New data affirms too many companies are not taking cybersecurity seriously
Cybersecurity concerns become more acute with each passing year, but is the corporate world taking the threat seriously?
The newly published Deloitte Center for Controllership study found roughly half (48.8%) of the 1,100 C-suite and other executives interviewed for the data research expected the quantity and depth of cyber events targeting their organizations’ accounting and financial data to increase in the year ahead, but only 20.3% of those polled said their organizations’ accounting and finance teams were working closely and consistently with their peers in cybersecurity.
During the past 12 months, 34.5% of polled executives reported their organizations’ accounting and financial data were targeted by cyber adversaries. Within that group, 22% experienced at least one such cyber event and 12.5% experienced more than one.
Looking to the year ahead, 39.5% of respondents expected to increase the amount of collaboration between their finance and cyber teams. Currently, 42.7% of polled executives said their organizations’ finance and cyber teams only work together as needed with inconsistent closeness and consistency, while 11.1% said that no such cooperation exists in their organizations.
“Accounting and financial data is the lifeblood of organizational operations – and often meant to be kept confidential outside of highly regulated public disclosures for publicly traded organizations,” said Temano Shurland, a Deloitte Risk & Financial Advisory principal in finance transformation. “While there may not have been much need for accounting, finance and cyber teams to work closely in the past, recent years have shown that’s no longer the case. We strongly recommend that these teams try to ‘learn each other’s languages’ and tighten their working relationships across silos.”
Elsewhere in the financial services world, the Cyber Bank Heists report published by Contrast Security found 60% of major financial institutions were victimized by destructive attacks. The study found 64% of these institutions experienced an increase in application attacks, while 50% experienced attacks against their APIs.
Of the institutions that were targeted, 48% experienced an increase in wire transfer fraud and 50% have detected campaigns to steal nonpublic market information. More than half (54%) of the financial institutions were most concerned with the cyber threat posed by Russia, while 72% planned to invest more in application security in 2023. Contrast Security, a code security platform company headquartered in Los Altos, California, culled its data from global Tier 1 financial institutions (those with a minimum of $200 billion in assets) and Tier 2 financial institutions (those with between $5 billion and over $10 billion in assets).
“The financial sector needs to shift its thinking when it comes to attacks, as geo-political tensions manifest via cyberattacks,” said Contrast’s Senior Vice President of Cyber Strategy Tom Kellermann. “Cybercrime cartels are modernizing their criminal conspiracies so as to steal non-market information and destroy the integrity of sensitive data within financial institutions. This is no longer a question of duty of care but rather a duty of loyalty to the digital safety of customers.”
The Greatest Dangers
Check Point Software Technologies Ltd., a provider of cybersecurity solutions, reported in its latest Global Threat Index (covering activity in January) that the malware Vidar is quickly spreading through fake domains claiming to be associated with remote desktop software company AnyDesk. The malware used URL jacking for various popular applications to redirect people to a single IP address claiming to be the official AnyDesk website. Once downloaded, the malware masqueraded as a legitimate installer to steal sensitive information such as login credentials, passwords, cryptocurrency wallet data and banking details.
The top three cybersecurity threats last month were Qbot, also known as Qakbot, which is a banking Trojan often distributed by spam emails and is designed to steal a user’s banking credentials and keystrokes; LokiBot, a commodity infostealer that harvests credentials from a variety of applications and sells them on hacking forums; and AgentTesla, an advanced remote access Trojan functioning as a keylogger and information stealer which is capable of monitoring and collecting the victim’s keyboard input, system keyboard, taking screenshots, and exfiltrating credentials to a variety of software installed on a victim’s machine.
“Once again, we’re seeing malware groups use trusted brands to spread viruses, with the aim of stealing personal identifiable information,” said Maya Horowitz, vice president of research at Check Point Software. “I cannot stress enough how important it is that people pay attention to the links they are clicking on to ensure they are legitimate URLs. Look out for the security padlock, which indicates an up-to-date SSL certificate, and watch for any hidden typos that might suggest the website is malicious.”
But for some companies, Horowitz’s warnings are not being heeded. A new survey by the Outsourced IT Services practice of the consultancy EisnerAmper found 31% of corporate respondents admitting they never held a cybersecurity training session and 51% stating they were only “somewhat prepared” to deal with current safety measures.
The largest share of respondents (32%) said their annual spend on cybersecurity as a percentage of overall technology outlays was only between 1% and 3%, while 30% said that budget line was between 4% and 6%; only 23% said their spending level was 10% or higher. This survey polled 113 C-suite executives at corporations where the annual revenue range was $50 million to $500 million and the workforce ranged from 10 to 99 employees.
“This plays right into the hands of malicious actors,” said Rahul Mahna, partner and head of Outsourced IT Services at EisnerAmper. “When times are tough, these criminals expect companies to cut back, essentially leaving doors unlocked. In good times or bad, cybersecurity spending should always remain a top priority that yields significant return in losses avoided.”