Our new digital, tech-driven world is always switched on. It constantly demands more data, more resources and faster response times, with even more tech added to back it up. Staying online and active all year round requires cybersecurity that is strategic, proactive and ready for the unexpected.
Is it a lack of defences, or are cybercriminals getting smarter?
Unfortunately, in the rush to capitalise on tech innovation and growing profit margins, not forgetting the hunger to be ahead of all competitors, many organisations in the financial world are underestimating cybersecurity risks.
Cybercrime is growing at such a rate that it is often running slightly ahead of any processes the financial industry has in place. To put context to this growth, the FCA (Financial Conduct Authority) in 2018 received 145 breach alerts, up from just 25 in 2017.
Investment banks have not been spared: they also saw a tenfold increase year on year, from 3 to 34, while retail banks went from 1 to 25.
“We have seen in recent times an increase in reports of cybercrime. This could very well be opposed to being fuelled by a mix of: the continued increase in the adoption of the IoT (more end-points and access), the rise of eCurrencies (no need any more for a suitcase full of cash), increase in regulation and penalties and a general lack of cyber hygiene by the public in general.” Joao Costa, Projects and Programmes Manager in Business Technology.
To add even further context, April 2017 will conjure images of hassle and financial loss: seven British banks, including Royal Bank of Scotland, Santander and Barclays, were forced to shut down their organisations' systems following a bombardment of cyber-attacks. The level of sophistication and the number of entry points have increased significantly since then.
Events like this mean that banks that have not invested in the latest cyber defences are falling behind the rate at which cybercriminals are expanding. Those responsible for the attacks face a very different outcome if they fail. For example, the consequence of a failed cyber infiltration, if not caught through criminal proceedings, is negligible (it will cost them their time and resources but no money). By the same token, if they are successful, they can easily recoup their investment a hundred times over.
Assume you have already been breached – even when you haven’t
Reading this so far, it may seem as if you are fighting a losing battle, and it is easy to focus on the short-term wins and to prevent minor attacks each time they come your way. There are simply too many threats from a growing number of cybercriminals for you to keep up, and the more technology you implement, the higher the chance of failures and gaps in your systems. We are seeing regulated organisations moving an increasing percentage of applications to the cloud, rather than on-prem, partly in a bid to ensure they are protected by the latest security systems. In addition, the level of IT disaster recovery planning has increased significantly, to stop an attack from turning into a company-wide security meltdown.
“Interestingly, the anatomy of the crimes and the way criminals get the ‘keys to the front door’ continues to be very low-tech in nature, which clearly suggests that individuals and organizations should concentrate more on pre-breach strategy: education, training, implement serious basics in privacy (e.g. don’t post the picture of your car number plate on Instagram) and make sure you can truly answer the question – What to do if it happens?” says Joao Costa.
Do your cybersecurity budget and system fit the size of your business?
There are few companies in the financial services industry that can wholeheartedly say that their cybersecurity budgets and protocols are fit for the threats they are up against. Companies built on legacy systems are at the forefront of these risks.
Compared to other organisations, banks and insurers should have significantly stronger cybersecurity defences, because cybercriminals see the financial information they hold as the main prize. Historically, over-complicating security systems to protect legacy or overly complex architecture has resulted in insufficient protection and a costly approach.
Cybersecurity is far from a case of ‘who spends more is the most protected’. The problem often originates from new technology being bolted onto existing legacy systems. This can duplicate applications already in place, make old ones that were effective redundant and create a false understanding of the level of protection in place. This has further implications when it comes to purchasing cybersecurity insurance, both for the (re)insurer and the insured.
Organisations are now looking to leverage new technologies that create these gaps in security, like blockchain and AI, to manage exposure.
Which emerging technologies have the greatest potential to support cyber-protection? It is a continuous race of playing catch-up with cybercriminals, and unless the financial and insurance industries continue to act, it will result in significant financial losses and customers looking for an alternative solution in an already competitive marketplace.
This is a topic we thrive on discussing and finding solutions for; for more information please contact Mark Weller: firstname.lastname@example.org.