Posted: 21st January 2020

On New Year’s Eve, as celebratory fireworks were going off in cities around the world, alarm bells were ringing at one of the UK’s most utilised foreign exchange businesses.

While the world celebrated the arrival of the 2020s, cyber security experts and customer service staff at Travelex worked to contain a well-planned ransomware cyber-attack.

The hackers demanded £4.6m for the return of access to systems – systems that held thousands of customers’ personal data (including payment card details).

The Travelex website was quickly taken offline and systems locked down as IT specialists and cyber security experts were brought in to contain the malware and restore normal, safe service for customers around the world. For a period of time, the global business was forced to use pen and paper to serve customers.

And to the company’s credit, the tremendous effort has paid off. On the 13th January, Travelex systems were starting to be switched on again. After containing the infection, refusing to pay the hackers and ensuring that customers were protected, the business is returning to its feet.

Even with the relatively happy ending, this kind of attack should come as a warning for businesses. The 2020s won’t bring a reprieve from cyber-crime. In fact, we expect the risk to increase.

But, as we know, “forewarned is forearmed”.

Here are some of the threats and risks we currently see on the horizon. Take these on board in your resilience planning and get your business ready for the decade to come.

1. Ransomware is a booming business

Companies, businesses and non-governmental organisations will continue to suffer as a result of the evolution of ransomware. As mentioned at the beginning of this article, we’ve already seen ransomware attacks cripple some major players in the industry.

It is likely that the volume of ransomware attacks will decline as companies become wise to the security flaws that allow them to occur, but new attacks will be much more destructive. Europol expects to see less of a ‘scatter-gun’ approach from criminals using ransomware. Instead, attacks will become more sophisticated and far more highly targeted at specific companies.

2. Phishing attacks will become even more commonplace 

We’ll no doubt see phishing attacks (the use of fraudulent emails to gather private information), on both people and businesses, continue to be an issue going forward. After all, criminals have seen great success in using this tactic to infiltrate our defences.

Criminals are now looking beyond email as well, as many businesses have already put defences in place (secure gateways and extensive employee training being just two examples). However, too many businesses are still unaware of the large and growing variety of phishing tactics that target employees outside of email. They can now be carried out via browser pop-ups, ads, malicious search results and malicious apps. We will certainly see more attacks designed to elude companies’ software protections being used in the 2020s.

This is an issue that will require more of a social and cultural fix than a technical one. Phishers only need to deceive employees into visiting malicious sites or inputting data into hacked webpages in order to succeed, after all.

3. Malware goes mobile

The continued growth in the use of mobile banking applications will see a corresponding increase in mobile malware attacks.

As always, cyber criminals will follow the money and, increasingly, they are going to distribute malware specifically designed to steal payment data and login credentials from our smartphones. And seeing as many businesses provide their employees with work mobiles, this could potentially result in sensitive data being compromised.

These devices now commonly hold vast amounts of information, including payments data (how many of us have Apple or Google Pay enabled on our phones?). It is time for users to scrutinise more closely what apps they download and where they originate from. They will also have to be more careful about which websites they visit with these devices, as they are no longer as safe from malware as they used to be (simply by merit of mobiles being less regularly used than desktop devices – something that is certainly not the case anymore).

4. Geopolitical tensions hit the private sector

Some cyber security experts have claimed that we are on the edge of a new ‘cold war’, in which nation state-backed actors are taking the battle online. And it is the private sector that could bear the brunt of this tension.

Whether through direct attacks, such as hacks aimed at a country's financial services sector, or indirectly, through the crippling of critical national infrastructure, the private sector will need to be prepared to face increasingly sophisticated threats.

5. Hope on the horizon?

We couldn’t finish this list on a bad note, could we? In fact, we have a ‘hope’ to add.

Over the next year and beyond, we will begin to see the growth of more cyber-aware boards. Such boards will have the appetite to take a strategic view of cyber security, both as a business necessity and as a differentiator.

Increasingly, company boardrooms will recognise that they can and must defend themselves and their customers from cyber-crime by being strategic, acting decisively and showing leadership from the top rather than delegating all responsibility to their security teams. Such a change will require boards to be proactive rather than reactive, strategic rather than tactical, in order to stay ahead of the ever-increasing challenge from hostile cyber actors.

Huntswood recently published a free white paper specifically to help boards reach this state. This report will provide a lot of the guidance your firm needs to step into the 2020s with confidence.

How things have changed …

In 2010 we marvelled at the arrival of the first iPad. The business phone of choice was the Blackberry Curve. Remember those days?

Over the course of the 2010s we also witnessed the rise of the ‘Internet of Things’ and cloud computing. Technology became deeply embedded in how we live, making us more connected, but also more vulnerable than we have ever been.

But the next decade will be very different from the last, at least in some ways.

Q1 2020 is the perfect time to take a strategic view of your cyber defences. It would also pay to bring a fresh set of eyes on board to carry out an independent review of your security and help you to develop your own distinct cyber strategy. Any business taking this approach will be going a long way to protecting themselves, their employees and their customers from whatever the new year, and the new decade, may bring.

Stephen Head and Mike Peckham

Gadhia Consultants

Stephen and Mike, Managing Partners, represent Gadhia Consultants within Huntswood. They provide cyber security assurance to firms across a variety of sectors.