Cyber-risk is finally moving up on the list of boardroom priorities. A number high-profile cyberattacks on leading brands and organisations like Equifax, British Airways and even the NHS, left firms realising that a major Cyber-attacks have the potential to destroy your business.
1. Media coverage of cyber-attacks on big brands
2. Increased pressure from clients demanding greater data protection
3. Increased focus on regulation around data protection since GDPR
Cybersecurity hasn’t got far enough up the agenda to be treated with the same importance as traditional or major disasters. And yet a cyber-attack is much more likely to take a business down than fire or flood! Much more needs to be done to raise the consciousness of management teams internally to increase the understanding of what makes them vulnerable.
Big banks are as likely to fail as small ones
Big banks may spend more money than everyone else on advanced security controls however you’re only a strong as your weakest link. Cyber criminals don’t need to test sophisticated defences to get an employee caught up in a phishing attack from an email that appears to be genuine. It’s a no longer a question of if but when. One asset management firm who does regular phishing tests on their own staff (who aren’t the most hard off financially) found their people still commonly fall for a link in an email that says: ‘Free food and drink – click here for details’.
Social Engineering
In another firm that was targeted, eight people within the firm had raised money for their chosen charity. They received an email from the HR Director thanking them and asking them to click on a link to receive a pair of new trainers. Naturally, everyone clicked on the link. It turned out to be a fake email.
Wealth managers and investment fund managers have becoming particularly vulnerable to data breaches of this kind because of the type of client data they have. Over the last couple of years these financial firms are having to make authorities aware about their clients’ financial activities. They hold all kinds of data about their clients: overseas accounts, their beneficiaries, what the fund pay-out is for… They become an easy target for social engineering as criminals will use family members’ social media platforms to find additional information that can be used to deceive individuals into handing over confidential or personal information.
The threat within
The threat from an insider is probably the biggest challenge that the financial services industry faces. That is because traditional approaches to protecting banks have pretty much dissolved. Today, customers are digitally connected to their banks and encouraged to do things directly with them. Increased transparency and focus on collaborative work mean sharing information with shareholders and other stakeholders. The fact is that online collaboration exposes businesses to the risk of having a malicious party access the network, or worse still, someone who is already within the network.
The danger of low and slow
Another less-known risk is longer-term attacks. This is when people try to steal an identity gradually, bit by bit. These low and slow attacks are often hard to detect because someone believes they are under the radar. This is against the integrity and the organisation trusting they don’t have the right information and have problems trusting the information. Healthcare, for example, is starting to experience that problem with patient’s data being gradually changed in a way that could be very serious or even life threatening.
The downside to digital transformation
Despite having big budgets, Financial Services still remain behind the curve in terms of digital transformation compared to other industries. Adoption of the public cloud is a great example of that. As the biggest spenders and lowest adopters of cloud, there is a lot of transformation yet to come… Financial Service firms tend to get distracted by what the latest technology solution is – and they outsource a lot more. And along with that comes more risk.
Regulation creating the perfect storm
As the ex CEO of Cisco said ‘There are two types of companies. There are the ones that have been hacked and the people that don’t know they have been hacked’. GDPR is bringing a real focus on security around data protection that wasn’t there previously. GDPR requires a 72-hour notification period in the breach of personal data to lead to harm. Financial Services will have to notify the FCA and deal with all their clients, so they will need a very robust crisis management plan. And there is a risk of data loss from the people they are notifying!
Trust is the new currency
Much of what financial services are doing currently focuses on data loss and financial loss. The media treats cyber-attacks as a sensational phenomenon – especially when it involves a big brand. Even if hackers don’t manage to achieve a lot in terms of what they take from firms, just making it into the papers is sufficient to bring ten years’ worth of reputation loss and have to recover the public’s trust again. Reputations are lost in a single headline and public perception of banks following the financial crisis shows the public believe banks are less trustworthy than a used-car salesman!
It’s not all bad news.
The Financial Services industry, along with Healthcare, is twice as likely to be attacked, and this is increasing significantly each year – between 30-50%. In contrast the number of security breaches isn’t climbing at the same rate which does suggest they are getting better at defending against them. Unsurprising perhaps, given they have bigger budgets alongside regulatory pressures.
Technology providers, like Lanware, that work almost exclusively with the small to mid-market asset management firms, are under a lot of scrutiny about what they are doing to manage information security. However, ultimately, it is the firm that is accountable for keeping its clients’ data safe.
Get in touch
Lanware’s expertise in cloud technology for FCA-regulated business means we understand the regulatory context you operate in and the security levels and oversight it takes to manage risk and regulation. Our range of enhanced security services enables your compliance, lowers your risk and gives you auditable evidence to reassure your partners and investors that your security controls are fail-safe.
