By Genevra Champion, Sector Marketing Manager at IT Governance
With the vast amounts of money that the financial services industry trades and controls, and the sensitive personal customer information that they store, it’s clear to see why financial organisations are an obvious target for cyber criminals.
In 2018, the number of breaches reported by UK financial services firms to the FCA rose by 480 per cent compared with 2017 – making the industry second only to retail in terms of the sectors most affected by cyber crime.
For an industry that is built on customer trust, a data breach could be disastrous. So, with the scale of attacks only set to rise, what do financial services firms need to put in place to proactively protect not just their own information security, but also that of their customers?
A Growing Threat
No matter their size, no financial institution is immune to the threat of cyber crime. Tesco Bank, Metro Bank and HSBC all reported breaches in the last year, so clearly the banks’ cybersecurity defences have not advanced at a fast enough pace as cyber criminals’ attack methods become increasingly sophisticated. For many of the traditional banks, cumbersome legacy systems also pose challenging reliability issues, as well as security flaws.
Thousands of TSB customers were locked out of their accounts after last year’s IT banking fiasco, when the company was upgrading its systems to migrate customer data to a new platform. This ultimately led to scammers exploiting the disruption by contacting customers and posing as bank staff in order to steal significant sums of money. This wasn’t just a case of bad luck for TSB: it failed to fully assess the risks that come with such a huge project and to put an appropriate plan in place to mitigate them.
Since this occurred, TSB has promised to refund all customers who are victims of fraud. Other banks have also updated their approach to the rise of this particular type of cyber crime, signing up to a new voluntary code that will create a central pot to refund people when neither the individual nor the bank is to blame. While this scheme is not a guaranteed refund for customers, and not all of the banks have signed up, it’s a step in the right direction to protect individuals tricked into handing their information to fraudsters.
As the industry is heavily reliant on digital technology, security incidents are an ever-present threat. Organisations can take steps to be prepared – scoping a defence strategy specific to the firm, with processes for implementation, will mean an attack can be quickly identified, isolated and resolved, minimising business impact.
Cyber Security as a Service
With increased regulatory scrutiny and cybersecurity tools and techniques developing at a rapid pace, it’s no surprise that many organisations struggle when it comes to implementing an appropriate defence strategy in-house.
Training is an essential component for in-house security teams to keep up to date with current and evolving threats and data protection issues. But such specialist skills come at a cost that, for many organisations, would be prohibitive. As a more suitable and cost-effective alternative, an insourced model allows you to leverage a dedicated and skilled team on an ‘as you need’ basis to deliver an appropriate strategy. With a Cyber Security as a Service (CSaaS) model in place, organisations can rapidly access a dedicated team with the knowledge and skills to deliver a relevant and risk-appropriate cybersecurity strategy.
Crucially, the model also applies to people and processes. A company’s workforce is often the weakest point of an organisation, so attackers typically focus their efforts on staff. Employees will frequently forget passwords, fail to spot malware, or open phishing emails, for example. Therefore, a blended approach of technology, processes and shared behaviour is required, one that promotes staff awareness and education about the risks, in order to effectively combat the threat.
The importance of effective cybersecurity defences and processes must be promoted at every level of the organisation, spearheaded by the board all the way to the admin departments. The issue of cybersecurity risk must become as embedded within business thinking as operational risk. Any employee can be a weak link, so firms must prioritise their defence strategy and remain compliant with increased regulatory requirements, or risk potentially severe financial and reputational damage.
Cyber crime is a serious and complicated issue to tackle, but financial services firms do not have to take on the fight alone. By implementing a CSaaS model, businesses can embed their cybersecurity strategy as a cost-effective, reliable and practical core component of the organisation’s processes.