In today’s digitized and hyper-fast world, cyberattacks and the threat of security breaches abound.
So, what are treasury leaders and companies to do to both protect themselves and mitigate the fallout from the ever-evolving cyber threat environment?
There is no easy, one-size-fits-all answer, and that’s why PYMNTS CEO Karen Webster sat down with Rosa Ramos-Kwok, managing director and business information security officer for Commercial Banking at J.P. Morgan, and Matanda Doss, executive director and lead information security manager for Commercial Banking at J.P. Morgan, to get their thoughts on actionable strategies for organizations to strengthen their cybersecurity posture as we head into 2024.
Doss emphasized the need for the consistent exercise of cybersecurity playbooks, ensuring readiness for potential attacks, particularly given the realities of each attack’s “blast radius,” where cyberattacks impact both technical and business aspects.
“When you think about the business itself, you’re talking about reputational, regulatory, legal impacts, which there are a lot of,” Ramos-Kwok said. “And the most difficult one to manage is probably reputation.”
She explained that it is rarely ever just one piece of data that is compromised by an attack but frequently an entire system, and managing the blast radius becomes critical in the aftermath of an attack.
“There is the attack path of how they came into your system, how and where they got through firewalls, how they avoided intrusion detection,” Doss said. “… Now those systems have been compromised, and you have to start cleaning up forensically.”
Both Ramos-Kwok and Doss highlighted the significance of post-incident reports in understanding and addressing vulnerabilities. Key lessons include prioritizing cybersecurity hygiene, regularly reviewing access privileges, and conducting thorough business continuity planning.
The best practices that come out of these after-incident reports are particularly helpful for treasury organizations, which learn to be more proactive in defending against attacks.
“The No. 1 thing that I would start with is good cyber hygiene,” said Ramos-Kwok, explaining that sometimes firms can fall behind on patching up legacy systems, which leaves aged software with “all sorts of vulnerabilities” in place because firms had “other priorities or it was too expensive.”
“The after-action report will also help you understand what your business continuity plan was and where it failed,” added Doss. “If you haven’t stayed up on your hygiene, that will come out in the report. That’s why running red team exercises or simulated events is so important.”
The highly interconnected digital banking system itself brings both increased speed and efficiency, as well as increased exposure to fraud and cyber threats.
“The environment has changed,” Doss said. “The internet was built to share information, then later we decided we needed to put security on top. And so fundamentally, you’ve got holes because the original architecture was built to be pervasive and promiscuous, not to be tight and secure.”
“Threat actors are counting on busy professionals,” Ramos-Kwok added. “They’re counting on the fact that you are going from meeting to meeting, and you are going to click on something because you’re trying to do everything quickly.”
She stressed the importance of recognizing the ease with which fraudsters can impersonate individuals, emphasizing the need for robust identity verification measures, particularly around threat vectors like business email compromise (BEC).
“It’s all about the art of distraction — and it’s important to pay attention to those distractions,” Ramos-Kwok said.
“And that’s only half the problem,” Doss added, noting that social engineering attacks including impersonation and fraud can open the door to newer, “polymorphic” attacks where different styles of attack occur at the same time.
“As you’re dealing with the obvious problem, [bad actors] are coming in the back door activating software they’ve left behind or a back door they’ve opened previously,” Ramos-Kwok said.
Regular training, phishing tests and practicing response protocols can contribute to building a resilient defense against social engineering attacks despite the online world’s lack of inherent security infrastructure.
Ramos-Kwok highlighted that while some attacks may resemble traditional methods, such as distributed denial of service (DDoS), new attack vectors are emerging. The integration of artificial intelligence (AI) and machine learning (ML) allows fraudsters to quickly adapt and modify their tactics, making attacks more sophisticated and challenging to detect.
That’s why the importance of recognizing cybersecurity as an ongoing battle has never been more important, and neither has the need for organizations to adapt continually.
Recognizing that humans are often the weakest link in cybersecurity, both Doss and Ramos-Kwok emphasized the importance of instilling a strong cybersecurity culture within organizations.
“Your first line of defense has to be people,” Doss said. “Most organizations have more people than they do systems, and that’s a lot of vulnerability.”
“The more you practice [these cybersecurity exercises and tests,] the better muscle memory you have so that when the real thing happens, you’re ready and you’ve shrunk the scope of what can be done,” added Ramos-Kwok.
Looking ahead, both Ramos-Kwok and Doss agreed that mitigating cyberattacks requires a holistic approach that addresses both technical vulnerabilities and human factors.
The world is only getting more connected, meaning that multiple attacks at once across various vectors will become increasingly common as attack surfaces expand.
“Operational technology like manufacturing system software that’s not really designed to be secure but was designed to enable [across the Internet of Things (IoT)], there might be a pattern that emerges with artificial intelligence in taking advantage of the complexity of attack that can be launched,” said Doss.
“We are increasingly dependent on software,” added Ramos-Kwok. “Most organizations have software they rely on that they did not write and that is not proprietary.”
She noted the importance of the configurations of Software-as-a-Service (SaaS) providers and the need for organizations to review and adapt contractual agreements with vendors.
“The legal contract is so important, particularly when you think about the supply chain blast radius,” Doss said. “How does [a SaaS] contract protect you or help mitigate the issues that might occur?”
That’s why the importance of continuous adaptation, collaboration and preparedness in the face of evolving cyber threats can’t be overstated — and neither can running those after-incident reports.