
How can financial service institutions learn from past security mistakes?


Cyberattacks in the financial sector are on the up. In the UK, cyberincidents reported to the Financial Conduct Authority (FCA) rose 12-fold year-on-year from 2017 to 2018, while according to Verizon, 76 per cent of cyberattacks are financially motivated. With the sheer amount of cash that passes through financial institutions, it’s easy to see why they appear to be at higher risk. In the last year, stories surrounding the Capital One, Travelex and Equifax data breaches have all dominated the headlines. So what can the financial services sector do to mitigate and prevent data breaches?

Bin the password

Prevention is always better than cure, and passwords are the scourge of the cybersecurity sector – they need to be eliminated entirely. Travelex was exposed to a ransomware attack; ransomware is usually distributed using malicious attachments embedded in phishing emails. Phishing or social engineering looks to manipulate the user into handing over their details to a hacker. According to Wandera, phishing represents 57 per cent of attacks in the financial services sector, which is significantly higher than the average of 42 per cent. If passwords didn’t exist as an authentication method, this figure would undoubtedly be lower.

Both businesses and the technology industry should work together to drive security forward by replacing passwords. New capabilities, such as zero sign-on, software and hardware tokens, behavioural analysis and biometrics, already exist to do so. These capabilities need to be standardised and businesses need to look to choose vendors who are offering them. Otherwise the enterprise's greatest vulnerability will reign supreme.

Forget about trust

Getting rid of the password is an integral part of adopting a zero-trust framework to protect a business. Zero trust is a security concept based on the belief that organisations should not automatically trust anything, whether inside or outside their perimeters. It assumes that any individual trying to connect to an organisation’s network has been compromised, and therefore must be verified.

Modern work takes place on mobile devices, outside the traditional security controls designed to protect the network perimeter. In this instance, employees’ laptops were seized to gauge how the ransomware had spread. In the event that mobile devices, like laptops, are misplaced or wrongfully accessed, they may compromise a whole ecosystem. Before granting a user access to corporate resources, zero trust seeks to validate the device, establish user context and verify the network. Sensitive data can then be protected both internally and externally.

Ramp up audits

Cyberattacks have become an unfortunate fact of life. As a result, damage control now forms an integral part of security strategies. The attack must be detected and contained, the problem diagnosed, and any backdoors into the network closed and bolted shut.

In many high-profile data breaches, viruses go undetected whilst they work their black magic. Travelex took eight months to identify the vulnerability in its security configurations. Time is money, so early detection is key. IBM found that companies that contained a breach in less than 30 days saved more than $1 million compared to those that took more than 30 days.

By conducting frequent threat analyses, the likelihood of detecting benign or active viruses increases. By monitoring every device, user, app and network, precious time is saved as the source of the problem can be quickly identified. Resources can then be directed to the areas where they are most needed.

Good security hygiene

Mitigating the risk of an attack is dependent on the juxtaposition of human expertise and reliable technology practices. Data breaches often occur when one or both of these elements fall into limbo. Before organisations look to implement any kind of security strategy, it is vital that they first understand their people. Organisations must look to understand the environment in which their employees want to work, not the environment in which they want their employees to work. This means conducting a thorough review of the devices and applications that employees need to remain productive. If not, organisations will simply be securing an environment that no one is working in.

Security doesn’t come naturally to humans. Good security housekeeping is therefore necessary. This means that once businesses have secured their employees’ optimum working environment, they educate and alert their employees to the security protocols and best practices that have been implemented. Businesses have become accustomed to protecting against outsider threats, but are less prepared when it comes to internal threats, as was the case with Capital One. By ensuring that organisations are up to speed with best security practice, incidents such as these can be avoided.

Enrol devices

For many organisations, mobile devices are fast becoming the most prominent mode for employees to consume their business data. Thus, a new perimeter must be set up to protect and mitigate against risks resident on-device. Containment in this new environment is difficult, especially if a virus has been undetected in the system for some time. But data breaches can be contained by Unified Endpoint Management (UEM). UEM is the foundation for secure enterprise mobility. In line with the principles of zero-trust, endpoint management reserves the ability to remotely wipe the data present on the device.

Travelex rated its devices red, amber and green on the risk they posed to the organisation. UEM systems use device, network and app threat defence to prevent malicious apps and network threats harvesting data. The contents of the infected areas can be deleted so the cybercriminal can’t view, replicate or retrieve any data. The Travelex devices rated red and amber certainly would have been under endpoint control.
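As an added illustration (not from the article or from any vendor's product), the sketch below combines the three zero-trust checks described earlier (validate the device, establish user context, verify the network) with a red, amber and green device rating. The signal names, the rating thresholds and the "limited" outcome are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    # Hypothetical signals a UEM agent or identity provider might report.
    device_enrolled: bool      # device is under endpoint management
    os_patched: bool           # OS meets the minimum patch level
    threat_detected: bool      # on-device threat defence raised an alert
    user_verified: bool        # passwordless factor (token, biometric) checked
    user_role: str
    network_trusted: bool      # connection passed the network checks
    allowed_roles: frozenset   # roles permitted to reach the resource

def rate_device(req):
    """Rate the device red, amber or green (constructed thresholds)."""
    if req.threat_detected or not req.device_enrolled:
        return "red"
    return "green" if req.os_patched else "amber"

def decide(req):
    """Deny by default: device, user context and network must all check out."""
    rating, reasons = rate_device(req), []
    if rating == "red":
        reasons.append("device rated red")
    if not req.user_verified:
        reasons.append("user not verified")
    elif req.user_role not in req.allowed_roles:
        reasons.append("role not permitted for resource")
    if rating == "amber" and not req.network_trusted:
        reasons.append("amber device on untrusted network")
    if reasons:
        return {"decision": "deny", "rating": rating, "reasons": reasons}
    if rating == "amber" or not req.network_trusted:
        # Partial trust: grant reduced access until the gap is remediated.
        return {"decision": "limited", "rating": rating, "reasons": []}
    return {"decision": "allow", "rating": rating, "reasons": []}

# Constructed baseline request; overrides simulate individual failures.
BASELINE = dict(device_enrolled=True, os_patched=True, threat_detected=False,
                user_verified=True, user_role="teller", network_trusted=True,
                allowed_roles=frozenset({"teller", "auditor"}))

def evaluate(**overrides):
    return decide(AccessRequest(**{**BASELINE, **overrides}))

if __name__ == "__main__":
    for case in ({}, {"os_patched": False}, {"network_trusted": False},
                 {"threat_detected": True}, {"user_role": "intern"}):
        print(case, "->", evaluate(**case))
```

Recording the reasons alongside each decision gives auditors a trail showing which check failed for which device.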

All the above measures of prevention and mitigation are interdependent. They take the onus of cybersecurity off humans considerably, and form part of a rounded end-to-end, zero-trust security system. All it takes is for one weak link to be discovered and a malicious actor can wreak havoc, as was the case with Travelex. As cybersecurity becomes more important to financial organisations, their systems will be considerably bolstered and they will stay out of the headlines.

David Critchley, Regional Director UK & Ireland, MobileIron