Cyber round-up: part two

by Mark Rowe

Over nine in ten (94pc) financial services companies are confident in their cyber security posture. However, high confidence is being tempered by an increase in successful cyber attacks against the sector, suggesting that further cyber security improvements must be made, according to a cyber security services firm.

Bridewell’s findings can be read in full in a new white paper, Cyber Security in Critical National Infrastructure Organisations: Financial Services. It suggests that finance organisations are outperforming their peers across the UK’s critical national infrastructure (CNI) in cyber security confidence and maturity. Organisations are taking on average just 13 days to discover a cyber attack, detecting and mitigating security threats much faster than any other CNI sector. In contrast, the transport and aviation industry takes almost two months (51 days) on average to do the same. The finance sector’s high-confidence, high-performance security posture reflects the relative maturity of organisations’ digital transformation, says the cyber firm.

But with cyber attacks rapidly expanding in volume and sophistication, most finance firms (69pc) have experienced an increase in threats during the last 12 months. Furthermore, the industry has seen the second-largest rise in cyber attacks among all UK CNI (81pc) since the outbreak of Russia’s war on Ukraine, suggesting the sector is far from immune to geopolitical cyber warfare, according to Bridewell.

Meanwhile new technologies and processes are supporting more flexible working practices. Widespread cloud adoption in particular is enabling more organisational agility but also introducing new cyber risks, Bridewell adds. Almost half (46pc) of cyber decision-makers in finance identified cloud services as the biggest potential attack route within their organisation. Similarly, compromise of remote employees (39pc) and insecure VPNs (37pc) were flagged as significant threats, demonstrating the sector’s clear awareness of the security challenges surrounding hybrid working.

Ransomware also remains a cyber concern for financial services firms, with 33pc of respondents identifying it as a top risk. This reflects a recent increase in ransomware attacks against the sector – as many as one in five cyber security incidents reported to the regulator, the Financial Conduct Authority (FCA), in 2021 were ransomware-related, up 20pc from the previous year.

Emma Leith, Director of Consulting at Bridewell, says: “The finance sector has made fantastic progress in evolving its cyber security posture, and its maturity and resilience in the face of mounting security challenges sets the standard for organisations across CNI. However, as the continued rise in attacks against the sector shows, there is always scope for improvement. Organisations must take further proactive steps to strengthen their security postures. They can achieve this by preparing and rehearsing cyber scenarios, and ensuring that a cyber threat intelligence-led approach to security is firmly embedded in everything they do.”

See also the firm’s “Cyber Security: What to Expect in 2023” white paper.

Deepfake reality

Attacks using deepfakes became far more common last year, says a remote authentication product company. The technology is hotly debated and becoming more mainstream, with bans on its non-consensual use forming an important part of the draft of the UK Online Safety Bill, going through Parliament. Cyber attackers can create 3D videos that trick systems into thinking the real consumer is trying to authenticate.

Last year also saw the first use of a new type of synthetic digital attack – novel face swaps – which combine existing video or live streams and superimpose another identity over the original feeds in real time. This type of complex attack appeared for the first time in the first half of 2022 but instances of its use continued to soar throughout the rest of the year. These attacks are incredibly challenging to detect for both active and passive verification systems.

Andrew Bud, founder and CEO of iProov said: “In 2020, we warned of the emerging threat of deepfakes being digitally injected into camera feeds to impersonate an individual’s biometric verification process. This report proves that deepfake attacks are now a reality. Even with advanced machine-learning computer vision, systems are struggling to keep up in detecting and triaging these evolving attacks. Any organization that isn’t protecting its system against these threats needs to do so urgently, especially in high-risk identity verification scenarios.”

Motion-based attacks launched en masse all over the world occurred three times a week last year, sending bursts of 100 to 200 verification attempts at a time to try and overwhelm platforms. Attacks targeted different systems at once and were indiscriminate of industry or geography, suggesting no organisation is safe. Motion-based verification systems – which use active motions such as smiling, nodding, and blinking – were frequently targeted, iProov added.

More on proof of identity for financial services onboarding in the March print edition of Professional Security magazine.

Prediction

Daniel Spicer, Chief Security Officer at the workplace IT management software firm Ivanti said: “In 2023 we’ll see a disruption to network supply chain unlike anything we’ve ever seen before. A new tactic that will be added to the warfare arsenal is the sabotage of fibre cable. In 2023 we will see that military operations will focus on the destruction of critical infrastructure, like fibre cable. It has long been a war tactic to target communication lines, but the attacks will be farther reaching and wipe out internet access for entire continents. This will obstruct organisations from doing business and nations from effectively responding to threats.”


© 2024 Professional Security Magazine. All rights reserved.