June 11, 2020
The COVID-19 crisis has brought an array of cybersecurity challenges forward that may persist as economies are attempting to open up. The latest challenges have accelerated existing trends towards increased sophistication of cyberattacks and increased need for better cybersecurity. $128 billion in annual cybersecurity spending is seeking to mitigate the $6 trillion+ in cyber-related losses expected according to Cybersecurity Ventures. Under COVID, we have seen a dramatic upswing in identity spoofing, phishing, trojan attacks, and other security breaches. Some of the factors that made these possible could continue even as shelter-in-place and social distancing restrictions are beginning to ease.
What are the implications for financial services companies? What are the implications for FinTech entrepreneurs and investors hunting the next unicorn opportunity? In this first installment of our multi-part series, we’ll look at the cyberwar currently underway in the global financial system.
Let’s first examine three major causal mechanisms of vulnerability that are being exploited in the recent spate of cyberattacks:
Remote Work Environments: CISOs in financial services have created robust security infrastructures within their corporate networks. While they have to navigate the not-always-straight line between usability and security with varying levels of usefulness for the end-user, major financial infrastructure employs an array of systems in the office setting to protect against the infiltration of corporate networks. The COVID-19 crisis has upended this carefully architected infrastructure.
In the current situation, many more people are working from home. Perhaps they are using their personal machines, or perhaps they are on work devices, but typically they are interfacing over home Wi-Fi networks. They may or may not have installed mobile VPNs on their smartphones and tablets. They very likely have not secured the array of Internet of Things (IoT) home appliances they have pervading their houses and apartments, a grid of potential points of network infiltration that historically have had weak security. Not to mention the numerous internet-enabled listening devices ranging from smart TVs to so-called smart speakers (such as Amazon Echo and Google Home), representing a new frontier of cyber vulnerability as potential targeted attacks could listen in on executives speaking out loud on video calls or phone calls.
New environments and new work behaviors call for new kinds of protective systems and new approaches to improving worker cyber literacy.
Vulnerable Workforces: Human error or action is typically responsible for more than 60% of cyber breaches. The COVID-19 crisis has seen cybercriminals gleefully exploiting this attack vector with new and rapidly-evolving techniques and systems. With normal work patterns and systems disrupted and people unsettled by the daily headlines related to the pandemic and, more recently, civil unrest, the cognitive burden on the average person is high. Cybercriminals have noticed: phishing attacks are up 600%, according to Barracuda Networks. Social engineering and associated malware are assuming new and maliciously targeted forms, ranging from defrauding the Norwegian State Fund of $10 million of grant money to hacking the World Health Organization with a ransomware attack. Business email compromise and account takeovers are getting fueled by a sophisticated ability to mimic convincing language and formats while engaging with distracted and off-balance recipients. About 33% more ransomware payments were made in 1Q 2020, according to Coveware. As more systems are compromised, we expect to see this number increase in 2Q. More investment is needed both in systems and in training.
E-Commerce: Card-not-present (CNP) transactions are more vulnerable to identity theft and spoofing compared to card swipes or EMV near-field payments. CNP is a favored vector for criminals, with the chance of fraud being 81% more likely than point-of-sale machines, according to Javelin Research. E-commerce transactions have gone up more than 200% over the same period last year thanks to the pandemic, and so has CNP fraud. Arkose Labs claims 26.5% of all transactions in the first three months of 2020 were fraudulent, a double-digit-percentage increase. Card issuer Elan attributes 80% of all banking credit card losses to identity theft, and identity verification becomes more challenging in a CNP environment. Card fraud is getting increasingly automated, with artificial intelligence systems replacing human-staffed cybercrime centers. This means increased losses related to e-commerce payment fraud and an urgent need for increased vigilance and improved systems.
So our march towards digital transformation in financial services has turned into a sprint.
What if the changes to the work environment aren’t temporary? Payments giant Square announced that its team could work from home indefinitely. Other tech giants have announced flexibility through year-end, as have many academic institutions. What pressures might start to arise on major banks from their best and brightest employees, faced with the option of a two-hour commute to the office with physical proximity to large numbers of possibly-infectious people, or a work-from-home option? The war for talent is about to open a new front, and both medical safety and convenience might encourage a longer-term shift to a more distributed workforce. And with it, comes a need to rethink the security architectures of companies fundamentally.
In turn, incumbent financial giants, in the throes of digital transformation and cost rationalization, must notice the savings they could generate from reducing their physical footprints by downsizing office space and closing bank branches. What does cyberinfrastructure look like in this distributed environment?
In our next article, we will examine what the Cyber Future could look like in the post-COVID era. And we will also explore these topics in our webinar on June 10 with Johan Gerber, the EVP of Security & Cyber Innovation of Mastercard, and Andy Jaquith, CISO of QOMPLEX, and former senior JP Morgan and Goldman Sachs executive, moderated by MEDICI’s Amit Goel.
Participate in the short survey on cybersecurity by ESME and MEDICI: