Small and medium sized businesses (SMBs) are increasingly under attack by cybercriminals skilled in a variety of sophisticated tactics. And this is no different for smaller financial service firms, thanks to the wealth of data held in the sector. In fact, the number of data breaches reported by UK financial services firms to the Financial Conduct Authority increased by 480 per cent in 2018. But despite this, many SMBs still believe they are too small to be targets.
According to a recent study by Webroot, over half (51 per cent) of SMBs in the financial sector believe that their smaller business size does not leave them enough time to fully comprehend or address cybersecurity matters. In fact, 35 per cent of IT professionals at these firms remain self-taught about cyberattacks, using industry news and events to stay informed. While a recognised starting point, this approach is not enough to properly manage the advancing threat landscape.
As financial services organisations progress with digital transformation strategies to keep stride with challenger banks in the space, they must also take a proactive approach to cybersecurity. Companies that can provide personalised, seamless digital experiences for their clients, while compliantly preventing and protecting against threats, will win the race of business success and customer retention.
An easy target?
According to the ‘Size Does Matter’ report by Webroot, one of the biggest concerns when it comes to cybersecurity in the financial sector is employees. In fact, 74 per cent believe that stressed and time-poor workforces are more likely to make mistakes, click malicious links or open infected files, putting organisations and customers at risk. Further, 78 per cent believe their business is at risk due to employees’ lack of security knowledge.
Unlike large enterprises, SMBs simply cannot afford not to take security seriously, as a single incident could put them out of business. In fact, over half believe that a data breach would put their business at risk of closure, while 61 per cent say that profits would take a hit as a result of such cybersecurity incidents. Poor cyberhygiene also puts SMBs’ relationships with their customers at risk, as shown by the 26 per cent that were targeted as an entry point to a larger enterprise they supply.
Luckily, the level of investment that SMBs make in cybersecurity is growing. The report found that over half (54 per cent) of SMBs within the financial sector devote more of their annual turnover (6 to 20 per cent) to cybersecurity than SMBs in other industries do.
To prevent attacks caused by human error, SMBs must first identify the front-line factors that can lead to a data breach, such as over-worked employees or a lack of cybersecurity education and awareness across departments. SMBs must also implement and enforce cybersecurity best practices to ensure that sensitive financial information is protected and users’ data is secure. Guidance includes:
- Always educate. Employees are often described as the first line of defence against cyberattacks, and it’s clear that lax working practices and behaviours could be putting businesses at higher risk. As a result, security awareness training can’t be a quick tick-box activity for SMBs. It needs to be constant, so that cybersecurity stays top-of-mind and user error is reduced. Attention also needs to be paid to the method of delivery. Microlearning, short courses of about five to ten minutes each, is a best practice among e-learning specialists when it comes to information retention.
- Take a layered approach. SMBs need to leverage both next-generation endpoint protection and network protection to ensure they are closing the gaps that cybercriminals and hackers exploit to compromise businesses.
- Assess your risk profile. Every business has a variety of different risk factors. If you don’t have the expertise, get an independent security audit or a managed service provider (MSP) to help assess your security posture. Work to develop a plan for adequate ongoing risk mitigation. Look at your GDPR exposure and follow guidelines to ensure the appropriate mitigation criteria are met.
- Know the signs. Phishing is a favoured technique among attackers. Make sure employees are confident in identifying the different types of attack. Security awareness training that incorporates phishing simulations will help ensure that people, processes and technology are all harnessed effectively together to help stop cybercriminals.
- Plan for the worst. Create a data breach response plan that identifies specific security experts to call and a communications response plan to notify customers, staff and the public. Have a backup and recovery strategy at the ready, just in case.
Enhancing economic security
Financial institutions have always been at the forefront of enterprise cybersecurity, and it’s time smaller financial service firms took action too. With money and consumer data involved, they will remain a top target for hackers, and the risk of financial losses, regulatory consequences and reputational damage for the business could be devastating. Meeting modern cyberthreats head-on requires relevant and ongoing employee training, well-defined processes and sophisticated security systems that are closely monitored yet easily managed.
Organisations must also put processes in place to mitigate risky employee behaviour at times of high stress. This approach reduces the risk of a successful cyberattack, ultimately protecting financial organisations and their customers’ valuable assets.
With confidence that they are protected, smaller financial businesses can enhance their customer and employee experience to ultimately secure their success. Size does matter when it comes to cybersecurity. And nimbleness can be financial SMBs’ main advantage in these times of change.
Paul Barnes, Senior Director, Product Strategy, Webroot