Building cyber resilience into the financial services industry

Cyber threats are on the rise and businesses face increasingly sophisticated attacks. Hacking, whether in the form of DDoS attacks or phishing scams, accounts for the bulk of an organisation's cyber fears, but it is only one part of the problem: there are many other ways its technology can be compromised.

Back in 2013 a particularly unusual case came to light, when a disgruntled employee was found guilty of sabotage after being caught spraying servers and other IT equipment with Cillit Bang. Shockingly, the campaign went on for three years, costing his organisation over £32,000 in damage, not to mention untold disruption. Though this was an isolated incident, it illustrates both how much organisations now depend on their systems being secure and available, and the ease with which that security can be compromised, including by an insider who already has physical access.

Clearly, cyber resilience is of the utmost importance, so it is no surprise that it was named the focus of this year's Business Continuity Awareness Week. The timing could not have been better, coming just after the most recent worldwide ransomware attack, WannaCry. Attacks of this kind are extremely worrying and are forcing more and more organisations to put their own cyber resilience policies under the spotlight, with many coming up short when it comes to robust protection.

Serious Implications 

For the financial services industry, investing in effective cyber resilience strategies should be a top priority. After all, the consequences of a breach are potentially devastating.   

From an operational viewpoint, cyber security breaches are costing UK businesses alone nearly £30 billion every year. In a worst-case scenario, an organisation could be infiltrated by malware without anyone realising. If that malware gets past the perimeter and spreads throughout the infrastructure, data confidentiality could be compromised with disastrous effect, especially where financial or healthcare information is involved.

With as many as 46 per cent of organisations reporting breaches, the chances are that most businesses are already under attack. Attacks like WannaCry further show that business operations can be severely impacted not only by the compromise of confidential data, but also by loss of availability of the files and file systems the business depends on.

A Changing Regulatory Landscape 

Things don't get any easier when it comes to compliance. It is no surprise that increasing attention is being paid to the protection of personal data and to ensuring that business processes put the customer first. As society continues its move online, people's lives are becoming ever more entangled with an area that has until now known very little regulation.

The impending enforcement of the EU's General Data Protection Regulation (GDPR) will have significant implications for any business that fails to ensure cyber resilience. Beyond the obvious loss of customer trust that follows a data breach, organisations found to have neglected their data security obligations can be fined under the new law up to four per cent of their annual worldwide turnover or €20 million, whichever is higher.

Similarly, the introduction of the revised Payment Services Directive (PSD2) and the E-Money Directive (EMD) means that security controls must be robust enough to withstand frequent attacks, yet flexible enough to allow data to be shared with third parties as and when required.

As these regulations come into play, risk assessments will become more important than ever, not simply for financial service providers assessing their own infrastructure, but also for assessing the infrastructure of the fintech organisations they will need to work with. Ensuring that partners have the right security controls in place to mitigate the identified risks will be a top priority when APIs are opened up and mission-critical data is shared. Time will tell how effective these regulations are in providing greater resilience to cyber-attacks; they will also show very quickly which businesses are prepared to adapt.

Ensuring Full Visibility 

What's more, the issue could easily get worse before it gets better. As IT becomes an ever more integral part of business operations, attack surfaces will continue to widen, offering potential attackers more points of entry into the organisation and increasing the risk of a successful attack. Being able to detect threats is not enough; detection must be fast, ideally in real time. Troublingly, the industry is still some way from safe: research found that financial firms take an average of 98 days to notice a breach. Worse, in the case of DDoS attacks, 40 per cent of businesses only discovered the attack when customers drew attention to the issue.

Having a complete, organisation-wide understanding of your estate is crucial. As a financial service provider, you must ask yourself: are you aware of all the realistic and applicable threats to your estate? Do you review published vulnerabilities to check whether they apply to your environment? Do you have full visibility of every point at which your information can be accessed? And do you have the measures in place to know when someone is accessing that information without your permission?

One Lesson to Learn 

If you take one piece of advice, make it this: take the time to know your organisation's attack surface intimately, and put in place the mitigations needed to build a safe and secure defence in depth; otherwise you may well end up having to deal with an attack like WannaCry. There is no substitute or shortcut for knowing your own weaknesses. No matter how much you spend on security and breach-detection tools, if you do not have a complete picture of your organisation's security requirements, you cannot defend it properly.
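The two questions above that are most often left unanswered in practice are "do published vulnerabilities apply to my environment?" and "what is actually exposed?". A minimal way to answer both is to keep a software inventory per asset and match it mechanically against advisories, weighting anything internet-facing higher because that is where a worm such as WannaCry gets its first foothold. The script below is an added illustration of that check; it is not code from the article or its author. The inventory, the advisory records, the version ranges and the `ADV-EXAMPLE-*` references are all constructed sample data, not real assets or real vulnerability identifiers.

```python
"""Attack-surface check: match a software inventory against published
advisories and rank what is exposed.

Added illustration, not from the original article.  The assets,
advisories, products, versions and ADV-EXAMPLE references below are
constructed sample data, not real systems or real vulnerability IDs.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.2.10' into (4, 2, 10) so versions compare numerically,
    not lexically ('4.10' must sort after '4.9')."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Service:
    product: str
    version: str
    port: int


@dataclass
class Asset:
    hostname: str
    internet_facing: bool
    services: List[Service] = field(default_factory=list)


@dataclass
class Advisory:
    """Constructed advisory record: first affected version (inclusive)
    and the version that fixes the issue (exclusive)."""
    ref: str
    product: str
    affected_from: str
    fixed_in: str
    severity: int  # 1 (low) .. 4 (critical)


def is_affected(service: Service, adv: Advisory) -> bool:
    """True when the running version falls inside the advisory's range."""
    if service.product != adv.product:
        return False
    v = parse_version(service.version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)


def find_exposures(assets, advisories):
    """Return (score, hostname, port, product, version, advisory ref)
    tuples, highest risk first.  Internet-facing hosts are weighted up
    because they are reachable by an external worm without any foothold."""
    findings = []
    for asset in assets:
        for svc in asset.services:
            for adv in advisories:
                if is_affected(svc, adv):
                    score = adv.severity * (2 if asset.internet_facing else 1)
                    findings.append((score, asset.hostname, svc.port,
                                     svc.product, svc.version, adv.ref))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))


# Constructed sample estate: a DMZ file gateway, an internal file server
# and an already patched internal web host.  Names are illustrative only.
SAMPLE_ASSETS = [
    Asset("dmz-gw-01", True, [Service("fileshare", "2.1.5", 445),
                              Service("webfront", "9.0.2", 443)]),
    Asset("fs-int-07", False, [Service("fileshare", "2.1.5", 445)]),
    Asset("web-int-03", False, [Service("webfront", "9.1.0", 443)]),
]

# Constructed advisories with placeholder references (not real IDs).
SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "fileshare", "2.0.0", "2.2.0", 4),
    Advisory("ADV-EXAMPLE-002", "webfront", "9.0.0", "9.1.0", 2),
]


def report(assets=SAMPLE_ASSETS, advisories=SAMPLE_ADVISORIES):
    """Print the ranked exposure list and return it for further use."""
    findings = find_exposures(assets, advisories)
    for score, host, port, prod, ver, ref in findings:
        print(f"[{score}] {host}:{port} {prod} {ver} -> {ref}")
    return findings


if __name__ == "__main__":
    report()
```

Run as-is it lists the internet-facing file gateway first, then the two lower-scored findings; the patched host produces nothing because its version equals the fixed-in version and so falls outside the range. In a real estate the inventory would come from your CMDB or agent data and the advisory feed from your vendors, but the point stands: without the inventory half of this check, no amount of advisory reading tells you whether you are exposed.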

Finally, and perhaps most importantly, good security practice begins in the board room. Cyber resilience is a top-down operation, requiring strong and vocal support from management. Everyone in the business has a part to play, and employees must be given a good grounding in the kinds of threat they should guard against, as well as the potentially devastating consequences of a breach.

Because of the nature of our work, organisations within the financial services sector are at significantly higher risk than other markets. However, with numerous guidelines available to provide a baseline of good security measures, and with strategic investment in understanding the weak points of your own organisation, it is possible to build cyber resilience into the fabric of our industry.

Shruti Kulkarni, Information Security Manager, Intelligent Environments 