2018 was not a happy year from a security standpoint. One estimate suggests losses from cyber attacks topped US$ 1.6 trillion in 2018, and will rise astronomically to US$ 6 trillion by 2021.[1] Meanwhile, what’s in store for banking cyber security in 2019?
Coming on the heels of a milestone year for data privacy regulation – both MiFID II and GDPR took effect in 2018 – we expect compliance to be top of mind at banks worldwide. GDPR, billed as the most important development in data privacy protection in two decades, will change the global privacy landscape. It will force banks to evolve their security controls and exercise appropriate controls depending on the vulnerability or value of information. Revelations such as a prolonged attack on the Marriott hotel chain, which saw the personal information of more than 500 million guests compromised, only underscore the need for such defenses in 2019.
Data privacy aside, banks will also focus on protecting themselves against malware. The year 2017 saw a surge of large-scale ransomware attacks globally; in 2018, however, these turned out to be milder, and we expect 2019 to maintain this trend.
But new threats will arise due to extensive use of digital technologies – particularly Artificial Intelligence and Machine Learning – in cyber attacks. As enterprises switch to these technologies, so will hackers. AI-related attacks will include exploitation of AI solutions such as chatbots to influence behavior. An example is the 2016 attack on Microsoft’s chatbot Tay, which was manipulated by trolls to post offensive tweets on its Twitter account. Banks will need to be watchful of hackers seeking to poison their applications with malicious bias, such as influencing an AI agent to recommend the wrong type of loan or investment product to customers with the intention of damaging a bank’s reputation. News about threats of biometric hacking tools has already started trickling in.
Cryptocurrencies will be yet another area to come under increasing attack. Some months ago, hackers compromised five cryptocurrencies. They used massive computing power to manipulate transactions and decamped with huge sums of money. The threat of a “51%” attack, where miners acting in concert acquire 51% of a network’s hashing power that they exploit to prevent transactions, create double spending and do other mischievous things, is becoming very real.[2]
We expect hackers to up their game further with next-generation techniques, such as probabilistic modeling, to find ways to exploit vulnerabilities that the traditional deterministic techniques fail to identify. Another key development would be comprehensive governance and security mechanisms for open APIs to prevent malicious use of free movement of data.
How will banks counter these threats in 2019?
Large banks, in particular, are evaluating the ability of their security defense tools to withstand AI-based attacks, and are also tightening control over applications. We also expect an uptake of cloud-based security solutions that allow security teams to switch security technologies on demand. For their part, technology vendors would secure their product development lifecycles, besides upholding security best practices.
Security skills will remain in short supply amidst rapidly growing demand. Research by ISACA reveals that one in four enterprises has critical security positions open for more than six months on average.[3]
We are also observing a trend of organizations developing deep cyber security courseware to train their existing staff.
Investment is on the cards to safeguard banks against “zero-day attacks”, that is, attacks that exploit unknown security vulnerabilities in software. Banks will have to spend big on tools to beat these and other Advanced Persistent Threats in 2019 using a combination of technologies in threat intelligence, data leak prevention, user behavior analytics, access management and cloud security.
“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” – Stephane Nappo, Global Head, Information Security, Société Générale International Banking.