Cybersecurity and the financial services sector – trends in 2019

Greg Day, VP and CSO, EMEA, Palo Alto Networks

Legislation bites back – In 2018 GDPR went live and it seemed many people expected headlines of major companies being hit by big fines straight away. Yet the reality is that it takes time for any new legislation to be tested. Indeed, some countries have made their own tweaks to GDPR so that organisations are given a first chance to resolve any non-compliance issues without penalties. Despite this, I predict in 2019 we will start to see penalties applied, and headlines generated, that will make those executives who haven’t taken the regulation seriously enough finally take note.

At the same time, the NIS directive is behind schedule in terms of some countries adopting it and turning it into national legislation. The EU cybersecurity act is also under discussion, and many businesses are looking to understand how the USA Cloud Act will impact them.

So, the regulatory tide isn’t receding but rising.

FinTech opens up new risks – Fintech cybersecurity is a growing space that we can expect to be tested as new regulations come into force. PSD2 is opening up the banking space, while some parts of the implementation are still ongoing. Specifically of concern in 2019 will be Third Party Provider (TPP) access rules which aim to enable access through APIs for third parties to provide their own services (such as payments) directly on your bank account. As you can imagine there is much debate on just what and how access should be granted. Linked to this is also the new Strong Customer Authentication (SCA) for eCommerce payments. Like any new capabilities that involve complex processes and a very broad supply chain, it’s only human to expect mistakes along the way. As such, expect adversaries to be testing TPP and SCA to find new methods of financial fraud in 2019.

In terms of PSD2, the challenge for cybersecurity and business leaders within banks is how to leverage the decades of experience traditional financial organisations have in digital payment processing and apply it across a much broader and more complex supply chain.

AI on AI battles start – Whilst banking cybersecurity experts look for new ways to spot adversaries using machine learning techniques, and leverage AI to analyse the mass of threat indicators gathered, the adversary is likely looking to subvert machine learning and AI. Adversaries will be trying to find ways to trick AI solutions and uncover the cracks to sneak through. We can also be sure threat adversaries are also looking to leverage the AI for their own purposes. Increasingly, cybersecurity will be a machine on machine fight with humans alongside to deliver oversight and judgement.

Ransomware goes for low volume, high value hits – despite rise in illicit cryptoming, we will also see more targeted ransomware with target organizations being held to ransom for much larger sums because their entire infrastructure is locked, preventing business operations. Victims having critical infrastructure, or vital responsibilities to customers have a need to immediately restore order, making paying the ransom all the more appealing.

These breaches occur through weak credentials, poor password policies, lack of multi-factor authentication, unnecessary exposure of systems and services to the internet or unpatched vulnerabilities. Addressing some of these very basic cyber hygiene factors would significantly strengthen an organization’s defences.

Crypto currency and crypto mining trends in 2019

Business email compromise (BEC) can lead to many cyber incidents, including crypto currency theft where we have greater trust in the credentials behind the communication. Tools such as DMARK can help and I see no reason not to use it, but it won’t stop use of genuine credentials in cloud services such as email. What can help is the right implementation of Two Factor Authentication (2FA) in business processes.

Businesses have typically enabled their firewalls to stop adversaries getting in, yet adversaries are using compromised computer power be that on premise or in the cloud. What does this mean? Well most focus is on inbound firewall rules, and businesses typically don’t have any or many outbound rules. Looking at your outbound rules can stop crypto miners functioning on your systems.