What are the top concerns for cybersecurity pros in financial services? Look no further than FS-ISAC's 2024 FinCyber Today Canada conference in Toronto, where I had the opportunity to address over 1,000 attendees with one unified goal: protecting financial services from cyberattacks.
Buzzwords always appear as part and parcel of the presentations. A couple of decades ago, it was thin-client computing. Then, the emergence of the cloud bookended all of the other variations. But this year, from the opening keynote to the closing remarks, newer topics emerged, and one subject let it be known it was here to stay: AI.
The thread of AI appeared in numerous sessions and wove its imprint into many of the discussed technologies, threats, and products. The impact of generative AI and the ability to create fraudulent phishing emails, photographs, and voice were top-of-mind concerns, especially for institutions where establishing trust isn't only a legal requirement, but a fundamental building block for a secure transactional environment.
One immutable truth of this conference, and any conference dealing with cybersecurity, is that the tactics rarely change. Deception is deception. Fraud is fraud. Money laundering and terrorist financing are still the same. The bedrock principle of know your customer (KYC) remains valid whether we're talking 200 years ago or two seconds ago. Only the tools have changed.
No matter the conversation held on the stages or in the halls, a major top-of-mind issue revolved around what was coming next. That was the insight attendees were seeking: a digital version of the holy grail.
The modern cyber landscape has evolved from a fairly linear attack surface to one dotted with twists and turns, crevices, rabbit holes, and nasty surprises. The journey creates new and complex problems and stretches the limits of finite resources, budgets, and human capital.
But that isn't the real problem security pros deal with every day.
Only one problem matters: How do our adversaries think about the problem as they continue to innovate and take attacks on banks to new heights?
What happens when attackers go after our daily safety and security needs? How would society react when a series of events prevented them from accessing their bank? Imagine the chaos and anxiety of being unable to withdraw cold, hard cash. Or having an account disappear and a person’s life savings evaporate into the ether. It's not at all out of the realm of possibility.
Rapid technological change and advances in generative AI have given attackers a powerful new weapon. They use it to gain ground in their efforts to access systems from the inside.
While adversaries used to target vulnerable machines to gain access to credentials, they are moving beyond breaking-and-entering. They now use AI to tailor what people consume and execute full human compromises that allow them to walk in like a trusted insider. Disinformation and influence operations have emerged as a new kind of warfare. Turning an employee into an insider has become more within reach than ever.
Financial institutions have evolved over the years to have sophisticated, robust measures that detect and prevent many modern threats. However, insider threats remain a glaring hole that everyone still suffers from.
How can an institution detect when an ideology compromises the integrity of an employee and makes them susceptible, either voluntarily or unwittingly, to a course of action that harms the institution?
Employees who sympathize with a particular cause can choose to act on their beliefs, violate their oaths and non-disclosures, violate the law, and offer information or material to adverse interests.
Consider some of the most egregious traitors in United States history, such as Robert Hansen, Ana Montes, and Aldrich Ames.
Each of these spies had their reasons for betraying the trust placed in them. For Hansen, it's argued it was ego. For Montes, it was purely ideology. For Ames, it was money. Modern-day adversaries also share these motivations.
In the modern world, attackers use deepfakes – voice and video — to destabilize trust and spark similar actions. The financial services industry must understand these tools to protect its systems. Employees require continuous training and education to keep systems secure. But at the end of the day, financial services remains a people business.
Cyberspace has become increasingly dangerous and challenging to defend. The financial services industry knows this well — they are under attack every minute, every hour, and every day. Attackers don't take time off over the holidays or care when security workers take a vacation. Our adversaries are looking for and hoping we'll take our eyes off the ball.
This discussion brings me back to AI. For the financial services industry to thrive and grow, embracing AI isn't a given. It's a must. Attackers, both transnational criminal groups and nation-state actors, will not cease their relentless attacks.
The financial services sector has generally led in cybersecurity innovation, spending, and resources. However, this approach alone will not be sustainable in the future.
AI offers the financial sector a unique opportunity to turn the tables on the hackers. The deliberate application of AI should aim to extract the maximum price from our adversaries by raising the cost of an attack through automated responses. Machine-speed attacks need machine-speed responses.
Nobody said the war in cyberspace has to be a fair fight.
Morgan Wright, chief security advisor, SentinelOne
