Tuesday 5 November 2024
 
»
 
»
ANALYSIS

Cyber security... how will the new threats evolve?

Hacktivism, Western cyber key threats for Mena

RIYADH, December 11, 2014

If 2014 was the “year of the breach,” then what future cyber security threats await us?  What’s the next mode of attack, and how much worse will it be?  Booz Allen Hamilton, a leading provider of management consulting, technology, and engineering services, examines the top cyber trends for 2015 impacting financial services in Mena.

Today, cyber security is a priority issue for every stakeholder in the financial services industry – investor, consumer, regulatory, employees – all the way up to boards of directors.  That makes the “tomorrow” question – how will the threat evolve? – all the more important. In the aftermath of the Arab Spring, the provision of strong and secure financial services for businesses and consumers is necessary to the nurture of political and social security to Middle East residents.

A solid financial services industry is one of the keys to attracting foreign direct investment to the region, but also to supporting the region’s pockets of new-found confidence and economic growth. That industry is under significant cyber threat, however, according to trends reported by Booz Allen Hamilton.

To help financial services companies better anticipate future threats and identify new approaches to cyber security, Booz Allen, as it does annually, has assembled its list of likely Cyber Trends for 2015 and beyond.  The list is based on conversations with CISOs, CIOs, CPOs chief risk officers, and other leaders in the financial services sector, as well as Booz Allen’s own extensive analysis of cutting-edge cyber issues and threats.

Among the top global trends for the Middle East are the spread of hacktivism to the region and the impact of ‘Western’ cyber problems on developing nations in the region whose economic prosperity and lightning fast adoption of new technologies are exposing them to threat.

“The Middle East region has been the target of the most sophisticated cyber attacks and espionage campaigns. Cyber risks are becoming more worrying than traditional risks and public and private organizations are looking for an effective way to deal with any future cyber threats as they become more frequent and diverse,” said Lutfi Zakhour, a vice president with Booz Allen who leads the firm’s work in the financial services sector across the Mena region.

“Cyber threat is evolving into one of the most serious economic and national security challenges we face as a region, and in order to get ahead of these threats and manage them we need the right balance of technology and highly skilled analysts with intelligence tradecraft and data analytics skills.”

Booz Allen senior vice president Mahir Nayfeh, who oversees the firm’s Technology and Analytics team in the region, observed: “In a rapidly interconnected cyber world, the security of financial institutions is only as strong as its weakest link; therefore, a cohesive convergence of governments and the private sector is required in order to tackle the cyber crime challenge. The nature of attacks will evolve in terms of complexity and potential scalability placing predictive threat intelligence solutions and services at the center of security operations.”

The top financial services cyber security trends for 2015:

•    Hacktivism spreads to the Middle East.  Long directed at US and European-based multinationals, hacktivism will become a major threat to financial services institutions in the Middle East.  Regional threat actors have adopted local grievances and formed around hacktivist collectives similar to or associated with Anonymous.  The proliferation of cyber tools and hacking knowledge is giving independent hacker and loosely connected groups an opportunity to participate in cyber-attacks against the region’s financial sector.  Some popular targets are already emerging, like the Saudi Stock Exchange (Tadawul) that was targeted in early August 2014 by regional hacktivists, Izzah Hackers and AnonArabOps.

•    “Western” cyber problems are coming to a developing nation near you. Economic prosperity and light-speed growth in mobile banking in some countries have bypassed regional and local financial organizations’ ability to manage threats.  As a result, phishing, ATM skimming and banking malware are no longer the sole concern of “Western” or multi-national financial firms.  Industry research shows that the Gulf Cooperation Council (GCC) region experiences ongoing threats, including widespread banking malware in the UAE and a significant amount of phishing attacks in Saudi Arabia.

•    Third-party risk moves to the top of the list.   Like other sectors, the financial services industry is a huge mesh of intertwined capabilities.   Companies are already aware of the potential cyber risks associated with partners, vendors and other third parties and are feeling more pressure from international regulators to better manage this risk.

As illustrated by numerous breaches this year, the security posture of critical third parties can have a profound impact on financial services firms. In 2015, there will be a shift towards active cyber risk mitigation and monitoring with third parties versus the current “self-certification” process that is proving less reliable.  Third-party relationships will no longer be an afterthought and security will be built in by design into any product, service, solution or software capability provided by a third party – and subject to frequent testing and updates.

•    The rise of the “fusion center.”  Financial services institutions have increasingly sought a holistic, integrated approach to cyber security, yet it has often proven elusive.  Now, firms are building cyber “fusion centers” that better integrate the many different teams – fraud, cyber, IT, physical security, product development – to boost intelligence, speed response, reduce costs and leverage scarce talent.  The result: more efficient and faster threat awareness and mitigation.

•    Information protected at the database and data element level.  It is the most important question: how does a firm protect its most valuable, sensitive and regulated data and where is it located?  In 2015, the discussion will move away from “building bigger walls” to a “defence in depth” risk-based approach around high-risk and high-value repositories that limits the value of raw data (for example, debit card PINs). The use of tokenization, chip cards and other solutions will increasingly render stolen data useless to hackers.

•    Rise in alternative payment systems creates exposure.   As companies continue to roll out – and consumers embrace – new electronic, wireless payment systems, hackers are presented with more targets.  In particular, use of underlying technologies like Bluetooth or NFC (near-field communications) creates opportunities for cyber attacks and breaches.  Simple “bench testing” of new systems will not suffice: companies must adopt a holistic approach that assumes a breach will happen and protects the data.

•    Cyber crime analysis evolves away from brute force to big data.  Traditionally a labour intensive, second-by-second process, cyber crime analysis will increasingly move towards more of a big data approach.  The use of powerful, real-time analytics across multiple data sets – both structured and unstructured – will vastly improve the quality and speed of real-time cyber threat analysis while greatly reducing overall cost.

•    Wargaming drives incident response preparation.  Looking ahead, financial services firms will borrow from the military to adopt better approaches to preparation and simulation training.  In particular, the use of wargaming – as opposed to more rudimentary testing – will help firms better understand – and prepare for – those seeking to attack their cyber defences.

•    Everything firms know about privacy has changed.  The next generation of privacy is focused on the halo of information around individuals – the transactional, behavioural and navigation information generated as individuals move and interact through the online and physical world.  This information is not currently regulated, yet consumers expect a high level of protection.  Companies that manage this well will create a competitive advantage through customer loyalty and insight.  

•    Cyber insurance usage grows while coverage and ability to successfully make claims shrinks.  The NIST Cyber Security Framework, financial statement reporting requirements and D&O insurance risk have created a new perfect storm of potential liability.  The insurance industry, where premiums are projected to grow to more than $2 billion, is in a race to actuarially quantify new cyber risks and to carve out coverage of large, uncertain future risks.  Insurance companies – increasingly litigating with policy holders over coverage – are insuring not only future financial loss, but also brand, reputation and goodwill.  – TradeArabia News Service




Tags: Booz Allen | Cyber threat | Hacktivism |

More Analysis, Interviews, Opinions Stories

calendarCalendar of Events

Ads