10 cybersecurity predictions to watch
‘Ignorance is risk’ with cybersecurity, says consultant Cy Sturdivant.
When it comes to cybersecurity, if you’re reachable, you’re breachable, says Cy Sturdivant, director of cybersecurity consulting at Forvis.
“You’re at risk regardless of your size, location, or other factors,” he says. “If you’re on the internet, you’re reachable.”
All industries have become more breachable in recent years: Reported losses from online fraud grew from $2.7 billion in 2018 to $10.3 billion in 2022, according to the FBI’s Internet Crime Complaint Center.
The financial industry is among the hardest hit. The average cost of a data breach for financial institutions was $5.97 million in 2022, according to IBM’s 2023 Cost of a Data Breach Report.
“Criminals don’t have to breach your firewall, just trick your members or employees,” Sturdivant says. “Most criminals just log in to your system because we make it so easy for them.”
The most common cybersecurity threats are social engineering attacks via phishing, business email compromise, supply chain attacks, malware (e.g., ransomware, remote access trojans, and keyloggers), attacks on cloud applications, and attacks powered by artificial intelligence (AI).
“The root causes of cyberattacks are ineffective patch management, weak privileged access controls, unmonitored detection systems, and inadequate training,” he says. “Ignorance is risk.”
Sturdivant offers 10 cybersecurity predictions:
1. Ransomware becomes weaponized. This crime, in which malicious software blocks access to data until the organization pays a sum, will become a tool for cyberwarfare by nation states and cybercriminals.
2. Supply chain attacks increase. Attacks on software providers will grow as hackers find this to be an effective way to compromise multiple targets.
3. Cloud security failures. Misconfigurations and vulnerabilities in cloud infrastructure will lead to major data breaches.
4. AI-powered hacking. Hackers will use AI to automate attacks, avoid detection, and craft convincing phishing emails.
5. Internet of Things (IoT) botnets surge. Unsecured IoT devices increasingly will be hijacked into botnets to launch denial-of-service attacks.
6. Quantum computing threats emerge. Quantum computers will be able to crack current encryption and undermine blockchain security.
7. Credential stuffing attacks proliferate. Automated credential stuffing attacks, in which credentials obtained from a data breach on one service are used to log in to another unrelated service, will grow as criminals leverage billions of stolen passwords.
8. Application programming interface (API) vulnerabilities will be exploited. API security failures will lead to data breaches as hackers target back-end systems.
9. Critical infrastructure hacking. State-sponsored hackers will increasingly target critical national infrastructure such as power grids.
10. Deepfakes for social engineering. Realistic deepfake videos will be used for more convincing phishing and social engineering.
Sturdivant says credit unions can prepare for cybersecurity threats with these best practices:
- Backup and recovery. It’s critical to maintain offline, encrypted data backups, and to test the backups regularly.
- Configuration hardening. This includes restricting user permissions for installing and running software, configuring firewalls to block known malicious internet protocol addresses, and implementing software restriction policies and application whitelisting.
- Incident response plan. Create, maintain, and exercise a basic cyber incident response plan and an associated communications plan that includes response and notification procedures for a ransomware incident.
- Email security and awareness. Scan all incoming and outgoing emails to detect and filter threats such as phishing and spoofing emails and executable attachments. Implement training and awareness programs, including regular phishing simulation exercises.
Managing cyber risk is how credit union leaders protect member data, employees, the institution, and the industry overall, Sturdivant says.
“Cybersecurity isn’t just about people’s data,” he says. “It’s caring about the people themselves.”
Sturdivant addressed the 2023 Supervisory Committee & Internal Audit Conference in Las Vegas.