by Paul Sellers
It’s hard to address the risk of cyber security because it’s new - and very difficult to measure. The reality is that you’ll only know if you have it right when nothing happens - or, when something does happen, just how good you are at responding to it, by which time it’s too late.
As technology solutions proliferate at an ever-increasing rate, as firms invest in new systems that pull in data from various sources, and as more devices are connected to the Internet, it can be hard to know where the risks lie.
We recently came across a firm that had connected the vending machines in the canteen to their network. Employees could use the same cards they use for entering the building and preload them with money to pay for their snacks. What that actually meant was that the third party that provided them with their chocolate bars could potentially gain access to their office network. It was a risk they had not considered.
3 things to worry about: risk, risk and a bit more risk
So how can we become specific about preventing cyber security breaches when we don’t know what the risk is going to be and where it is going to come from? The key is not to focus on the technology solutions or specific threats like ransomware, but on the information assets you’re looking to protect. From there, look at the vulnerabilities and threats that could impact those assets and what controls you need to mitigate these risks. These controls should be a combination of people, processes and technology, and they should include how you respond to the risks in the event they occur.
Identifying the biggest risk
We asked a group of managers from the wealth management and investment banking sectors where they believed the biggest cyber risk for their firm was. A comfortable majority (52%) said that the risk was down to lack of staff awareness and training. This was followed by the risk of an insider threat (21.7%). A lack of awareness at board level and lack of attention to third party awareness came in third place each with less than 10%.
Let’s take a look at that 52%.
It’s important that firms step back and think about who has access to what, and why those access rights should change over time. For example, if you have just terminated someone’s contract, you cut their access immediately. But what about employees who may have a drug or gambling problem? Who is thinking about what access to data that person has? Think about employees who travel for work: their passport details are often left lying around at hotels. The key is to think about who has access to data, how their circumstances might change and who might approach them.
One of the things that needs to come out of a risk management programme is ensuring people are more accountable for information security as part of the responsibilities that they hold. This is in addition to someone in the organisation who needs to be given responsibility for data security overall.
A critical part of this role will be to make sure the board takes cyber security seriously. For most of the past 10 years, firms have struggled to get executives and non-IT business owners to take an interest in understanding and engaging with cyber risks. Cyber security is finally reaching the boardroom of financial firms.
Another key area is to look at firms’ relationships with third parties. In a world where we love sharing information, this is becoming a complex area for information security to address, and it holds significant risk. One example of this is ‘shadow IT’, which refers to applications that are outside the scope of traditional IT but that employees use for work-related tasks. This means that, although they are usually legitimate, they have not been sanctioned by the IT department, so no checks have been performed to ensure the technology is compliant and secure and does not put the organisation at risk.
It is becoming increasingly difficult for organisations to address cyber security risk and to provide evidence that they are doing so in a compliant way. There are so many different kinds of regulations coming forward, each affecting the other. But if we take a look at the normal regulation for financial firms, there are basic FCA rules and laws in place. It is up to firms to take more care around compliance and to control their affairs responsibly, putting adequate risk management systems in place. In addition, financial firms are going to be under increasing pressure from the regulator to demonstrate “Operational Resilience”; this includes plans and controls to mitigate an operational disruption such as one caused by a cyber-attack, failed outsourcing or technological change.
Get in touch
Lanware’s expertise in cloud technology for FCA-regulated business means we understand the regulatory context you operate in and the security levels and oversight it takes to manage risk and regulation. Our range of enhanced security services enables your compliance, lowers your risk and gives you auditable evidence to reassure your partners and investors that your security controls are fail-safe.