Shruti Kulkarni, Information Security Manager, Intelligent Environments
When it comes to judging the range of cyber threats that businesses find themselves up against, you’d be forgiven for thinking that it started and ended with hackers. And while hacking – whether through DDoS attacks or phishing scams – represents the bulk of an organisation’s cyber fears, there are many other ways its technology can be compromised.
Back in 2013 a particularly unusual case came to light, when a disgruntled employee was found guilty of sabotage after being caught spraying servers and other IT equipment with Cillit Bang. Shockingly, the crusade went on for three years, costing his organisation over £32,000 in damage – not to mention untold disruption. Though this was an isolated incident, it does help illustrate our increasing reliance on cyber safety, and the ease with which security can be compromised.
Clearly, cyber resilience is of the utmost importance. As such, it is of no great surprise that it has been named as the focus of this year’s Business Continuity Awareness Week. More and more organisations are beginning to place their own cyber resilience policies under the spotlight. And worryingly, many are finding themselves coming up short.
For the financial services industry, investing in effective cyber resilience strategies should be a top priority. After all, the consequences of a breach are potentially devastating.
From an operational viewpoint, cyber security breaches are costing businesses nearly £30 billion every year – and this in the UK alone. In a worst-case scenario, an organisation could be infiltrated without anyone realising. And once hackers are in, they are free to move around the infrastructure, compromising confidential customer information or financial details, or disrupting your usual processes. With as many as 46 per cent of organisations reporting breaches, chances are most businesses are already under attack.
A Changing Regulatory Landscape
Things don’t get any easier when it comes to compliance. The impending enforcement of the EU’s General Data Protection Regulation (GDPR) will have significant implications for any business that fails to ensure cyber resilience. As well as obvious loss of customer trust that results from a data breach, if organisations are deemed to have been negligent in their handling of data security matters, the new law makes it possible for businesses to be fined up to five per cent of their annual worldwide turnover.
Similarly, the introduction of the revised Directive on Payment Services (PSD2) and the E-Money Directive (EMD) means that security protocols must be robust enough to withstand frequent attacks, but flexible enough to ensure that data can be shared as and when needed.
As these regulations come into play, risk assessments will become more important than ever before – not simply for financial service providers assessing their own infrastructure, but also for assessing that of the other fintech organisations they will need to work with. Ensuring that any partners have the right security controls in place to mitigate the identified risks will be a top priority when it comes to the opening of APIs and the sharing of mission-critical data.
Ensuring Full Visibility
What’s more, the issue could easily get worse before it gets better. As IT and technology become an ever more integral part of business operations, attack surfaces will continue to widen. This serves only to increase the risk of cyber-attack, offering potential hackers more points of entry into the organisation. The ability to detect threats is not enough; detection must be done quickly – ideally in real time. Troublingly, the industry is still some way from safe: research found that financial firms take an average of 98 days to notice a breach. Even worse, in the case of DDoS attacks, 40 per cent of businesses only discovered the attack when customers drew attention to the issue!
Having a holistic and comprehensive understanding of your organisation is crucial – as a financial service provider, you must ask yourself: are you aware of all realistic and applicable threats for your estate? Do you have full visibility of your information access points? And do you have the measures in place to know if someone is accessing that information without your permission?
One Lesson to Learn
If you take one piece of advice, make it this: take the time to know your organisation’s attack surface intimately and put in place the mitigations needed to ensure a safe and secure defence-in-depth. There is no substitute or shortcut for knowing your own weaknesses – and no matter how much you spend on security and cyber-breach tools, if you don’t have a complete picture of your organisation’s security requirements then you cannot defend it properly.
Finally, and perhaps most importantly, good security practices begin in the board room. Cyber resilience is a top-down operation, requiring strong and vocal support from management. Everyone in the business has a part to play and employees must be given a good grounding on what kind of threats they should guard against, as well as the potentially devastating consequences of a breach.
Thanks to the nature of our work, organisations within the financial services sector are at a significantly higher risk than other markets. However, with numerous guidelines to help offer a baseline for good security measures, as well as strategic investment in understanding the weak points of your own organisation, it is possible to build cyber resilience into the fabric of our industry.