans have to be periodically tested to ensure they are effective in case they have to be activated.

Mr Branley: Ransomware is one of the biggest threats and has seen exponential growth in recent years. Often ransomware attacks can lead to high returns for pure-play cybercriminals and traditional organised crime groups, so it is essential to get the basics right: stay on top of patching, segment your environment to contain any breach, and have a robust and well-rehearsed back-up and recovery play book. No individual or company is immune, so while prevention is the aim, response and recovery are equally as important.

Q: How can network segmentation help defend against a cyberattack? Where does it make the most impact?

Mr Fidalgo: Network segmentation is an essential element of the cybersecurity strategy of any company. It is essential to ensure the adequate segmentation not only of development, test and production environments, but also of critical assets in production environments, like payment applications or Swift in the case of financial entities.

Network segmentation will not avoid a cyberattack but, if it has been well designed and maintained, it will help to minimise the impact of the attack, restricting the impact to specific network segments, avoiding lateral movements and preventing the expansion of the attack across the company’s network infrastructure.

Mr Ulliott: There is an old adage when discussing cyberattacks – it’s a matter of when, not if, you’ll be breached. To that end, it’s very important to implement strategies that minimise the impact of a successful attack. Segmenting systems, and placing security controls between them, helps minimise the ‘blast radius’ and damage that occurs when something inevitably goes wrong. This has the advantage that it is harder for an intruder to move around a network, increasing the chance that the defensive teams will spot them early in the intrusion.


Mr Branley: Over the past few years society and business have taken advantage of the opportunities presented by the digital domain and embarked on creating a more interconnected world. While this has had many advantages, it has also meant that any cyberbreach or malicious activity can result in a widespread impact.

Segmentation, including network segmentation, is the best way to turn the tide on this issue, as it helps to reduce the blast radius, prevent lateral movement, shrink the attack surface and minimise the business impact of a breach.

Mr Payne: Network segmentation is akin to the hull of a modern ship. If breached, damage should be limited, because the hull is compartmentalised and will stop water flow across the entire vessel.

This principle applies to networks. If your network is unsegmented and a ransomware attacker penetrates your outer defences, they can move laterally across the network wreaking havoc. However, if your network is segmented, the would-be attacker will encounter obstacles that can help contain or even prevent such attacks.

As cybercriminals work hard to circumnavigate these defences, we see micro-segmentation (advanced segmentation) as a vital tool to limit blast radius, contain would-be attacks and prevent network takeover.

Q: What regulatory challenges do financial firms face in cybersecurity and data protection?

Mr Branley: Data is the new oil. Cybersecurity and data regulation is crucial in the digital domain to drive best practices and raise the overall bar for protecting personal data and preventing cyberattacks. A lot of key legislation is evolving and being published in the EU, US and UK, which will help achieve this.

Mr Payne: Financial service regulators safeguard public interests with respect to the provision of critical national infrastructure, ensuring expectations in such areas as service availability, privacy and data protection are fully compliant.

Key financial organisations, therefore, require third-party solutions to adhere to regulations set today, with the understanding that these can be flexed and adjusted as required to meet the standards of tomorrow.

A partnership with any third-party vendor should therefore incorporate collaborative working methodologies (such as design partnerships, customer advisory boards, etc), in order to support the capacity to remain in lockstep with ongoing needs specific to the finance industry.

Mr Ulliott: Historically, and quite rightly, regulatory attention has been focussed on preventing attacks from being successful. But recent times have seen a move to what is colloquially known as ‘cyber resilience’: the ability to continue to deliver a service and protect customer data during extreme events will be under increased scrutiny. This will likely include increased attention to the industry’s collective supply chain, especially where there is concentration risk.

I’m also following the [Financial Conduct Authority’s] Consumer Duty legislation closely, as this may also have impact on the playbooks that are deployed should an incident occur.

Mr Fidalgo: The main regulatory challenge during the next year will be the adequacy of the financial entities to the Digital Operational Resilience Act (Dora).

BBVA considers Dora as an opportunity for the digital transformation of the EU’s financial services because it establishes requirements that will enhance security in the financial sector, which is an essential element of digital transformation. Dora establishes information and communications technology (ICT) risk management requirements, requires a proportional digital operational resilience testing programme and an ICT third party risk management strategy and allows cyberthreat and intelligence information sharing. All these elements will strengthen resilience, stability and confidence in the financial sector.

Q: How will your overall cyber strategy evolve in 2023 and beyond?

Mr Fidalgo: BBVA’s security strategy resides on four fundamental pillars: cybersecurity, data security, physical security and security in business processes and fraud. A programme has been designed for each of these pillars, with the aim to reduce the risks identified. These programmes, which consider security industry best practices established by internationally accepted security standards, are periodically reviewed to evaluate the progress and the effective impact on the group risks.

Our strategy will continue evolving to tackle the new risks related to emerging technologies and the increase in the risk exposure as a result of the adoption of cloud and teleworking, among other factors. The evolution of the cyber strategy is based on a proactive approach, considering market proposals and the attack trends detected by BBVA’s intelligence services.


Mr Ulliott: Supply chain has been a recurring theme over the past 12 months and, as a result, our strategy will evolve to match that threat. Change happens at a rapid pace in a digital business and there are an ever-increasing range of suppliers, components and building blocks that make up a modern bank. This will require increased focus to ensure the associated risks continue to be well managed.

Mr Branley: The only constant will be change. Our cyber strategy will adapt, focusing on: cloud security, data protection and privacy at scale; automation of security tasks; increased visibility across our ever-evolving IT landscape; horizon risks like quantum and AI; and increased use of enterprise-level data science to provide better insights into malicious activity and areas where we can improve further.

Mr Payne: Just as financial services firms strengthen their cybersecurity strategy heading into the year, threat actors are innovating new ways to execute increasingly nefarious acts. Therefore, financial institutions and their partners need a security mindset in every business decision, plus visibility across complex environments (multi-cloud, containers, third-party vendors, etc).

The depth and breadth of our customer base, meanwhile, provides unique intelligence across the global threatscape, allowing real-time actions and enabling proactive decisions for the benefit of all customers. This helps in areas including bot impact and managing abusive behaviour via anti-fraud solutions, etc, to maintain an optimal defensive posture despite this constant evolution.

Sponsored by: Akamai