Discussing the cyber threat landscape with IBM X-Force
As part of our recent FinTech Magazine Show live on LinkedIn, we spoke with IBM X-Force's Head of Security, John Dwyer.
Amid a cost-of-living crisis, concerns abound that some businesses will have to scale back on the amount of cyber insurance they take out – leaving them with insufficient coverage, or potentially vulnerable to attack. Following the release of its Threat Intelligence Index 2023, Dwyer explains the motives of cyber criminals and tells us how we can make sure our cybersecurity setups are as good as they can possibly be.
Could you talk to us about what IBM X-Force is?
X-Force is IBM Security's elite team of hackers, incident responders, and threat intelligence analysts. We help clients across the globe prepare for and respond to cybersecurity incidents. Even more importantly, we help organisations identify weaknesses in their security posture and then help them address them so they don't even have an incident in the future.
IBM X-Force recently released its Threat Intelligence Index 2023. What are the primary contributing factors to the threat landscape for finance and insurance organisations?
If you look at the data, it's so interesting to pull the narrative out of what is happening in the world. The number one thing that's popping out to us is that backdoor attacks were the number one action taken by attackers globally, and in the finance and insurance industries. But of all of those backdoor attacks, 70% of them were failed ransomware attempts. Additionally, we saw a shift from phishing syndicates moving away from the data that they were targeting. Classically, they had been targeting credit card information or banking information, and now they've shifted into crime to grab things like credentials or Personally Identifiable Information (PII) – information about people such as email addresses, names, addresses and such.
What can we glean from that behavioural shift in cybersecurity?
First of all, the good news is that, if you look at all the incidents that came in from our clients, for the first time since the boom of ransomware clients are starting to call us when the back door of the ransomware attack is happening. They're detecting and responding to that back door. So efforts and investments into detection and response have had a marked result. We have seen an actual shift in the data to show that this has improved, which is great news. That's not to say that ransomware has gone away; it's still the number two action [in our report], but it is a shift. We need to continue on that momentum so it doesn't take back over because, as soon as these criminals' bottom line is impacted, they are going to adjust.
The second part of that is that, from the shift from credit card data to PII, we can see that extortion-based attacks are driving the whole global economy of cyber crime. Every ancillary area of cyber crime is now driving efforts into keeping that machine going.
Are there common weaknesses within finance and insurance organisations, or things that we can tighten up?
If you look at ransomware attacks, it's not something that is actually pervasive across just finance and insurance. This is a global problem. Actually, we published a paper called Understanding the Adversary: How Ransomware Attacks Happen. If you look at how these ransomware actually carry out, what these criminals did is they came up with one attack path that essentially worked on the majority of organisations on the planet and they carried out this attack and the whole world burned to the ground because they capitalised on problems that have persisted through organisations regardless of the business vertical that have existed for 10 and 20 years. Those are the things like overextension of privileges, overextension of access, things where admins have too much access. They were able to build upon that to take advantage of those very permissive security architectures to come up with one attack path that was applicable to a bunch of different organisations.
Obviously, businesses and consumers are both feeling the squeeze from cost of living pressures at the moment. Have you seen any evidence of businesses deprioritising or downgrading cyber insurance cover?
We've definitely seen more concern with spending. That's something that we have seen. I think an important message that everyone should take is that cyber insurance is not a replacement for proactive cybersecurity strategy. They both have their place. Your cybersecurity strategy is one thing and cyber insurance should be considered a backstop and something that you should definitely invest in, but keep those separate. What we should be concerned with is that the investment into cybersecurity as a whole has dropped because of the economic downturn. It's a slippery slope, right?
We released something called the Cost of a Data Breach report every year. The cost of an incident is very significant and that is increasing year over year. So, if we see organisations reducing their investment into cybersecurity, what we could be doing is just ending up with a massive amount of financial impact down the road by trying to navigate these times. I do understand the tightness that organisations are going through, but we have to keep in mind that cybersecurity is here to stay. It's the cost of doing business. If you don't invest in that, it's going to cost you literally.
Manufacturing was the most targeted industry last year for the second year in a row. Can you tell us about the factors that have made manufacturing a prime target over the last few years?
This is a symptom of the global threat landscape. Globally, cyber attacks have shifted towards extortion-based attacks. Something about cyber criminals is that, through extortion attacks, they are always going to find the path that causes the most pressure. Pressure means payment at the end of the day. Over the pandemic, there were a lot of lessons that we learned about manufacturing as an industry; when manufacturing is impacted, whether it be through a global pandemic or a cyber attack, there are real world consequences. Supply chains and economic things, where you're actually moving dollars and cents throughout the world, can be impacted by something like manufacturing. They're in a really unique position where criminals are also observing that as well, and they know that they are focusing on manufacturing industries because they are able to apply an industry that is already under a huge amount of pressure with even more pressure through an extortion-based attack. They're able to do things like demand higher payments because they know that these industries are already under the gun, so to speak.
And even though finance has fallen into second place, fintechs and financial institutions still need to be vigilant.
Finance has been the number one targeted industry from 2015 to 2020. It's not like they have been ignored. It's something that will always be there. Water is always gonna find the lowest point in a floor; criminals are always going to find the path to payment. Finance and insurance have a lot of very crucial data and they have money, so there is always going to be a path to payment at the end of the day. You can't rest on your laurels from being number two. It's still very much important [to remain vigilant] because at any time if, globally, the criminals start to realise that one organisation has a least path of resistance to payment, they are going to shift and they're going to adapt. We've seen how quickly it changes. The pandemic happened and within one year, manufacturing took over and we shifted to these new types of attack. That's how quick it can be. We have to consider that it can shift just like that, and we need to be prepared for it. We need to constantly think that we're number one, because at any moment you could be.
What would be your main core message to our readers about cybersecurity within their own business?
I think the main message is that there's no single out-of-the-box solution to cybersecurity. You can't walk into a store and say 'I'll take one security please'. That's just not the way it is. It is a continuous and lifelong journey and one that we must continually evolve and mature with the threat landscape. My best piece of advice with cybersecurity would be to invest in the people, processes and technology that are going to reduce the amount of risk that you have. And then test them. Make sure you're testing them, test them often, and make sure you address those gaps that you find through that testing.