Financial services are on the frontline of the cyber war. CIOs are in an arms race with malicious actors to shore up their defences, protect their organizations and safeguard the broader financial system. Just ask JPMorgan’s Mary Erdoes, who recently revealed at Davos that the bank is targeted by hackers an estimated 45 billion times every single day. A successful intrusion costs the average financial institution some $5.72m per breach, according to research conducted by IBM and the Ponemon Institute – a figure that leaves out the reputational damage inflicted on the bank, and the foothold a successful breach gives attackers for future intrusions.
Little surprise, then, that CIOs worry daily about shoring up corporate cyber defences against everything from simple phishing scams to more exotic threats like deepfakes and AI-assisted malware. More disturbing, however, is the lack of attention paid to securing firmware against attack, as executives with little technical background steer funding toward application and software security and away from patching the firmware in the routers, servers and devices that run the business day-to-day.
CIOs should prioritise firmware protections
Cyber watchdogs agree. Last year, a joint cybersecurity advisory published by the US Cybersecurity and Infrastructure Security Agency (CISA), the NSA and the FBI, together with Japan’s NISC and NPA, detailed attacks by BlackTech, a group backed by the Chinese state. BlackTech replaced the firmware on Cisco routers with modified images that gave the group persistent administrator access while evading logging, starting at the branch routers of overseas subsidiaries and then pivoting into the corporate headquarters network. A router that reports a legitimate-looking version string can still be running attacker-built firmware, which is why version checks alone are not an audit.
It’s not just routers that are vulnerable. Kaspersky Lab has documented APT implants in BIOS/UEFI firmware (MosaicRegressor and CosmicStrand among them), the Equation Group’s modules for reprogramming hard drive firmware, and, in Operation ShadowHammer, a trojanised copy of ASUS’s Live Update utility, the very tool that delivers BIOS and driver updates to customers. What’s increasingly concerning for CIOs is that as the Internet of Things proliferates, more and more devices become potential targets – even Samsung’s smart TVs have had their firmware manipulated to function as listening devices. And as more office smart printers, lighting systems and cameras get connected to the internet, the risk ratchets up.
These attacks are a clear shot across the bow for CIOs in financial services. They need to secure router firmware, BIOS/UEFI, hard drive firmware and every other firmware layer in their organisation, and they need to start now. Shockingly, though, the wider cybersecurity narrative has yet to even begin to address the need to secure firmware more aggressively against such threats.
Delegating change
So, what tactical changes do we need to see? Firstly, CIOs need to stop delegating responsibility to cybersecurity consultancies, which, on the whole, overcharge and underdeliver. They come in, run some virus scans, and then recommend best practices that were timely before the millennium, like changing your passwords every six months (guidance NIST itself dropped in SP 800-63B in favour of rotating passwords only on evidence of compromise). For large multinational financial institutions, this kind of advice should be acted upon but is nowhere near satisfactory when implemented in isolation. Moreover, in the event of a breach, CIOs cannot expect conformance with best practices to absolve them of responsibility.
Secondly, there needs to be a shift in broader management practices. Financial executives have been happy to underfund cybersecurity across the board. CIOs are sidelined, often exiled to a dark corner of the office, and not considered full-blooded members of the decision-making C-suite. Executives need to take CIOs seriously and crack open the war chest to bolster their defences. This means increasing investment in cybersecurity wholesale, but also reallocating significant funds from software security to firmware security, which has been left exposed for far too long.
Thirdly, once they’re taken seriously and given increased funds, CIOs in financial services can immediately deploy preemptive battle plans to protect their firmware. One priority in this preemptive defence should be peripheral networks – branch offices, subsidiaries and the edge devices that connect them – which are a significant blind spot for multinational financial institutions and exactly where BlackTech got in. CIOs must conduct regular audits that verify the firmware actually running on each device against vendor-published images, implement network segregation so a compromised branch router cannot reach the core, and enforce least-privilege access to the management planes of edge devices. CIOs in financial services must also have a third-party risk management programme. There’s no guarantee that suppliers have rigorous security measures, and they are a backdoor into larger financial institutions. CIOs need to require that vendors sign their firmware images and that devices verify those signatures before installing them, request security certifications, and run a regular patch management process so that known-vulnerable firmware versions are retired on a schedule. CIOs possess an intimate understanding of all these intricacies; it lies at the very core of their professional expertise.
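As an added illustration of what such a firmware audit looks like in practice (this is example code written for this page, not a tool from the advisory or from any vendor), the script below compares the image dumped from each device with the hash the vendor publishes for the version the device claims to run, and separately flags devices that are behind the latest release. The firmware images, manifest and inventory are all constructed stand-ins; a real manifest would come from the vendor and must be signature-verified before it is trusted. The key design point is that the check hashes the image itself rather than believing the reported version string, which is exactly the gap the BlackTech router implants exploited.

```python
"""Audit device firmware against a vendor manifest of known-good image hashes.

Example code added for this article; all data below is constructed.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for vendor firmware images (real images are megabytes).
VENDOR_IMAGES = {
    ("edge-router", "15.2.4"): b"vendor image edge-router 15.2.4",
    ("edge-router", "15.2.7"): b"vendor image edge-router 15.2.7",
    ("print-server", "3.1.0"): b"vendor image print-server 3.1.0",
}

# Manifest as a CIO would obtain it from the vendor: model -> version -> sha256.
# Assumed to be authenticated out of band (e.g. vendor-signed) before use.
MANIFEST: dict[str, dict[str, str]] = {}
for (model, version), image in VENDOR_IMAGES.items():
    MANIFEST.setdefault(model, {})[version] = sha256(image)


def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def latest_version(model: str) -> str:
    return max(MANIFEST[model], key=parse_version)


def audit_device(device: dict) -> list[tuple[str, str]]:
    """Return (code, message) findings for one device.

    device has: name, model, reported_version, image (bytes dumped from flash).
    """
    name, model, reported = device["name"], device["model"], device["reported_version"]
    versions = MANIFEST.get(model)
    if versions is None:
        return [("UNKNOWN_MODEL", f"{name}: no vendor manifest for model {model}")]

    findings = []
    actual = sha256(device["image"])
    expected = versions.get(reported)
    if expected is None:
        findings.append(("UNKNOWN_VERSION", f"{name}: reports version {reported}, not in manifest"))
    elif actual != expected:
        # The BlackTech pattern: a legitimate-looking version string over a replaced image.
        findings.append(("HASH_MISMATCH",
                         f"{name}: image hash {actual[:12]}... does not match vendor hash "
                         f"for {reported}; possible firmware implant"))
    if expected is not None and parse_version(reported) < parse_version(latest_version(model)):
        findings.append(("OUTDATED", f"{name}: running {reported}, latest is {latest_version(model)}"))
    return findings


def audit_inventory(inventory: list[dict]) -> dict[str, list[tuple[str, str]]]:
    return {d["name"]: audit_device(d) for d in inventory}


# Constructed inventory: what a collector would dump from each device.
INVENTORY = [
    {"name": "hq-core-1", "model": "edge-router", "reported_version": "15.2.7",
     "image": VENDOR_IMAGES[("edge-router", "15.2.7")]},
    # Branch router: claims 15.2.4 but its flash holds a modified image.
    {"name": "branch-tokyo-rtr", "model": "edge-router", "reported_version": "15.2.4",
     "image": VENDOR_IMAGES[("edge-router", "15.2.4")] + b"\x00implant"},
    {"name": "branch-lima-rtr", "model": "edge-router", "reported_version": "15.2.4",
     "image": VENDOR_IMAGES[("edge-router", "15.2.4")]},
    {"name": "print-server-2", "model": "print-server", "reported_version": "3.1.0",
     "image": VENDOR_IMAGES[("print-server", "3.1.0")]},
    {"name": "cam-lobby", "model": "ip-camera", "reported_version": "1.0",
     "image": b"some camera image"},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        status = "OK" if not findings else "; ".join(m for _, m in findings)
        print(f"{name}: {status}")
```

In a real deployment the `image` field would be the firmware dumped through the device's own verification facility or pulled from flash over a management connection, and the `UNKNOWN_MODEL` result is itself a finding: a device the organisation cannot verify should not be on the network until a manifest for it exists.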
Management has sidelined CIOs, relied on consultancies and underfunded cybersecurity across the board for far too long. With the sub-optimal funds CIOs do have, priorities are dictated to them by media soundbites about AI and deepfakes. This has left firmware exposed out in the open, and hackers have their sights trained on it. Management of financial services firms must recognize the imminent threat now and properly fund cybersecurity, or risk being the next high-profile casualty in this rapidly escalating war.