The increasing sophistication of cyber-attacks means stronger strategies are needed in financial organisations

null

Cyber-attacks are on the rise and the UK financial system is at risk. IT security has become more highly prioritised by organisations, due in some cases to increased threats and in other cases, tougher legislation. Yet financial organisations in particular must take a tougher stance and consider their cyber-security strategies.

Cyber-attacks were found to be the joint second most cited risk to the stability of the UK financial system in a recent survey by the Bank of England. A record level of respondents (62 per cent) cited cyber-attacks, signifying an uptick in the perceived risk of attacks for the third consecutive year. 

This five per cent increase on last year’s figure signals that cyber-attacks are the most challenging risk to manage.

Cyber threats have evolved to become more sophisticated, often originating from well-organised groups – state-sponsored or criminal networks – who target businesses or individuals connected to businesses for valuable information.

High cost of human errors

IT professionals in financial services often envisage their role in cyber-security as fortifying the defences against external attacks. The reality, though, is very different. Most cyber-attacks originate from human errors within an organisation, such as an employee opening a malware-laden phishing email, or as the result of some deceptive social engineering on the part of the attacker to infiltrate malicious code inside the defences.

Most standard cyber-defences, such as firewalls and penetration testing, serve to secure the systems from external attack. Anti-virus is used by most companies, but its effectiveness is minimal in the defence against the increasingly sophisticated and bespoke cyber-attacks that can go undetected for several months.

Security professionals need to change their mindset to counter these disastrous attacks. They need to carefully explore the options that can safeguard a company from damage caused by human error. They must be mindful of the reality that mistakes can – and will happen.

It is not a case of “if” a data breach will occur, but “when”. Companies would be well advised to shift the emphasis from defending against known external threats and instead focus on identifying attacks as quickly as possible once they happen – and taking swift action to foil them before they wreak havoc.

This need to act quickly to limit damage is borne out by key findings in a study published last year by IBM security and Ponemon Institute. In the 2017 Cost of Data Breach Study: United Kingdom² the Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC) metrics were used to assess the effectiveness of an organisation’s incident response and containment processes. It took an average of 168 days to identify a data breach and 67 days to contain it. The previous year’s MTTI and MTTC figures were 178 and 72 days respectively.

Incident response plans important

The findings also emphasise the importance of being able to rapidly detect and contain an attack. New technologies are emerging that focus on detecting malware before it can do any damage. If the MTTI was less than 100 days, the average cost to identify the data breach was £1.98 million. However, if the MTTI was greater than 100 days, the average cost rose significantly to £2.97 million. If this MTTI were reduced to a few days, the costs of a cyber breach could be massively reduced.

Similarly, the study highlights the need to have an effective incident response plan in place. If the time it took to contain the breach was less than 30 days, the cost to contain the breach was £2.24 million. If it took 30 days or longer to contain the breach, the cost soared to £2.71 million. The longer it takes to detect, respond and contain a breach must become a critical priority for every CISO and board. The rising costs of data breaches are extremely detrimental and only set to increase with GDPR legislation in place, let alone the reputational damage that can be suffered as customers begin to lose trust in a firm that can’t protect their assets.

Cyber-crime is recognised as a serious threat in the financial services industry and the UK Financial Conduct Authority (FCA) warns that firms should be vigilant to this threat, able to defend themselves effectively, and respond proportionately to cyber events.

Perils of bad data management

One of the chief threats to the sector comes from poor approaches to data management in notoriously disjoined IT systems or inadequately managing their defences when outsourcing data storage.

The importance of the guidance given by the FCA can easily be seen in perspective when we consider the disastrous impact of recent cyber-attacks at large well-known companies.

In June the data breach at Dixons Carphone served as a serious wake-up call to improve cyber security across the world for organisations holding data on EU citizens. The reality is that Dixons Carphone showed it was unable to secure the card details of 5.9 million customers, who became victims of “unauthorised access”. The breach, which also involved the personal data of 1.2 million customers, was serious enough for cybersecurity chiefs at GCHQ to launch an investigation.

An Equifax security breach revealed last October, is understood to have affected around 700,000 UK-based customers and many more in the US. Stolen information included email addresses, passwords, usernames and partial card details linked to membership data, as well as driving licence and phone numbers. This breach led to Equifax being fined £500,000 by the ICO after it was ruled that they had failed to take appropriate steps to protect UK citizens data. Under GDPR poor data management can cost companies crippling fines.

Financial organisations must assume they are going to be breached, they are being targeted on a daily basis and the sophistication levels of hackers continues to rise. It’s absolutely critical that banks and financial service businesses know about the breach in a matter of minutes or hours, not days. They can then mitigate the risk and avoid further damage to their systems or avoid data loss.

Alan Platt, COO, CyberHive
Image source: Shutterstock/BeeBright