The financial services sector is under near-constant attack from cyber criminals. According to a 2020 Forbes report, in 2019 the financial services industry faced the highest number of business email compromise (BEC) attacks compared to other industries and the second-most cyber incidents in total, after the healthcare sector.
Despite years of recommendations and reports, nothing seems to change – in fact, it looks to be getting worse. Why is that? And what can you do to change it?
The Verizon Data Breach Investigation Report 2020 logged a record total of 157,525 incidents, and 3,950 breaches. Phishing was the top threat action in breaches and 45% of breaches featured hacking.
Financial services firms are ideal targets for hackers because they are wealthy companies that hold vast amounts of accurate customer data that threat actors can profit from. This is backed up by the numbers, which show that 86% of breaches are financially motivated, and 72% of breaches involve large business victims. In addition, financial services firms are often built on large estates of siloed legacy systems, which makes them more vulnerable.
Financial services firms tend to dedicate a similar proportion of budget to cyber security as other industries, but this doesn’t reflect how disproportionately more often they are targeted.
You must actively try to uncover vulnerabilities and potential exposures in order to better protect your organisation from attacks and breaches. But you can’t achieve this without sufficient funding.
Cyber has been in the top three triggers for Directors and Officers (D&O) derivative actions since 2017, but more and more we’re seeing D&O policies not covering liability for cyber-attacks. Perhaps this will hold your C-suite more to account when it comes to prioritising and resourcing cyber security.
There has also been an industry-wide lack of cyber due diligence across the financial services sector, particularly when it comes to mergers and acquisitions (M&A). It’s a common theme that weaknesses in cyber security are lurking undetected within the smaller businesses that are acquired.
Cyber criminals target small and medium-sized businesses and the supply chains that support them. These companies tend to have less-advanced security and are an ideal inroad to a global financial organisation.
It’s predicted that cybercrime will cost the world over $6 trillion a year by 2021 – double what it cost in 2015.
Fines from regulators such as the Information Commissioner’s Office (ICO) demonstrate just how hard they will come down on organisations across all sectors for cyber breaches. Last year, the ICO issued a notice to fine Marriott International £99,200,396 for GDPR infringements when details of 339 million guest records were exposed.
But the overall cost of an attack stretches much wider than simply the cost of fines from regulators. The time spent investigating and fixing the fault can take weeks out of your year and set you back in your digital transformation efforts. You must also consider customer compensation, reputational damage, loss of business, damaged brand loyalty and reduced share price.
In a time where there’s more remote working and we’re more connected than ever before, we’re all looking to streamline and integrate our apps and services. But firms must be aware of the risks that come from increasing integration. If one service is breached, any other integrated apps and services, or internal software that is linked to that service, can be exposed. You must consider what is being integrated and weigh up the ease and efficiency it creates for employees against the risk to the business.
You must manage cyber security as an enterprise risk, just like any other. The focus needs to shift from detect, protect, respond to a process that understands the risks to your business, is able to learn from past threats, and can better pre-empt future attacks.
With cybercrime and the costs that go with it increasing every quarter, the industry needs tougher government regulation to bring cyber in line with other crimes.
30% of data breaches involved internal actors, which shows how human error still contributes to vulnerabilities. Your people are still one of the weakest links in your security strategy, so continued training and awareness is crucial – especially with the rise of remote working.
An effective way of doing this is to incentivise the reporting of suspicious activity. This could be through points that add up and can be redeemed, or simply a leader board within departments. Gamifying reporting and making it interactive will help keep employees alert and aware of the threats your business faces.
At 6point6, we carried out this process ourselves and we’re happy to help you secure your data.