Alvin Mills
VP of Information, Technology & Security

2023 year in review

I remember having several conversations earlier this year with my peers in cyber, specifically at the 2023 TBA Cyber Tech Conference, that maybe 2023 would finally be a year that we could “catch up” a little — take a deep breath, pat ourselves on the back and start tackling some of the basics again in protecting our businesses. We talked a lot about the ongoing issue of addressing our third-party risk, and maybe this year we could turn the corner. And then it hit — more specifically, “MOVEit” hit, and “it” hit the fan.

As of this writing, the full impact of the Progress Software flaw is still being analyzed. Current estimates show that 2,120 organizations have been impacted by MOVEit Transfer exploits, resulting in data being compromised for at least 62 million individuals. To this day, companies are still uncovering details about data that was compromised in the ensuing exploits, painting a more complete picture of the bug’s impact.

“It’s easy to see that multiple victims have been affected only because they rely on a third-party provider that uses MOVEit Transfer — not strictly using the software themselves.” — John Hammond, senior security researcher with Huntress 

We, the Texas Bankers Information Sharing and Analysis Organization (TBISAO), started receiving the reports very quickly from our threat intelligence service, and much to our surprise, we had a handful of banks that were notified by their service providers that they were already addressing the exploit. This is something we hadn’t seen that much of before. Maybe the prior years’ exploits such as SolarWinds, Log4j, ConnectWise and Exchange finally sank in, but regardless, we much appreciated the heads-up from our partners.

As for my organization, we learned via a vulnerability scan that we were indeed at risk, and we immediately made the decision to shut off access at the firewall. Yes, we broke some processes, but considering the outcome of not shutting it off, I believe the right decision was made. A lot can be said for our community banks in Texas. They responded very quickly, shared information, and collaborated with their peers — that’s really what it is all about. Kudos to them.

How has the overall financial sector fared with this exploit? 

According to American Banker, 15 banks and credit unions reported that their customers’ personal information, such as names, SSNs, addresses and phone numbers, was involved. But this is only what’s been reported. There are still ongoing investigations, so the number may grow. I remain optimistic, but I know many IT and security teams are still spending a lot of effort to ensure they are safe and secure. 

But it hasn’t just been about this one exploit this year. MOVEit might have been the big iceberg, but the IT and security teams are very busy addressing other challenges as well. As I report every year, the emerging technologies, the cyber threats and the sophistication of these attacks continue to go up and up. 

Some interesting stats were provided by Splunk. They surveyed over 1,500 IT and security teams worldwide. 53% of the respondents stated that keeping up with security requirements is harder than it was two years ago. But the number was 66% in 2022. So, I take that as a silver lining. We’re making progress. 

Some other interesting stats: 

  • 95% of those surveyed have increased their focus on third-party risk assessments. 
  • 81% of organizations are converging aspects of security and IT operations.
  • 95% of security budgets will increase over the next two years — 56% of them significantly. 

We’re spending money to address our greatest risk, we’re partnering across our organizations (it’s everyone’s responsibility), we’re trying to solve these issues by sharing information and we’re collaborating more with our business partners.

To meet these persistent challenges, we need to focus on being resilient and agile. Traditionally, the focus has been on business continuity and disaster recovery. Making investments to speed the recovery of user services and incident response times is key going forward.
