By Phil Robinson, Principal Consultant and Founder at Prism Infosec
The financial sector continues to suffer from a high rate of data breaches. The latest figures from the ICO’s Data Security Incident Trends report reveal the sector has the third highest rates in the country, with over 2,874 incidents reported during Q4 2021/22. The vast majority involved human error such as sending data to the wrong recipient but 891 are described as cyber incidents, with ransomware, phishing and unauthorised access listed as the top types of attack.
The vast majority of attacks (95%) against the sector are financially motivated, according to the Verizon 2022 Data Breach Investigations Report but it also made some surprising discoveries. Misdelivery of data is three times higher than it is in other sectors, for example, whilst system intrusion has doubled from 14% to 30% over the past six years. Further, organised crime is now backing an increasing number of attacks, up from 49% to 79% over the course of the past four years. This is reflected in the two biggest attack types, ransomware and Denial of Service (DoS), with the latter accounting for 58% of security incidents which is double that seen in other industries.
Phishing is by far the most common form of attack which can then provide a foothold for other compromises. Mass “phishing” or targeted “spear phishing” attacks seek to obtain sensitive information (such as a username and/or password) or the compromise of target endpoints such as laptops or mobile devices.
Both attack vectors enable unauthorised remote logins to organisational services or data, which the attacker can then use to exfiltrate sensitive information. This could include personal data (names, addresses, dates of birth, medical data et al), banking details, credit card information, or company intellectual property. The information will then be sold (usually at a price per record), used to target other individuals with fraudulent attacks, or could become associated with a ransomware situation where either it may then be permanently encrypted and/or released publicly if the attackers do not receive payment within a certain time.
To protect against data breaches, financial organisations must begin to address the woeful record with the misdelivery of data and that requires security training and the implementation of policies and controls that can reduce the number of incidents. Similarly, user education is key when it comes to protecting against the dangers of clicking on suspicious links or opening dangerous attachments. However, how the organisation goes about this education is important.
Many organisations find it much more beneficial to tailor their security training to the business culture and its processes. Just using an off-the-shelf series of sessions can make the material seem irrelevant, whereas if the business can use real incidents and preferably those that have happened to the organisation itself this is far more likely to resonate with staff.
Be aware also of the dangers of phishing simulation exercises. Carrying these out routinely has been shown to desensitise staff and there is little value to be had from capturing these metrics and performing trend analysis. Identifying those who fell for the phishing email is often counterproductive; its more useful to be able to determine the numbers who flagged and reported a suspicious email and whether this would buy the necessary time to limit the impact of the breach.
From a security technology perspective, ensuring that staff endpoints are protected with robust security protection mechanisms such as Endpoint Detection and Response (EDR), Anti-Virus (AV) and a strong configuration (policies and device hardening) can also reduce the risk of targeted malware being successful. And a strong logging and monitoring policy can also support early identification and defensive actions against threats before they are successful.
Additionally, consideration should be given to file versioning and offline backups as these can protect against common ransomware attacks that will encrypt files. Finally, conducting scenario-based penetration testing (“red team”) attack simulations as well as simulated breach tests can test the resilience of organisational defences and ensure preparedness for such attacks.
From our experience, the major players in the banking sector and financial services sectors operate mature and robust controls against such attacks occurring and have invested heavily in experienced personnel in their information security teams as well as controls to protect the organisation. There are, however, gaps in smaller organisations such as asset management and investment firms that do not typically have the same level of budget available to spend on their cyber security.
These organisations must review, prioritise and invest wisely in the most appropriate protection. Determining what that might involve will depend upon their organisational risk profile. The business must be clear on what it deems are acceptable and unacceptable risks and place these within the context of internal and external factors such as legislative, regulatory and contractual requirements to form a picture of its risk appetite.
Yet it is also important to remember that risk management is not a onetime process. It requires regular attention to ensure that changes including business direction, new or aging technology and external influences are factored in, so that controls reviewed to ensure that they remain effective. Revisiting and revising those controls must form part and parcel of the way the business is managed on an ongoing basis to help counter the threats of data breach.