The impact of cybercrime will undoubtedly grow in the coming years. Cybersecurity Ventures statistics reveal that such crimes will cost the world six billion dollars annually by 2021, compared to three billion dollars in 2015. It also highlights the need for greater innovation and investment in this area, which allows counteracting cybercriminal tactics, especially in view of next year, in which new and more sophisticated threats are expected.
In the last year cyber attacks have increased significantly in size and sophistication. New technologies and mobile devices within organizations are the perfect target of cybercriminals. The increase in threats and the innovative strategies in the attack methods employed by hackers can endanger not only information but the security of people, so cybersecurity is crucial to face the new digital era.
Intelligence and technology will be the main weapon in new “cold wars” between the powers of the East and the West, such as the current commercial war between the United States and China. Cyber attacks will also be used in direct and indirect conflicts between small countries, funded and enabled by large nations that seek to consolidate and extend their spheres of influence.
In 2019, Ransomware exploits became highly selective against specific companies, as well as against local government and health care organizations. The attackers spend time collecting information about their victims to ensure that they can cause maximum disruption and rescues were expanded accordingly. This tactic is so harmful that the FBI has softened its stance on the payment of bailouts, they now acknowledges that, in some cases, companies can evaluate options to protect their shareholders, employees and customers.
While email is still the main attack vector, cybercriminals are also using other channels, including SMS text messages or the use of messages on social networks and gaming platforms. The first half of 2019 saw a 50% increase in mobile banking malware attacks compared to 2018. This malicious software can steal payment data, credentials and money from victims’ bank accounts. In 2020, phishing attacks will become more sophisticated and effective.
According to Kaspersky experts, during the next year there will be a resurgence of attacks such as targeted ransomware and those focused on supply chains, as they have proven to be very lucrative and have a greater impact on the attackers. In addition, the social situation that exists in several countries of the world will boost the use of social networks for the manipulation of public opinion and misinformation, something that has already been seen in recent months.
The company expects infections to exist via attacks on supply chains. It is likely that companies engaged in the production of mass software will become targets of such attacks. The level of maturity in cybersecurity of many of these companies, for example, those that produce accounting software, is quite low. However, the penetration of the software produced by these companies in the market is usually important, which for attackers would represent a high-impact attack with minimal investment.
Also, “worm-type” attacks may be exploited, taking advantage of vulnerabilities in Windows 7 since technical support for this system ended on January 14 of this year and, according to Kaspersky data, about 30% of users in the region still use it on a daily basis. Cybercriminals will take advantage of the security holes without patches of this OS to attack users, just as it happened with Windows XP.
Scams designed to raise funds are planned through phishing aimed at users of buying and selling sites, as well as cryptocurrency exchange. Dissatisfied with just attacking financial services clients, cybercriminals now seek to commit banks themselves or any institution or organization that offers this type of services, such as correspondents or transaction hubs, as recently observed in Brazil, Mexico and Chile. These types of attacks will continue, carried out both by local cybercriminal groups and by international groups, such as Lazarus and Silence, which will increase their presence.
Next year, instead of demanding money for deciphering the information, there will be an increase in extortion campaigns where the victim will be forced to pay a ransom so that their information is not filtered into the public domain. This will be particularly problematic for hospitals, law firms and accountants, and any type of entity that handles third party information subject to regulations. Additionally, certain cybercriminal groups will choose high-profile objectives where the impact of the attack and media can compromise the operation and reputation of the affected organizations.
There will be an expansion of blackmail attacks aimed at companies and large corporations, due to the adoption of new legislation to criminalize data leakage incidents. These laws, inspired by the European GDPR, are being adopted in the world, with the purpose of applying harsh penalties to companies that leave personal data exposed. As a result, criminals, when invading a corporate infrastructure and consequently stealing data, will launch attacks to blackmail victim companies, which will have to choose between paying the penalty imposed by law or paying the criminal, causing direct losses to corporations.
Compliance issues
A recent Kaspersky report reveals that two-thirds (67%) of industrial companies do not report cybersecurity incidents to regulators. Although compliance is a necessity for modern industrial organizations and an engine for investment, there are many factors that influence the way in which companies comply with the standards.
In a world in which cybercriminals use sophisticated attacks to penetrate industrial companies, strong cybersecurity policies and regulatory compliance have never been as important as now, as countries gradually begin to adopt regulations and laws such as the case in Europe with the General Data Protection Regulation (GDPR), for example.
However, Kaspersky’s report on the state of industrial cybersecurity in 2019 reveals that many companies are breaking the guidelines on reporting, possibly to avoid penalties and public disclosure that could harm their reputation. In fact, the respondents stated that more than half (52%) of the incidents entailed a violation of the regulatory requirements, while 63% of them consider that the loss of trust of the clients in case of infraction is one of the main concerns.
Concern for cyber risk grows
Technology is drastically transforming the global business environment, generating a wider range of interconnected and constantly changing risks, such as cyber risk. The Cyber Risk Perception Survey 2019 published by Marsh and Microsoft gathered the responses of more than 1,500 companies globally, about their vision of cyber risk.
According to the survey, in Argentina, 64% of organizations classify cyber risk as one of their five main concerns, compared to 50% registered in 2017. Meanwhile, one in ten organizations consider it their number one risk.
Likewise, the level of confidence in their ability to face cyber risk increased to 75%, of which 54% of them feel confident and 21% are very confident. However, 26% of companies in the country totally distrust their ability to respond to a cyber event.
Regarding the areas responsible for managing cyber risk within an organization, 77% of respondents identified the Technology / Information Security area as the main responsible, followed by the Board of Directors (57%) and the Risks Management (32%). More than 40% of senior executives and members of the Board of Directors mentioned that they spent a few days in the last year focusing on the issue, while 45% spent only a few hours or less.
At the same time, organizations continue to adopt new technologies, but are not sure of the risks they entail. 79% of respondents said they are adopting or considering adopting new technologies such as the cloud computing, robotics or artificial intelligence. 69% say they assess cyber risk both before and after adoption and 13% do not evaluate the risk at all.
One in three organizations surveyed quantifies the economic impact of cyber risk, one in four companies surveyed evaluates it after an attack. This may be due to the lack of experience in the organization regarding these methodologies, the lack of resources (time and money), or the fact that many companies continue to consider cyber threats as a technological problem rather than as a strategic risk.
On the other hand, the survey mentions that 56% of cyber risk investment for the next three years will be focused on technology and mitigation, but not on all the elements that create resilience to this growing and changing risk.
Edson Villar, regional leader for Latin America in Marsh Cyber Risk Consulting, mentioned: “Companies are becoming increasingly aware of this problem, but they are not yet prioritizing their resources in creating true resilience, that is, in identifying, quantifying, mitigate, transfer and plan their response in case of an incident.” According to the survey, 70% of the organizations consulted mention that one of the main triggers for the increase in cybersecurity investment is cyber attacks.
Threats on the web affect the industry
Over the years, large companies have become the target of cyber attacks. Technological advances have shown that they are increasingly vulnerable and leave their information exposed and defenseless. Cybersecurity strives to protect the data stored in computer systems and thus prevent unauthorized entry.
“All companies are investing in technology. We are in a cybersecurity boom due to digitalization in the world. Today everything is ‘smart’. This is found in various sectors such as agriculture (there is robotics for planting and environmental control, for example), mining, retail and commerce, which has been going on for several years, among others,” said José Carlos Vargas Medina, vice president at Isaca Lima Chapter and Chief Technological Risk at Falabella Bank.
Currently, the financial and gaming sectors are undergoing major transformations, caused by constant technological innovations. That is why they migrate to web-based business models and the mobile ecosystem, to improve the customer experience. The incorporation of new applications such as Big Data, Google Analytics, Artificial Intelligence (AI), Blockchain and the conduct of online banking operations, even from mobile devices, have generated great benefits for institutions and customers.
However, this represents a threat to sensitive documents of users and financial institutions, and a new challenge in terms of computer security. These sectors have become the perfect target for hackers, due to the large amount of customer data and financial assets that they can use to their advantage.
Vargas Medina said that it is no longer a technological issue, but a concept linked to the value offer that the company has with its customers. “Now the company’s concern is not in operations or day to day, but in customer satisfaction. What is happening today is that the client has evolved throughout the world. Naturally, it has a cybersecurity requirement, without mentioning it directly,” he said.
In that line, he explained that now we talk about ensuring the company’s growth and profitability, because technology has to provide that. “Nobody does business with someone who is not reliable. That is the basic rule,” he emphasized.
