We've all have discussed on the Internet of Things by now, billions of devices connected to the internet, gathering all kinds of information on us and our daily lives. And while many of the attention-grabbing headlines will highlight the consumer-facing Internet of Things, such as in cars, domestic appliances and healthcare, the industrial sector is also already embracing connected devices.
In their Asia/Pacific Internet of Things Market Forecast, predicts that by 2020 there will be 8.6 billion connected devices in APeJ. Smart Grids will be the leading use case, followed by Manufacturing Operations, Asset/Fleet Management and Smart Buildings. According to the report, by 2020 the total market opportunity in the IoT ecosystem will be in excess of $500 billion, of which the anticipated spend on security will be $8 billion plus.
Utilities, energy providers and manufacturers are increasingly looking to connected devices to help their business streamline industrial control systems (ICS). But just as there are worries over IoT security, ICS are also facing increasing security threats, and connected devices further highlights the need for proper security measures. According to a report, Asia-Pacific Industrial Control Systems Security Market, the APAC market for ICS security is set to top $1 billion in just four years as industry players begin to understand the growing cyber threat to operational technology.
What we're addressing here is the Industrial Internet of Things, and attacks on it are already fairly common. This is a particular worry because the very foundation of IoT, and indeed IIoT - what makes it such a game changer - is also its security weak spot. By this we mean the fact that all these different components - typically manufactured by different vendors - talk to each other. And these vendors can and do require remote access to systems for a variety of reasons, such as pushing out updates or collecting data. And because many of these vendors originally come from the consumer sector, security perhaps isn't built into their devices as much as it should be. PCI have mentioned specific concerns over the IOT platform add hoc extensions. The security risks are quite major concern in Financial institutions as well.
So IIoT vendors can be targeted by cyber criminals as a way to gain access to a specific organization. It's one more route to bypass a company's defenses attacking a third party that interacts with or maintains part of the connected infrastructure of another business.
We have seen attacks like this already. This attack, for example, targeted three companies that make software for the industrial sector. Malicious code was implanted into their software update processes, which when their customers updated was transferred to their systems, giving the attackers access to vital data, systems and services.
The fact that the attackers were able to introduce malicious updates to the victims' servers strongly suggests that they had some sort of internal access to the network. It is also likely that they would have had sufficient permissions to upload the infected updates. These privileges or permissions are associated with human accounts or automated systems and if these are not properly managed, if a company loses control of critical administrative login data, for example, they can be hijacked.
Now, it is of course very difficult for a customer to have any influence over the security a vendor has put in place. But there are some things that can be done. It is vital, for example, that customers understand the dependencies within the supply chain, and where any weaknesses lie. Any links within that chain should have the same level of control that exist internally. Also, it's possible that when working with vendors, customers can negotiate contracts or SLAs that guarantee sufficient security controls. This can be specific to interaction between the vendor and customer, such as ensuring the integrity of updates before the customer downloads them.
It's also worth considering whether there is a human element involved, and what controls are in place to ensure credentials are secure. The same process can be applied when it comes to who at the vendor has the right to access the customer environment. Credential management like this can control who has the privilege or permission to gain remote access into your infrastructure. Ultimately, the openness of the IoT and communication among its different elements can and should be extended to include vendors and customers. That's key to ensuring your business remains secure.
Financial technology Risks has reached a tipping point, today more and more financial institutions are noticing the benefits that technology offers users, from convenient services to real-time access amid the rapid proliferation of mobile devices and cloud computing of recent years.
According to Accenture's analysis of CB Insights data, investments in APAC various ventures, primarily in China, reached almost US$10 billion as of current year July end,- more than twice the US$4 billion invested in the region in all of 2015. The top 10 investments in APAC ventures occurred in China and Hong Kong were accounting for 90% of all investments in the region. Evidence of this growth is all around us today. For example, according to PwC's Global Economic Crime Survey 2016, the number of consumers using digital banking in Asia Pacific reached 670 million in 2014, and is expected to increase to 1.7 billion by 2020. The service has revolutionized the banking industry, leading to a growth in online and mobile banking of 35% on average annually, while the use of traditional banking decreased by more than a quarter.
Banking industry is being put at risk. Not limited to the launch of Apple Pay and the first batch of stored value facility (SVF) licenses to provide e-wallet services by the Hong Kong Monetary Authority (HKMA), they bring huge convenience to daily life, while at the same time, though the growth presents significant benefits to the industry, it also brings about significant risks. Recent incidents across Asia, and in particular in Hong Kong, have drawn attention to the security risks associated with digital banking.
HKMA recently revealed that there are at least 22 online bank accounts in at least four banks that have reported unauthorized stock trading activities, totaling a sum of HK$45.97 million. Although HKMA said that none of the cases reported resulted in any fund transfers to unregistered third parties (thanks to a double authentication process), there were nine cases that resulted in financial losses of HK$1.56 million. For the banks, the fallout extends beyond just financial liability, and could have lasting impacts on everything from consumer trust to organizational reputation.
Bring security awareness on a healthy level: According to a recent study by F5 and The Asian Banker, the majority (84%) of financial firms now rank cyber threats as one of their top business risks. CEOs are increasingly concerned about the impact of these threats on their business, but less than half (37%) of organizations actually have a cyber incident response plan or policy in place.
Threats are becoming increasingly sophisticated and creative. The five most common threats organizations face are malware, web application attacks, point of sale attacks, insider compromise and DDoS attacks. Despite this, end users are increasingly used as an alternative channel of launching attack due to the sheer number of devices, many of which are unknown - and unsecured. Awareness is growing about this and other threats, but it is a cat-and-mouse game, with criminals switching tactics and inventing new methods of attacks regularly.
Prevention is better than mitigation : Regulators are aware of this threat, and increasingly they are taking steps to mitigate the risks. The HKMA has announced the launch of a Cyber security Fortification Initiative (CFI) at the Cyber Security Summit 2016, and issued a formal circular to all banks setting out that it is a supervisory requirement for them to implement the CFI. This initiative will enhance the protection of multiple banking channels.
For banks and financial institutions strategies are needed that offer real-time threat identification, deep analysis and comprehensive protection due to the dynamic nature of their operations. They should stay vigilant and focus their effort on three items.
First, they need to prioritize real time monitoring and prevention, to guard against malware and phishing attacks which are designed to steal identity, data and money at any time. Second, they need to make sure that no endpoint software or user involvement will be required and have full transparency on the security control. Third, they also need a multi-device support, to protect transactions made on any devices or channels as every transaction can be at risk.
Cyber crime is the greatest threat that banks and financial institutions face today. Careful planning and prompt action for when, not if, organizations are threatened could mean the difference between competitive success, or financial failure.
In their Asia/Pacific Internet of Things Market Forecast, predicts that by 2020 there will be 8.6 billion connected devices in APeJ. Smart Grids will be the leading use case, followed by Manufacturing Operations, Asset/Fleet Management and Smart Buildings. According to the report, by 2020 the total market opportunity in the IoT ecosystem will be in excess of $500 billion, of which the anticipated spend on security will be $8 billion plus.
Utilities, energy providers and manufacturers are increasingly looking to connected devices to help their business streamline industrial control systems (ICS). But just as there are worries over IoT security, ICS are also facing increasing security threats, and connected devices further highlights the need for proper security measures. According to a report, Asia-Pacific Industrial Control Systems Security Market, the APAC market for ICS security is set to top $1 billion in just four years as industry players begin to understand the growing cyber threat to operational technology.
What we're addressing here is the Industrial Internet of Things, and attacks on it are already fairly common. This is a particular worry because the very foundation of IoT, and indeed IIoT - what makes it such a game changer - is also its security weak spot. By this we mean the fact that all these different components - typically manufactured by different vendors - talk to each other. And these vendors can and do require remote access to systems for a variety of reasons, such as pushing out updates or collecting data. And because many of these vendors originally come from the consumer sector, security perhaps isn't built into their devices as much as it should be. PCI have mentioned specific concerns over the IOT platform add hoc extensions. The security risks are quite major concern in Financial institutions as well.
So IIoT vendors can be targeted by cyber criminals as a way to gain access to a specific organization. It's one more route to bypass a company's defenses attacking a third party that interacts with or maintains part of the connected infrastructure of another business.
We have seen attacks like this already. This attack, for example, targeted three companies that make software for the industrial sector. Malicious code was implanted into their software update processes, which when their customers updated was transferred to their systems, giving the attackers access to vital data, systems and services.
The fact that the attackers were able to introduce malicious updates to the victims' servers strongly suggests that they had some sort of internal access to the network. It is also likely that they would have had sufficient permissions to upload the infected updates. These privileges or permissions are associated with human accounts or automated systems and if these are not properly managed, if a company loses control of critical administrative login data, for example, they can be hijacked.
Now, it is of course very difficult for a customer to have any influence over the security a vendor has put in place. But there are some things that can be done. It is vital, for example, that customers understand the dependencies within the supply chain, and where any weaknesses lie. Any links within that chain should have the same level of control that exist internally. Also, it's possible that when working with vendors, customers can negotiate contracts or SLAs that guarantee sufficient security controls. This can be specific to interaction between the vendor and customer, such as ensuring the integrity of updates before the customer downloads them.
It's also worth considering whether there is a human element involved, and what controls are in place to ensure credentials are secure. The same process can be applied when it comes to who at the vendor has the right to access the customer environment. Credential management like this can control who has the privilege or permission to gain remote access into your infrastructure. Ultimately, the openness of the IoT and communication among its different elements can and should be extended to include vendors and customers. That's key to ensuring your business remains secure.
Financial technology Risks has reached a tipping point, today more and more financial institutions are noticing the benefits that technology offers users, from convenient services to real-time access amid the rapid proliferation of mobile devices and cloud computing of recent years.
According to Accenture's analysis of CB Insights data, investments in APAC various ventures, primarily in China, reached almost US$10 billion as of current year July end,- more than twice the US$4 billion invested in the region in all of 2015. The top 10 investments in APAC ventures occurred in China and Hong Kong were accounting for 90% of all investments in the region. Evidence of this growth is all around us today. For example, according to PwC's Global Economic Crime Survey 2016, the number of consumers using digital banking in Asia Pacific reached 670 million in 2014, and is expected to increase to 1.7 billion by 2020. The service has revolutionized the banking industry, leading to a growth in online and mobile banking of 35% on average annually, while the use of traditional banking decreased by more than a quarter.
Banking industry is being put at risk. Not limited to the launch of Apple Pay and the first batch of stored value facility (SVF) licenses to provide e-wallet services by the Hong Kong Monetary Authority (HKMA), they bring huge convenience to daily life, while at the same time, though the growth presents significant benefits to the industry, it also brings about significant risks. Recent incidents across Asia, and in particular in Hong Kong, have drawn attention to the security risks associated with digital banking.
HKMA recently revealed that there are at least 22 online bank accounts in at least four banks that have reported unauthorized stock trading activities, totaling a sum of HK$45.97 million. Although HKMA said that none of the cases reported resulted in any fund transfers to unregistered third parties (thanks to a double authentication process), there were nine cases that resulted in financial losses of HK$1.56 million. For the banks, the fallout extends beyond just financial liability, and could have lasting impacts on everything from consumer trust to organizational reputation.
Bring security awareness on a healthy level: According to a recent study by F5 and The Asian Banker, the majority (84%) of financial firms now rank cyber threats as one of their top business risks. CEOs are increasingly concerned about the impact of these threats on their business, but less than half (37%) of organizations actually have a cyber incident response plan or policy in place.
Threats are becoming increasingly sophisticated and creative. The five most common threats organizations face are malware, web application attacks, point of sale attacks, insider compromise and DDoS attacks. Despite this, end users are increasingly used as an alternative channel of launching attack due to the sheer number of devices, many of which are unknown - and unsecured. Awareness is growing about this and other threats, but it is a cat-and-mouse game, with criminals switching tactics and inventing new methods of attacks regularly.
Prevention is better than mitigation : Regulators are aware of this threat, and increasingly they are taking steps to mitigate the risks. The HKMA has announced the launch of a Cyber security Fortification Initiative (CFI) at the Cyber Security Summit 2016, and issued a formal circular to all banks setting out that it is a supervisory requirement for them to implement the CFI. This initiative will enhance the protection of multiple banking channels.
For banks and financial institutions strategies are needed that offer real-time threat identification, deep analysis and comprehensive protection due to the dynamic nature of their operations. They should stay vigilant and focus their effort on three items.
First, they need to prioritize real time monitoring and prevention, to guard against malware and phishing attacks which are designed to steal identity, data and money at any time. Second, they need to make sure that no endpoint software or user involvement will be required and have full transparency on the security control. Third, they also need a multi-device support, to protect transactions made on any devices or channels as every transaction can be at risk.
Cyber crime is the greatest threat that banks and financial institutions face today. Careful planning and prompt action for when, not if, organizations are threatened could mean the difference between competitive success, or financial failure.
