When people think about the threat from artificial intelligence (AI), visions of the robot apocalypse may come to mind. While that scenario may not be realistic, the threat posed by new technologies, such as AI, are very real.
“Generative AI has been around since the 1960s,” notes Jason Harrell, DTCC Managing Director of Operational and Technology Risk. “It’s not new, but now it is much more accessible, has far more capabilities and is easier to use. Any time you have a large population that can use a powerful new tool, security professionals must think about how people may use it for malicious purposes.”
Cybersecurity experts weigh-in on the threat posed by new technologies.
At one end of the spectrum are new AI tools and applications that can help users skip video meetings by logging into the meeting on behalf of the user, answer questions in chat, and generate a summary of the meeting after it ends. At the other end are deepfakes that threat actors could use to create communications impersonating senior people to trick employees.
Related: Why AI is a double-edged sword
“Say you post pictures of your wife and kids at the company party,” says Ron Green, Fellow at Mastercard. “Generative AI could scrape social media and find that, then generate a fake email from the boss saying, ‘nice to see you and your kids at the party last week,’ along with a number to call, answered by a voice that sounds like the boss. This is classic social engineering, made far more powerful by AI.”
And we are already seeing cyber criminals use AI to great effect. A Hong Kong-based employee of a multinational company was recently duped into transferring the equivalent of US$25 million to fraudsters by AI-generated deepfakes after being invited to a video conference call in which he saw and interacted with what he though was the CFO and other actual colleagues, according to local police.
Only after transferring the money did the clerk learn the “people” he saw on the video call were not real.
“This shows the challenges AI poses for security teams in training employees to be even more vigilant,” says Harrell.
That said, for all the hype around AI, most of the cyber threats we’ll see in 2024 may well be the same one’s security professionals have managed in the past – but turbocharged by new technology.
“People are using the same old tactics, they’re just using them a lot more effectively thanks to better technology,” notes Green. “New technology such as AI is a threat multiplier.”
Attack of the Data-nappers
Ransomware attacks have grown exponentially in recent years and remain one of cyber security teams’ top concerns. From only about 2% of all breaches in 2017, ransomware attacks climbed to account for 10% of all breaches in 2021 – and to over 24% in 2023, according to the Verizon 2023 Data Breach Investigations Report.
“We’re most concerned about ransomware,” says Thomas Wagner, Managing Director of Financial Services Operations with the Securities Industry and Financial Markets Association (SIFMA).
Even worse, while the data-nappers may have the skills to hack into and freeze access to data, they may not be proficient enough to restore it – at least not in a format that allows you to quickly resume operations.
“Even if you pay the criminals, they often cannot restore the data,” adds Wagner.
Not only are ransomware attacks becoming more common, but they are also becoming more effective; bad actors can now offer the equivalent of software as a service (SaaS).
“We have seen the emergence of ‘Ransomware as a Service’,” says Barth Bailey, Senior Vice President and Chief Information Security Officer for Fulton Bank. “This has in turn fueled the commoditization and commercialization of ransomware through a sophisticated business-like operating model. Most notably this includes cloud-based Ransomware as a Service offerings.”
This means the cyber criminals don’t need to have the software expertise to write ransomware code themselves, they can just rent the ransomware from someone that does have the expertise. “The Ransomware as a Service model enables a continuous improvement type of software development cycle resulting in ongoing enhancements and improvements,” says Bailey. “Therefore, I believe we can expect ransomware attacks to evolve in sophistication and effectiveness for the foreseeable future.”
Related: Find out where “cyber” ranked in our 2024 Systemic Risk Barometer
Zeroing in on Third-Party Vulnerabilities
Another challenge is that threat actors are going after softer targets. Instead of hitting a large financial institution, they target small players who may not have the level of security the big players have.
“The threat actors know third parties may not have the same security resources,” notes Bailey. “That’s why effective third-party vendor risk management is so important.”
SIFMA’s Wagner agrees ransomware remains a major threat, and that third-party vendors represent a particular vulnerability.
“Critical third parties are the ones we think about most,” says Wagner. “An attack on one of your important service providers can impact you more than you’d think. In one case, a financial institution experienced a liquidity concern because a third-party had been hacked and could not settle trades.”
Wagner notes that while in some cases small players may be more vulnerable because they do not have the resources to put in place the same level of security as a large institution, in other cases their efforts were simply not as thorough as they should have been.
“Some of the third parties that have been targeted were just not prepared,” notes Wagner. “One firm did not install patches quickly enough, another did not adequately back up data, and some had not conducted drills to proactively identify weaknesses.”
And, with today’s increasingly complex supply chains and networks of service providers, it may not always be your own third-party vendors who pose a risk: Your third-party vendor’s own suppliers could also put your organization at risk.
“We’re looking at our entire extended supply chain to better understand where risk may come from,” adds DTCC’s Harrell. “It goes beyond third parties. One of the approaches we are taking is to have in-depth conversations with our vendors to understand their security postures, and to put specific risk management steps into our contractual agreements with them.”
Five tips for cyber resilience infographic
Collaboration is Key
The key to solving many emerging threats in 2024 is collaboration and practice. Working closely with third-party service providers can help them bolster their security to better protect you. Teaming up with government agencies is another force multiplier.
“We’ve all benefited greatly from the intelligence government agencies provide,” says Bailey. “But it’s most powerful when industry and government collaborate to share information.”
Working together as an industry, partnering with government agencies and regularly practicing incident management can bolster security by building the muscle memory to respond more quickly and effectively.
“We need to have the same view of the market,” adds Harrell. “It’s more than just our own response, it’s how individual responses fit into the industry response to ensure everyone can get back up and running with minimal disruption.”