Bolster your digital defences
Cyber criminals have the financial services sector firmly in their sights, but there is much that organisations and employees can do to protect themselves from the threat
Cyber crime is on the rise, and the financial services sector is particularly vulnerable to attack. The sector’s position at the heart of the world’s economies makes it an attractive target for cyber criminals, with hackers often able to exploit weaknesses in the growing number of digital connections between financial firms and their clients and customers.
A recent report by the Center for Strategic and International Studies and McAfee estimated that the likely annual cost to the global economy of cyber crime is more than $400bn.
Financial services firms are often the victims, according to the PricewaterhouseCoopers (PwC) 2014 Global Economic Crime Survey, with 39% of financial sector respondents saying they had been victims of cyber crime, compared with only 17% in other industries.
Many firms are increasing their spending on cyber security to protect their systems and data. J.P. Morgan’s Chief Executive, Jamie Dimon, recently pledged to double cyber security spending over the next five years after the bank admitted in October that the records of 83 million customers had been compromised – one of the biggest breaches in banking history.
Further evidence of growing demand for IT protection is the rising number of cyber security firms changing hands for large fees. Raytheon, which specialises in defence and national security, has just acquired IT security solutions provider Blackbird Technologies for roughly $420m. Last January, cyber security company FireEye acquired Mandiant, a firm known for responses to network breaches, in a deal worth more than $1bn.
Financial firms everywhere need to ensure they have sufficient measures in place to prevent cyber attacks, whether they come from sophisticated criminal organisations looking to steal data, rogue states intent on disrupting services or activist groups wanting to simply cause havoc. Here are ten tips for improving your cyber security:
1. Create a reporting culture
“Financial services organisations need to recognise cyber crime as a risk type and establish proper cyber crime reporting.” So says Andrew Clark, Partner in PwC’s forensics practice.
“In our experience, financial services organisations do not always identify and log the cyber element of economic crime,” says Clark. “This leaves them exposed to cyber threats in spite of any existing cyber defence. If cyber crime is not being accurately tracked, the true risk of it cannot be fully grasped and understood.”
2. Everyone needs a good education
Educate employees on good data security. This should include teaching colleagues how to keep company-issued devices, such as smartphones and laptops, secure.
According to Symantec’s Norton Report, 38% of mobile users experienced mobile cyber crime in 2013, with 24% of users storing work and personal information in the same accounts and 21% sharing logins and passwords with family.
Employees also need to exercise caution when opening emails. Symantec’s report found that out of 156 million phishing emails sent every day, eight million are opened, 800,000 links are clicked and 80,000 people have their information stolen.
3. Multiply authentication
Protecting your organisation’s data has never been tougher, according to Raj Samani, Vice President and Chief Technical Officer (CTO), EMEA at McAfee. “You now have people using company phones, USB sticks, laptops and tablets, and working from home or accessing Wi-Fi in hotels,” he notes.
Security is often further weakened by poor password protection, adds Samani. “One in four employees write passwords on Post-it notes, and the most popular password is ‘123456’.”
Firms, therefore, should consider introducing multi-factor authentication by adding security measures such as smart cards and fingerprint recognition to complement passwords and provide extra layers of protection.
4. Secure your supply lines
Any assessment of cyber security should include suppliers or contractors, emphasises McAfee’s Samani.
Last December, discount retailer Target admitted its records had been hacked, and that as many as 110 million customers had personal data stolen.
“With Target, the data breach was a supply chain issue, with the breach originating from a heating and ventilation supplier it was using,” notes Samani.
5. Cloud control
If you use cloud-computing providers to store sensitive data, make sure their cyber security is as good as they claim it is.
McAfee’s Samani, who is also Chief Innovation Officer of the Cloud Security Alliance, says: “Many cloud-computing providers obtain security certification and undergo third-party audits, so do your homework: look at the security measures they not only say they have, but certify and audit against.”
6. Keep tabs on privileged users
Firms need to keep a close eye on who exactly has access to their data. PwC’s Global State of Information Security Survey reported more than 117,000 detected security incidents per day worldwide in 2014, nearly double that of the previous year – with employees the most-cited culprits.
Companies should keep up-to-date lists of privileged users, such as those with access to HR, finance and customer information, and monitor their activity.
7. Get on board
More firms need to welcome security experts into the boardroom. Neil Woodford, one of Britain’s best-known fund managers, recently commented: “My gut feeling is that most boards haven’t got to grips with cyber security.”
Only two FTSE 100 companies have a CTO on their main board, according to business intelligence service BoardEx. The Institute of Chartered Accountants in England and Wales (ICAEW) believes a CTO can bridge the gap between IT and the board.
Headhunters who appoint non-executive directors, meanwhile, say they are increasingly targeting digital experts to improve board-level skills.
8. You get what you pay for
Capable cyber security professionals can prove hard to find. The best candidates often end up being lured by security or other technology companies, so attracting the right people might mean offering higher salaries than originally planned.
No firm should rely on just IT professionals, though – cyber security should be the responsibility of everyone in the organisation.
9. Share the knowledge
Firms can help each other by sharing intelligence on cyber threats, whether by notifying their local police force or the National Fraud & Cyber Crime Reporting Centre, or through industry bodies.
In September, Europol’s European Cybercrime Centre announced plans to work with the European Banking Federation to “intensify co-operation between law enforcement and the financial sector”.
That same month, the British Bankers’ Association revealed that 12 government and law enforcement agencies are to start using a “pioneering financial crime alert system” in early 2015 to warn banks of the latest threats.
10. Run for cover
Organisations need sufficient insurance cover in case the worst happens.
The cost of breaches has risen in the past three years. The Department for Business, Innovation and Skills’ Information Security Breaches Survey 2014 showed that for smaller organisations, the worst breaches cost between £65,000 and £115,000 and for large organisations, between £600,000 and £1.15m.
Colin Tankard, Managing Director of data security specialists Digital Pathways, says: “If we consider the recent attack on Target in the US, the estimated cost to the business is around $3bn – enough to bring down the biggest organisations.”