trending
As we turn our attention to 2024, James Wood says the advent of generative AI is going to create major security headaches for payments companies – amid other problems.
In moments of comfort, it can be easy to forget what’s at stake in the event of a major cyberattack that goes the wrong way.
In 2023, a cyberattack on the MGM Grand Casino in Las Vegas shut the entire complex down for four days, costing MGM tens of millions of dollars in lost revenue and remediation costs.
Lloyds of London, the world’s insurance oracle, estimates that a major cyberattack on a global payments system could cause a $3.5 trillion hit to the world’s GDP.
As businesses struggle with escalating expenses and a wave of inflationary pressures, one cyberattack could be enough to see them go under.
And with around half of businesses in the UK alone unable to withstand a single attack, according to Forrester Research, the payments sector needs to sit up and pay attention.
What’s new or different next year?
The first thing to note is that cyber-risk has never been higher.
The latest figures for Q2 2023 tell us week-on-week figures for cyberattacks are up 10 percent on this time last year – and at the highest level ever recorded, according to Check Point Research.
In what follows, we set out the key risks to look out for next year – and the one issue that everyone will find increasingly challenging:
RISK ONE:
As generative AI gets better, criminals could profit.
There’s a lot of hype around generative AI right now. At Payments Cards & Mobile, we agree with other commentators that AI has been over-hyped.
That said, generative AI is going to cause headaches next year – not least because new regulations in the US, UK and EU will prevent certain aspects of its development by legitimate companies – but not by criminals.
Generative AI is the technique behind software such as ChatGPT: it allows the creation of new imagery, text and information based on background data.
Criminals are highly likely to make use of generative AI to enhance their existing attempts to create fake identities and profiles, access company systems and cause havoc.
“Expect criminals to use generative AI and GPU farming to create higher volumes of harder-to-detect fake customer profiles.”
The news doesn’t get any better when we add GPU farming into the mix.
“GPU farming” means setting very specific tasks to a series of networked computers to enable data calculations to be completed more efficiently. Expect criminals to combine GPU farming with generative AI software to create fake user profiles more effectively than ever before – and more rapidly.
How to solve it: There are two essential elements to mitigating what amounts to highly-evolved deepfake risk.
The first is that companies must do more to protect their data – and secondly, they must ensure their data is as clean and up to date as possible.
As well as protecting against highly sophisticated fakery, this will also make the use of AI and ML for positive purposes – such as improving customer service – easier.
“Companies need to beef up their data hygiene efforts and put cyber-risk at the very top of the board agenda.”
The second part of the answer, simply put, is recognising the problem at the most senior level in an organisation. security teams are being overwhelmed by the sheer volume of cyberattacks they have to react to.
“As the attack surface becomes more complex, security teams will become increasingly overwhelmed,” says Bernard Montel, EMEA Technical Director and Security Strategist at exposure specialists Tenable.
“Security leadership needs to be involved in high-end business decision making. Only then can organisations hope to reduce risk.”
RISK TWO:
Shift to the cloud creates criminal opportunity.
Research published by Forrester and Tenable in November 2023 reveals two-thirds of Chief Information Officers (CIOs) see the move to cloud infrastructures in 2024 creating the biggest systems risk.
In order, the highest perceived risks come from the use of public cloud infrastructure (31 percent), multi cloud and/or hybrid cloud (27 percent) and private cloud infrastructure (9 percent) – and with just three in ten companies using private cloud arrangements, expect trouble in 2024.
CIOs say public cloud raises risk
How to solve it: Data strategies should differentiate between business-critical data (including customer personal information) and other information.
Most obviously, all data stored on the cloud should be encrypted, almost as a hygiene factor – other protections include ensuring that access to business critical data on the cloud is role-specific and protected by multiple factors, including biometric data from the nominated users.
At present, just 5% of company files stored on the cloud are protected in any way, according to banking services firm BaaS Business Solutions – with cyberattacks occurring every 24 seconds, this is a recipe for disaster.
RISK THREE:
Malware and IoT devices.
Malware attacks were up 87% last year, according to tracking by SonicWall Capture Labs – and European countries made up half of the global top ten for malware attacks.
Malware works by gaining access to a poorly-protected device, then using that device to launch malicious attacks on a wider system.
An example would be malware on a personal smartphone accessing company e-mail or data systems and preventing use of those systems in a technique known as Direct Denial of Service (DdoS).
How to solve it: The obvious remedy here is to strengthen protection on personal devices, and/or to limit access to company data via personal devices.
Some organizations issue staff with encrypted devices for company use only – and with 17 billion internet-connected devices out there at present, this sounds like a smart choice.
Across the board, cyber-risk is on the rise. And while investment in cyber-security continues to grow, it seems that – in common with many other areas – a little more careful attention and thinking would go a long way to solving many simple exposures companies face.
That said, the advent of generative AI and GPU farming looks to be a significant threat development, and payments firms should prepare for significant challenges in this area.
Comments