Cyber attacks are not only growing more common, they’re getting more complex. And it's only going to get worse for financial services firms, which experts say are a top target for cyber criminals.
“Unfortunately the landscape of cyber risk is deteriorating, it’s worsening. This year, 2015 was a tough year, 2016 stands to be an even tougher year,” Matthew Chung, chief information officer of technology and information risk at Morgan Stanley, told attendees of SIFMA’s annual conference on Tuesday.
In 2014, the security breaches at companies like Home Depot and Target were generally about gaining account information, credit card information and financials. The big attacks this year—the Office of Personnel Management, Anthem, the Internal Revenue Service—had a much different objective: personal identifying information, said Melody Hildebrandt, director of cybersecurity at Palantir Technologies.
“To me, that’s a far more pervious threat, far more valuable and I don’t think we’ve seen the other shoe drop on what’s going to be leveraged from that data,” Hildebrandt said.
Because there’s now a vast amount of personal information in the wild, expect identity theft in 2016 to be considerably worse, she said. Already last year, there were a lot of issues with the IRS and with some of the tax preparation software providers who thought they were hacked. “I think it’s going to be a crazy tax season this year based upon all the breaches we’ve seen over the past year,” Hildebrandt said.
In addition to increased identity theft issues, Chung says he expects ransom schemes to increase. Already, cyber criminals are using ransomware, such as CryptoLocker, where a program gets into a system, looks for sensitive files and encrypts them. They remain encrypted until the firm or company pays a ransom to unlock the files.
“We’ll see an increase in those types of activities,” Chung said, adding that this type of scheme goes hand-in-hand with criminals who infect a machine, steal sensitive data and then threaten to make it public.
Malicious insiders—people inside the organization with valid credentials who are looking to do harm—will continue to be a threat for firms, Chung added. This type of risk is hard to mitigate, and Chung noted that it requires firms to better understand behavioral norms and look for outliers in data streams. Solutions for this type of crime are only in the early stages, he said.
Expect to also see an increase in the use of destructive malware, which can be programmed to overwrite all the data stored on the hard drives of computers and prevent them from booting up. Chung said that while the financial services sector hasn’t experienced this type of attack yet, he expects one in 2016.
“When we see the digital attack that results in physical impact on an organization, where whole swaths of their network are destroyed and they’re not able to go to work … the impact is tremendous,” said Shawn Henry, president and chief security officer of CrowdStrike Services.
The capability of hackers to implement this type of attack is already out there, Henry said, adding they can either buy or lease it or develop it relatively quickly.
The common theme in all of the attacks implemented so far is that the hackers were taking advantage of “embarrassingly trivial security flaws at these organizations,” Hildebrandt said. While many firms could not withstand an attack by the Chinese government, that’s not the level of sophistication seen in these attacks.
“One organization was running on a Windows XP service package that had been end-of-lifed by Microsoft 10 years ago,” Hildebrandt said. “It’s well known if you plug one of these machines into the Internet, it will be compromised within four minutes.”
A lot of hacks were failures of basic hygiene, and organizations need to think about shrinking risk surface, she added. It’s no longer just about preventing and mitigating cyber risk—it’s about managing it.
“It’s critically important for organizations to recognize and understand that the government does not have the capability, the capacity or the authority right now in today’s infrastructure to stop the attacks,” Henry said.
Firms need to move from just implementing pure preventive measures to installing detection and response protocols. “We’re not going to solve the problem,” Henry said. “This is a long-term problem with no short-term solution. This is something we’ll have to manage indefinitely.”