Not only has the number of crimes increased, but the impact of these breaches has also become more severe. Criminals are gaining access to huge amounts of personal data from enterprises, including bank details and ID documents, as seen in the recent attack on Arnold Clark. Companies integral to the UK’s national infrastructure are also being crippled by cyber attacks: Royal Mail, for example, saw severe disruption to its overseas delivery capabilities following a breach.

Owing to the higher severity of breaches, the average cost of a single attack in the UK has reached a seven-year high of £4.56 million, which has in turn had a major impact on both the rates and the requirements for cyber insurance. As the frequency and value of payouts have gone up, so has the price of cyber insurance, rising by 66% in the third quarter of 2022, following a peak increase of 102% in the first quarter.

And, while policies will of course differ between insurers, there is an ever-growing checklist of requirements that organisations need to meet in order to be accepted. It is no longer merely expected that companies show they have taken appropriate action to protect themselves against cyber crime; it is required. Those that cannot prove they have put sufficient technical controls and training in place to secure their network will be denied insurance, or refused payment when making a claim.

This comes alongside an increased number of exclusions from insurers as to what they will, and will not, cover. One of the most notable of these recently was Lloyd’s of London’s decision to no longer protect against ‘state-sponsored attacks’, meaning that any attack an insurer could claim was linked to a nation-state would no longer be covered.

For businesses, this has led to a few questions. Firstly, what are the requirements to qualify for cyber insurance and what will be covered? And secondly, given the robust level of security your organisation will achieve through ticking off the checklist of requirements – is the cost of insurance actually worth it?

Am I eligible for cyber insurance?

Across the board, insurance is becoming increasingly challenging to get hold of. Not only are costs soaring, but underwriting requirements are higher and greater scrutiny is being placed on risk mitigation and security program maturity.

Therefore, for businesses to be eligible for cyber insurance, they need to show that they already have robust security in place. While the specific requirements will vary based on the industry, the insurer, the size of the business and the type of coverage required, there are some universal security measures that every business looking for insurance needs to have in place:

Having these measures in place can help towards eligibility for cyber insurance; however, actual requirements will vary on a case-by-case basis. Additionally, while implementing the above can help organisations secure insurance and start better protecting themselves, certain industries will have their own regulations that need to be met, such as the Telecommunications (Security) Act (TSA) for network operators, and it is unlikely that insurers will accept those that do not comply with government legislation.

Is cyber insurance worth it? 

Ultimately, there is no ‘yes or no’ answer to whether cyber insurance is worth the cost. It comes down to the details of the individual policy and will require an in-depth investigation into exactly what will be covered, any stipulations and limits included in the contract, and the price of the premium.

One of the many elements that should be considered is that, in the event of a breach, some insurers will insist on choosing the company that investigates the attack themselves. While that may not seem like a big deal initially, it becomes more of an issue when combined with the recent exclusions around state-sponsored attacks, since it gives the insurer the power to determine whether there is a link to a nation-state, and ultimately whether that affects the eligibility of the claim.

Organisations therefore need to ask themselves whether they are comfortable with this and whether they are happy to trust the results of the insurer’s investigation, particularly if they have their own means to investigate a breach, be it their own technology or an existing relationship with an incident response company, as an insurer may reject findings that differ from its own.

This may draw the value of cyber insurance further into question. What is without doubt ‘worth it’, however, is ensuring your cyber security continues to be at a level where your eligibility for insurance could not be brought into question.

As the threat landscape continues to grow, businesses need to remain aware of the evolving threats, and increase their security measures alongside them, so they can continue to protect themselves, their business partners and their customers from attack. And while cyber insurance requirements themselves shouldn’t be used as a base level for an organisation’s security, the higher bar being set does indicate the need to reassess levels of protection.

Furthermore, as additional security compliance requirements are imposed on some sectors, such as the aforementioned TSA and the EU’s DORA (as well as a likely UK equivalent) for financial services, reviewing and upgrading security measures isn’t just important for protecting your business; it is becoming a more important part of the criteria companies use when assessing their third-party suppliers.

The bottom line

Ultimately, the choice to take out cyber insurance will come down to the cost of the policy, the level of cover you’re able to receive and any stipulations or exemptions. Nevertheless, whether you are insured or not, paying attention to the requirements for cyber security – both from insurance companies and Government regulations – is of utmost importance.

Adhering to security schemes such as Cyber Essentials and Cyber Essentials Plus can help to strengthen your security environment, while regular testing of cyber defences can identify any areas that need to be upgraded. This will not only help your organisation qualify for cyber insurance should you want it, and likely reduce your premium, but it will also greatly reduce the chance of a successful breach.

Insurance or no insurance, the threat landscape is evolving, and your security measures need to evolve with it.

According to PitchBook data, the total capital invested in cybersecurity deals grew at a CAGR of 30% between 2012 and 2019. In 2020, both the number and value of deals contracted heavily as a result of the global pandemic. However, as of July 2021, the cybersecurity deal environment seems to have become red-hot again, with global deals worth €21 billion. 2021 could be a record year for cybersecurity deals.

There are multiple investors in the space, including cyber natives (young companies formed to provide cyber software or services), global consultancies, technology firms, professional services organisations, telcos, engineering businesses and defence companies. The US market is the most mature and advanced globally, but the UK and Europe are not far behind. Alfonso Marone, UK Head of Deal Advisory for TMT at KPMG UK, delves into the topic.

Consolidation expected to continue

Although there are clear political divides between East and West, and although in some industries, such as defence, there is for obvious reasons a need to ‘buy local’ in terms of cyber services, we can expect to see consolidation in the global market, for a number of reasons.

Firstly, cyber is inherently a global issue: attackers can strike more or less anywhere, from anywhere. Secondly, software is an inherently suitable product category for scalability and market concentration. Thirdly, on the cyber services side, we also expect consolidation as providers look for economies of scale and scope, build client trust through having a global presence and, as large international organisations, increase their chances of winning the cut-throat war for talent.

Investor challenges

However, there are a number of key challenges that investors need to overcome in order to realise effective deals:

It is essential that investors recognise this set of very cyber-specific investment challenges. In my view, and in my experience of working with a wide range of clients across the sector, there are three considerations that are of utmost importance for interested investors throughout the deal cycle.

Three essential areas of focus

Firstly, deal origination. Given the fragmentation of the market and the fact that many potential targets are still relatively small, deal origination can be a challenge. Well-connected local deal sources are needed who can advise and alert a potential investor on targets that may have real substance and potential.

Secondly, pre-signing due diligence must be absolutely robust. This must include both commercial and technical due diligence.

Thirdly, the target operating model (TOM). The difficulties of technical integration that we have discussed, together with the employee retention challenges, mean it’s vital investors think in detail about the post-deal TOM they are aiming for and how that can be achieved in the integration of any target business.

The case for investment in the cybersecurity sector remains compelling. But, like anything that’s hot, it requires careful handling!

However, not all crime is conducted directly online. Some people are tricked into giving away details over the phone, or are told to use their banking app to transfer money into a ‘safe account’. This multi-channel approach means that, at every touchpoint, an organization must be aware that its customers could be at risk; it needs to put systems and processes in place to mitigate cybercrime.

According to a report by McAfee, Europe is one of the worst affected regions in the world, with losses estimated at 0.84% of its GDP. Looking at the UK specifically, the cost of cyber-crime to the UK economy is estimated at £27bn, and it is growing.

GDPR and Customer Data Breaches

One of the latest and most high-profile risks to have come to people's attention over the past 18 months is customer data breaches. Customers are increasingly aware that organizations hold a lot of their personal data and they want to be sure that it is safe. The General Data Protection Regulation was brought into force to ensure that organizations act responsibly when processing and storing customer data.

The financial impact of not following the regulation, or of not having the correct systems in place, has been significant. Just months after GDPR came into force, British Airways became one of the first companies to fall foul of it when the personal data of around 500,000 customers was stolen, leading the ICO to announce its intention to fine the airline £183m.

The Financial Fallout of Cyber Crime

Before any cyber-crime has taken place, there is a significant cost to businesses that need to purchase software, implement new processes and training, and even employ new cybersecurity teams to deal with threats. For global organizations, there may also be a need to hire consultants to advise on what they need to do to keep themselves and their customers safe.

One consequence of cybercrime that will affect every business is direct cost: money lost by the business or by consumers, and damage to the brand's reputation. If a bank suffers a cyberattack and customers lose money, they are likely to lose confidence, which can have a huge knock-on impact on business performance and profits.

Following an attack, there may also be payments to be made. On top of the money lost in the attack itself, a business may also need to pay compensation, fines and legal costs. Depending on the type and severity of the attack and the data that was lost, this can amount to millions of pounds, as the British Airways case demonstrates.

Two thirds (66%) of people rate safe and secure payments as the most important factor in the online checkout process, with only one in ten being most concerned about speed or simplicity. Security ranked highest across all age groups, and was a particular concern for over-55s (75%) compared to just over half of 18-24 and 25-34 year olds (52% and 53% respectively).

The survey, conducted online with YouGov, also revealed a further 76% of Brits would be willing to accept a slower or less convenient checkout experience in return for greater payment security. Meanwhile, almost half (45%) said security concerns about online payment processes were the reason most likely to put them off using a particular online retailer, more so than having to create an account (14%), a confusing process (8%), or too many steps during checkout (6%).

Keith McGill, head of ID and fraud at Equifax, said: “With more than 20% of retail revenues coming from online sales*, it’s positive to see so many consumers have security front of mind when they’re at the online checkout. The latest stats from Cifas do however show an increase in identity fraud** so it’s important shoppers remain vigilant. If you have any doubts about the professionalism of a website you should always think very carefully before entering your personal or payment details.

“New Europe-wide regulations are on the horizon which will require two stage verification for any online purchase for more than 30 euros, similar to the security checks used for online banking. While this might feel like an extra hoop to jump through, it’s an important step forward in the ongoing battle to fight fraud.”

(Source: Equifax)

The retail banks were responsible for the highest number of reports (486), almost 60% of the total. This was followed by wholesale financial markets on 115 reports and retail investment firms on 53.

The root causes for the incidents were attributed to third party failure (21% of reports), hardware/software issues (19%) and change management (18%).

The FCA has recently warned of a significant rise in outages and cyber-attacks affecting financial services firms. It has also called on regulated firms to develop greater cyber resilience to prevent attacks and better operational resilience to recover from disruptions.

According to new data obtained by RSM, there were 93 cyber-attacks reported in 2018. Over half of these were phishing attacks, while 20% were ransomware attacks.

Commenting on the figures, Steve Snaith, a technology risk assurance partner at RSM said: "While the jump in cyber incidents among financial services firms looks alarming, it's likely that this is due in part to firms being more proactive in reporting incidents to the regulator. It also reflects the increased onus on security and data breach reporting following the GDPR and recent FCA requirements.

"However, we suspect that there is still a high level of under-reporting. Failure to immediately report to the FCA a significant attempted fraud against a firm via cyber-attack could expose the firm to sanctions and penalties from the FCA.

"As the FCA has previously pointed out, eliminating the threat of cyber-attacks is all but impossible. While the financial services sector emerged relatively unscathed from recent well-publicised attacks such as NotPetya, the sector should be wary of complacency given the inherent risk of cyber-attacks that it faces.

"The figures also underline the importance of organisations obtaining third party assurance of their partners' cyber controls. Moreover, the continued high proportion of successful phishing attacks highlights the need to continue to drive cyber risk awareness among staff.

"Interestingly, a high proportion of cyber events were linked to change management, highlighting the risk of changes to IT environments not being managed effectively, leading to consequent loss. The requirements for Privacy Impact Assessments as a formal requirement of GDPR/DPA2018 should hopefully drive a greater level of governance in this area.

"Overall, there remain serious vulnerabilities across some financial services businesses when it comes to the effectiveness of their cyber controls. More needs to be done to embed a cyber resilient culture and ensure effective incident reporting processes are in place."

Fig1: The number of cyber incidents reported to the FCA by regulated firms in 2018, broken down by the sector the incident impacted (source: FCA; percentages rounded):

Impacted sector                     Incidents (2018)    % of incidents
Retail banking                      486                 59%
Wholesale financial markets         115                 14%
Retail investments                   53                  6%
Retail lending                       52                  6%
General insurance and protection     49                  6%
Pensions and retirement income       35                  4%
Investment management                29                  4%
Total                               819                 100%

Fig2: The root causes of cyber incidents reported to the FCA (source: FCA):

Root cause                          Incidents (Jan-Dec 2018)    % of incidents
Third-party failure                 174                         21%
Hardware/software                   157                         19%
Change management                   146                         18%
Cyber attack                         93                         11%
TBC                                  93                         11%
Human error                          47                          6%
Process/control failure              45                          5%
Capacity management                  25                          3%
External factors                     17                          2%
Theft                                11                          1%
Root cause not found                 11                          1%
Total                               819                         100%

Fig3: The breakdown of incidents in 2018 categorised as 'Cyber attacks' (source: FCA):

Cyber attack root cause                     Incidents (Jan-Dec 2018)    % of incidents
Cyber - Phishing/Credential compromise      48                          52%
Cyber - Ransomware                          19                          20%
Cyber - Malicious code                      16                          17%
Cyber - DDoS                                10                          11%
Total                                       93                          100%

In the UK, 88% of data breaches reported to the Information Commissioner’s Office (ICO) are caused by human error. The most common mistake is sending information to the wrong person, and the number one culprit is email. So what do you do? Peter Matthews, CEO of Metro Communications, explains.

CFOs should not ignore the potential impact of such breaches on a company’s finances and reputation. Research for IBM suggests that the average cost of a data breach in the UK rose to £2.7m in 2018, with health, financial and service sectors most likely to experience breaches.

Few FDs would claim to be immune to accidental data transfer via email. So, what can you do if you inadvertently send a confidential message to the wrong person?

1. Recall or ‘unsend’ it

Email services offer different ways to cancel sent messages. In Outlook it is possible to recall and then delete an email, provided the recipient has not yet opened it and both sender and recipient are in the same Exchange organisation; recall does not work for mail that has already left for an external domain. Gmail’s ‘Undo Send’ holds messages for a short, configurable delay before they leave your outbox. If a sensitive email has been sent to a fellow employee then your IT department should be able to delete it, if they are informed fast enough.

2. Contact the recipient

Get in touch with the recipient as soon as you notice the mistake and ask them to delete the email without reading or sharing it. Request that they email you to confirm they have done so. Log the incident in a ‘cyber accident book’.

3. Report and act quickly

Report the incident internally and ensure it is followed through to its conclusion. An employee of SSE Energy who sent a sensitive email in error promptly reported it in accordance with the company’s policies and procedures. However, SSE’s failure to notify the Commissioner in a timely manner led to a £1,000 fine and negative publicity. The regulations have since been amended so that directors, managers and company secretaries can be fined up to £500,000.

4. Inform and advise customers

Good customer service goes a long way. Boeing was mocked for failing to use its own data protection software to prevent an accidental breach that compromised the personal data of 36,000 employees. But it was applauded for informing those affected about the nature of the incident, taking action to ensure the files were deleted, and giving detailed advice on how they could check their personal data was not being misused.

5. Notify the regulator, if necessary

Inform the regulator within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to the individuals concerned. Even where you don’t feel an incident is notifiable, it is still worth recording it internally. This will help you review incidents as part of a health check, and if you ever have to demonstrate regulatory compliance it could prove invaluable.

Once you’ve contained the incident, revisit your strategy and consider the need for other forms of action such as staff training, policy reviews, access rights, restrictive covenants and encryption. Data classification that ‘weights’ the sensitivity of each file and document on your company’s drive and then links highly confidential information to a closed group of authorised recipients, with blocks on copying such information onto memory sticks, can be helpful. Preventative tools like this make it difficult to email the wrong data to the wrong person and they also log user behaviour, flagging up employees who try to reclassify data so they can send it out of the business.
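The classification and recipient controls described above can be expressed as a small outbound-mail policy check. The following Python is an added example, not Metro Communications’ product or any vendor’s code; the label scheme, the internal domain example.com, the authorised group and the sample messages are all constructed for illustration. It blocks highly confidential attachments to anyone outside a closed group, blocks confidential attachments to external domains, flags recipients whose domain is a typo of the company’s own (the ‘wrong person’ failure this article opens with), and enforces on a file’s originally recorded label so that a user who downgrades a label is logged rather than waved through.

```python
from dataclasses import dataclass, field
from typing import List

# Sensitivity labels in increasing weight. The scheme, the internal domain and the
# authorised group are assumptions for this example; a real deployment would read
# them from the classification tool.
LABELS = {"public": 0, "internal": 1, "confidential": 2, "highly_confidential": 3}
INTERNAL_DOMAIN = "example.com"
# Closed group permitted to receive highly_confidential material (constructed).
AUTHORISED = {"cfo@example.com", "fd@example.com", "legal@example.com"}


@dataclass
class Attachment:
    name: str
    label: str           # label on the file as it is being sent
    original_label: str  # label recorded when the file was first classified


@dataclass
class OutboundMail:
    sender: str
    recipients: List[str]
    attachments: List[Attachment] = field(default_factory=list)


@dataclass
class Verdict:
    allowed: bool
    reasons: List[str]   # why the message was blocked
    audit: List[str]     # user behaviour worth reviewing even when not blocked


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot a mistyped version of our own domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def check_outbound(mail: OutboundMail) -> Verdict:
    reasons: List[str] = []
    audit: List[str] = []

    # 1. Misdirection: a domain one or two keystrokes away from our own is almost
    #    always a typo, whatever the content, so block and tell the sender.
    for rcpt in mail.recipients:
        dom = domain_of(rcpt)
        if dom != INTERNAL_DOMAIN and edit_distance(dom, INTERNAL_DOMAIN) <= 2:
            reasons.append(f"{rcpt}: domain looks like a mistyped {INTERNAL_DOMAIN}")

    for att in mail.attachments:
        # 2. Reclassification: enforce on the stricter recorded label and log the
        #    downgrade, so relabelling a file does not bypass the policy.
        effective = att.label
        if LABELS[att.label] < LABELS[att.original_label]:
            audit.append(f"{mail.sender} downgraded {att.name} from "
                         f"{att.original_label} to {att.label}")
            effective = att.original_label
        weight = LABELS[effective]

        # 3. Recipient checks by weight: highly confidential only to the closed
        #    group, confidential only inside the company, anything else unrestricted.
        for rcpt in mail.recipients:
            if weight >= LABELS["highly_confidential"]:
                if rcpt.lower() not in AUTHORISED:
                    reasons.append(f"{att.name} ({effective}) to {rcpt}, "
                                   f"who is outside the authorised group")
            elif weight >= LABELS["confidential"]:
                if domain_of(rcpt) != INTERNAL_DOMAIN:
                    reasons.append(f"{att.name} ({effective}) to external address {rcpt}")

    return Verdict(allowed=not reasons, reasons=reasons, audit=audit)


if __name__ == "__main__":
    # Constructed case: the FD relabels a board pack and sends it to a mistyped address.
    mail = OutboundMail(
        sender="fd@example.com",
        recipients=["cfo@exmaple.com"],
        attachments=[Attachment("board_pack.xlsx", "internal", "highly_confidential")],
    )
    verdict = check_outbound(mail)
    print("allowed:", verdict.allowed)
    for line in verdict.reasons + verdict.audit:
        print(" -", line)
```

The point of keeping the original label alongside the current one is the behaviour the article warns about: a user who relabels a file to get it past the gateway produces an audit entry as well as a block, which is what a reviewer later needs to distinguish an honest mistake from deliberate exfiltration.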

The law doesn’t distinguish between deliberate and accidental breaches, so don’t expect a discount on fines for damaging disclosures caused by an honest mistake, and don’t be surprised to find lawyers queuing up to help those whose financial, personal or health data has been incorrectly transferred.

But let’s look at it positively. Employee error is a significant contributor to data loss, but it is easier to prevent and generally takes less time to control than a malicious hack. Indeed, many accidental incidents can be contained or even prevented by steps so simple that everyone should be taking them. However, if you’ve decided you want to take a ‘belt and breaches’ approach then it’s time to trust yourself less. Preventative measures such as data classification will ensure you send that sinking feeling to your deleted folder once and for all.

The company, which advises organisations of all sizes on their insurance requirements, and which has worked with a quarter of the companies in the FTSE 100, has recently launched a new Cyber Risk Consulting Practice. This helps clients to understand their exposure to cyber risks, and to source appropriate insurance cover for these. In a report, it has recently reviewed dozens of ‘off-the-shelf’ cyber insurance policies and identified seven significant common flaws:

1. Cover can be limited to events triggered by attacks or unauthorised activity – excluding cover for issues caused by accidental errors or omissions

2. Data breach costs can be limited – e.g. covering only costs that the business is strictly legally required to incur (as opposed to much greater costs which would be incurred in practice)

3. Systems interruption cover can be limited to only the brief period of actual network interruption, providing no cover for the more significant knock-on revenue impact in the period after IT systems are restored but the business is still disrupted

4. Cover for systems delivered by outsourced service providers (many businesses’ most significant exposure) varies significantly and is often limited or excluded

5. Exclusions for software in development or systems being rolled out are common and can be unclear or in the worst cases exclude events relating to any recently updated systems

6. Where contractors cause issues (e.g. a data breach) but the business is legally responsible, policies will sometimes not respond

7. Notification requirements are often complex and onerous

Bruce Hepburn, CEO of Mactavish said: “There are a number of new cyber insurance policies being launched, but despite a sharp increase in cyber incidents this market is very immature and in many respects untested. Perhaps some of these policies have been rushed to market by insurers eager to capitalise on the growing cyber risks facing organisations, and their desire to spend significant amounts of money to protect themselves against this.

“Very few claims have been made on these new cyber insurance policies, but my bet is that many will be disputed, or settlements will be much lower than clients expected. However, this can be avoided if organisations first understand the cyber risks they face, and then secure a bespoke policy to meet their needs.”

(Source: Mactavish)

Below Puneet Taneja, Head of Operations at Teleperformance, discusses with Finance Monthly how banks can prevent, detect and protect against fraud.

Trade body UK Finance reports that over £500 million was lost to fraud in the first half of 2018. What is particularly worrying is that, of that £500 million, over £385 million was lost without the account holder's knowledge or authorisation.

This news seems to cement current fears that fraudsters are becoming increasingly sophisticated in their efforts to rob banking customers and overcome current financial security and anti-fraud measures. The rise of cybercrime has led to a new generation of fraudsters using technology to come up with new and innovative ways to steal hundreds of millions of pounds from customers, all while remaining undetected.

Although this may be stating the obvious, identifying, investigating and ultimately preventing fraud must remain a high priority. Much of the technology needed to drive this forward is still in its infancy, so banks must keep striving to stay on top of the latest and most effective methods of countering fraudulent activity.

A reassessment of banking technologies and systems is the key to safeguarding customer accounts.

It’s all well and good to harness existing technologies and data analytics to spot irregular data patterns and highlight suspicious transactions, but this is only half the story. Employing a greater number of customer service agents who can aid in the risk management process can similarly help banks pre-empt fraud and treat the causes of financial loss, as opposed to the symptoms.

Overcoming fraudulent losses has the natural flow-on effect of boosting customer satisfaction, one of the key factors to banks’ long-term financial health. If customers view banks as being up to date on the relevant technologies to keep on top of inbound fraud, reputational equity builds and so too does customer satisfaction. This relies on banks being able to tackle the issue of fraudulent transactions in real time, in a proactive manner, rather than taking a reactive approach.

Using real-time anomaly detection to spot suspicious transactions, financial institutions have reported reductions in fraud losses of as much as 92 percent; in one instance, a UK national bank saved £3.54 million annually on credit and debit card fraud by using analytics technology.
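To make the real-time anomaly detection mentioned above concrete, here is an added Python example (not Teleperformance’s or any bank’s system) of a per-account streaming detector. It keeps a Welford running mean and standard deviation of accepted amounts, a sliding window of recent attempts for velocity checks, and the set of countries the card has been used in; a transaction is flagged when its amount is more than three standard deviations above the account’s mean, when it is the first use in a new country, or when too many attempts arrive inside the window. The account, amounts, timestamps and thresholds are constructed for the demonstration.

```python
import math
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set


@dataclass
class Txn:
    tid: str
    account: str
    ts: int        # Unix seconds
    amount: float  # GBP
    country: str


@dataclass
class AccountProfile:
    # Welford running mean/variance of accepted amounts, the timestamps of recent
    # attempts (flagged or not) and the countries the card has been used in.
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0
    recent: Deque[int] = field(default_factory=deque)
    countries: Set[str] = field(default_factory=set)

    def learn(self, amount: float, country: str) -> None:
        self.n += 1
        delta = amount - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (amount - self.mean)
        self.countries.add(country)

    def std(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class RealTimeDetector:
    # Thresholds are assumptions for the example; a bank would tune them per portfolio.
    def __init__(self, z_threshold: float = 3.0, min_history: int = 5,
                 window_s: int = 600, max_in_window: int = 3) -> None:
        self.z_threshold = z_threshold
        self.min_history = min_history
        self.window_s = window_s
        self.max_in_window = max_in_window
        self.profiles: Dict[str, AccountProfile] = defaultdict(AccountProfile)

    def score(self, txn: Txn) -> List[str]:
        """Return the reasons this transaction is anomalous (empty list = accept)."""
        p = self.profiles[txn.account]
        reasons: List[str] = []

        # Velocity: count every attempt in the sliding window, flagged or not,
        # so rapid 'card testing' after a fraud is still caught.
        while p.recent and txn.ts - p.recent[0] > self.window_s:
            p.recent.popleft()
        if len(p.recent) >= self.max_in_window:
            reasons.append(f"velocity: {len(p.recent) + 1} attempts in {self.window_s}s")
        p.recent.append(txn.ts)

        # Behavioural checks only once there is enough history for a baseline.
        if p.n >= self.min_history:
            sd = p.std()
            if sd > 0 and (txn.amount - p.mean) / sd > self.z_threshold:
                z = (txn.amount - p.mean) / sd
                reasons.append(f"amount: z={z:.1f} against mean {p.mean:.2f}")
            if txn.country not in p.countries:
                reasons.append(f"geography: first use in {txn.country}")

        # Only accepted transactions update the baseline; otherwise a fraudster's
        # spending would teach the model that large foreign payments are normal.
        if not reasons:
            p.learn(txn.amount, txn.country)
        return reasons


def run(stream: List[Txn]) -> Dict[str, List[str]]:
    """Score a stream in arrival order; return reasons for every flagged transaction."""
    det = RealTimeDetector()
    flagged: Dict[str, List[str]] = {}
    for txn in stream:
        reasons = det.score(txn)
        if reasons:
            flagged[txn.tid] = reasons
    return flagged


# Constructed stream: six months-of-normal-looking card payments, then a large
# payment from a country never seen before, then rapid small tests of the card.
BASE = 1_700_000_000
SAMPLE_STREAM = [
    Txn("t1", "acct-42", BASE, 25.0, "GB"),
    Txn("t2", "acct-42", BASE + 3600, 40.0, "GB"),
    Txn("t3", "acct-42", BASE + 2 * 3600, 32.0, "GB"),
    Txn("t4", "acct-42", BASE + 3 * 3600, 55.0, "GB"),
    Txn("t5", "acct-42", BASE + 4 * 3600, 18.0, "GB"),
    Txn("t6", "acct-42", BASE + 5 * 3600, 47.0, "GB"),
    Txn("t7", "acct-42", BASE + 6 * 3600, 900.0, "RO"),
    Txn("t8", "acct-42", BASE + 6 * 3600 + 60, 10.0, "GB"),
    Txn("t9", "acct-42", BASE + 6 * 3600 + 120, 10.0, "GB"),
    Txn("t10", "acct-42", BASE + 6 * 3600 + 180, 10.0, "GB"),
]

if __name__ == "__main__":
    for tid, why in run(SAMPLE_STREAM).items():
        print(tid, why)
```

Two design choices matter more than the arithmetic. The baseline is learnt only from accepted transactions, because letting a flagged payment update the mean is exactly how a fraudster ‘normalises’ an account before a larger hit; in production that feedback would come from the customer confirming or disputing the payment. And the velocity window counts attempts rather than accepted payments, since a run of declined or flagged small transactions is itself the signature of card testing.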

Not only are banks able to mitigate the financial consequences, but also the reputational repercussions for those who have fallen victim. Naturally, it can be very damaging to any organisation's reputation when the media publishes an incident involving fraud. Banks need to ensure that customers appreciate the back-office efforts that are put in place not only to prevent fraud, but also to support customers who fall victim to it.

Nevertheless, fraud is an inescapable risk associated with performing financial services and banks have a responsibility to be well prepared on how they respond to fraudulent activity. From a customer services standpoint, the main driver of this preparedness comes from banks needing to be seen as being on the customer’s side. This concerns being prepared to help consumers through financially troublesome times, like when they fall prey to fraudulent activity. This is an integral part of banks’ customer service efforts.

Overcoming fraud is a nation-wide effort that every organisation in the industry is currently attempting. Eliminating fraudulent activity altogether may not yet be possible, but firms have the technology available to make a significant difference. Considering an overhaul of fraud prevention systems may be the key to banks detecting fraud faster and more efficiently than in recent times.

There is a rush to improve speed, convenience and user experience in financial interactions, but at what cost to security?


While for the most part bankers are positive about their ability to improve their financial performance in 2018 and beyond, evolving risks, particularly cyber risk, are no doubt preoccupying their thoughts. A recent report by professional services firm EY puts cybersecurity as the number one priority for banks in the coming year, and it comes as no surprise, especially with Britain’s National Cyber Crime Unit data showing that 68% of large UK businesses across sectors were subject to a cybersecurity attack or breach in the past 12 months.

It’s a mounting problem, and the financial services industry needs to fight back. We’ve picked out the four key ways of countering the continuing threat to banks’ cybersecurity, and it’s a case of fighting cyber with cyber.


1. Artificial intelligence

As in retail and manufacturing, for example, artificial intelligence (AI) and advanced analytics will play a key role in banking going forward.

And the financial services industry is looking to this technology to play a major part in preventing cyber attacks, reducing conduct risk and improving monitoring to prevent financial crime. Mitigating such external and internal threats is critical to both business continuity and limiting operating losses, so AI shouldn’t be overlooked as a key tool in reaching this goal.


2. Electronic identification

In order to meet the regulatory technical standards, which will be enforced from September 2019 as part of the European Union’s PSD2 payments legislation, the number of transactions requiring two-factor authentication will rise in the coming months.

What the industry has termed “Strong Customer Authentication” will be required, and this means that payments and account access will rely on customers providing at least two of the following three independent factors: something they know, like a password; something they have, like a phone or card; and something they are, such as a fingerprint.

More factors equals more security is the industry theory here.


3. Biometrics

Which leads us neatly on to point three: biometrics. This push for two-factor authentication and new electronic identification will pave the way for more use of biometrics. With some of the largest players in card payments, including Mastercard, investing heavily in such solutions, we expect others to follow suit.

As Ajay Bhalla, President for global enterprise risk and security at Mastercard puts it: “The use of passwords to authenticate someone is woefully outdated, with consumers forgetting them and retailers facing abandoned shopping baskets.

“In payments technology this is something we’re closing in on as we move from cash to card, password to thumbprint, and beyond to innovative technologies, such as AI.”


4. Blockchain

According to the EY research report, 20-40% of financial service providers are investing in Blockchain now and are planning to increase investment, while approximately the same percentage are investing now but planning to reduce expenditure.

Either way, it shows that blockchain is very much on the agenda for banks. Its main attraction is that it creates an append-only, tamper-evident audit trail replicated across many nodes, so there is no single point of failure for attackers to target. This gives banks greater transparency and increases trust.

Blockchain also has the potential to make a complex global financial system less complicated and reduce the number of middlemen involved in the transferring of money.


So, that’s the technology on offer, but what are the next steps?

Unless banks collaborate more with their peers, or make better use of the wider ecosystem, the investment in advanced technologies required to address growing cybercrime will be substantial, and could strain their ability to improve financial performance and grow their businesses.

And, as bank leadership teams focus on investing in the relevant people and technology – and it is the combination of both that’s crucial here – to enhance cybersecurity, they may struggle to find the right skill sets or the right methods for integrating cyber experts into their organisations.

Raising their knowledge of the technology available to help stem the tidal wave of cyber threats is a key requirement for banks, if they don’t want to end up washed up on the shore as a result of their defences being breached.


You’ve seen a lot of content, articles, warnings and advice on cybersecurity, with hundreds of firms trying to sell you next level cyber protection. So, before you do anything else, you need to know what exactly it is you’re protecting yourself against. Below Suid Adeyanju, Managing Director of RiverSafe, lists 10 threats you need to be aware of.

In early July IBM Security and the Ponemon Institute released a new report titled ‘Cost of a Data Breach Study’. In this study it was reported that the global average cost of a data breach and the average cost for lost or stolen information both increased. The former is up 6.4% to £2.94 million while the latter increased by 4.8% year over year to $112.57. This shows that cyberattacks on enterprises continue to rise. In particular, over the last two years there has been a continual stream of concerning data security breaches.

One of the ways that organisations can defend against attacks is to ensure staff understand and are educated about the cyber threat landscape.

Understanding Threats to your Business

Getting the right technology, services, and security professionals is only a part of tackling the cyber security problem. It is also important that companies get a clear understanding of the cyber threat landscape. This means knowing where these types of attacks can come from and in turn, who is leading the attack (whether it be an individual or group). Often, knowing the answer to these types of questions leads to an understanding of the motive and makes countering the attacks easier. So, in this article, I wanted to highlight the areas of the cyber threat landscape that enterprises should be aware of.

  1. Nation State: This kind of hacking is often government versus government. It is often functionally indistinguishable from cyber terrorism, but the defining trait is that the attack is officially sanctioned by a country’s government. These attacks can involve not only hacking but the use of more traditional spying as well.
  2. Insider Threat: This is one area where many businesses least expect a threat to come from: inside the business itself. A report from A10 Networks revealed that employee negligence is a major cause of cyber attacks, with employees unknowingly allowing hackers into the business through unauthorised apps. And, on the very rare occasion, a disgruntled employee could try and bring the business down in revenge, so it is always important to investigate who could have access because there is every chance that the threat could come from the inside.
  3. Individual Attackers: When you think of the stereotypical hacker most thoughts turn to a hooded youth sitting alone in their room. This is the individual attacker and their motives are often more one of curiosity and learning. They want to see if they can hack a system rather than attempt anything malicious. This is the most neutral cyber threat.
  4. Industrial Espionage: Sometimes an unrelated group and other times a rival business, cyber threats that deal with industrial espionage have the motive of creating problems for your business. The most common reason for industrial espionage is to discover the secrets of a rival business, often through spying. However, it could also involve destroying valuable data or, with some IoT devices, physically breaking the technology: anything that can give a business an edge over a competitor.
  5. Cybercriminals: Much like the individual attackers, cybercriminals are an all-encompassing cyber threat. Almost all hackers are criminals in some way and the motives can vary from demanding money, to setting up crypto-mining, to damaging company property. Whatever they do it won’t be a good thing.
  6. Phishing and Ransomware: These are some of the most common types of attacks you’ll find cyber criminals performing. These attacks are motivated purely by financials and exist to either scam a business out of money or hold valuable company data at ransom. Sometimes this can be a distraction to hide something more nefarious. Therefore, organisations need to make sure they are prepared for any escalation.
  7. Ethical Hackers: An ethical hacker is the opposite of a cybercriminal, as the term ‘ethical’ implies. These types of threats are often undertaken for the sake of a company, and often have been paid for by the business to see if it can hack into its own servers. These hackers test the security resilience of a business and locate areas that are vulnerable, before an ‘unethical’ hacker comes along.
  8. Hacktivists: A hacktivist is a sub-set of cybercriminals whose motives are more ideological. As the name references, a hacktivist is essentially a cyber activist. They are using hacking purely to push an agenda, whether political, religious, or otherwise, rather than a financial motive. A hacktivist attack can be something as simple as changing the text on a company website to a more nefarious act that interferes with the day to day running of the business.
  9. Cyber Terrorism: While hacktivists don’t always cause damage, a cyber-terrorist will. Just like real terrorism, cyber terrorism exists to bring terror to your business, country and customers. Examples include the attacks on the NHS last year which aimed to bring systems down in hospitals and cause chaos and fear.

Understanding all the different types of attacks in the cyber threat landscape helps you build your cyber defence: you can identify a motive, trace what kind of opponent your business is facing, and judge whether this is an attack aimed primarily at an individual, at an organisation, or a national-level threat where the solution would be to work with other companies to stop the attack as a team.

Rising fears of cybercrime are prompting financial services firms to increase their spend on security, according to new research from Lloyds Bank Commercial Banking, which canvassed the views of the world’s largest financial institutions.

The research found that six out of seven (85%) financial services firms have spent more on tackling cyber risks in the past 12 months, with one in seven (14%) having significantly increased their spend.

Over the same period, almost nine in 10 (87%) have become more concerned about cyber-risks, with nearly a quarter (23%) becoming significantly more concerned.

Priorities and risks

When asked about what they wanted to achieve from their technology investment in the coming year, one in seven (14%) financial firms cited improved cyber-security as their top priority. It was the third highest priority area flagged behind reducing operating costs (17%) and revenue growth (26%).

The picture was similar when firms were asked about risks to their UK operations for 2018. Respondents said cyber security was one of the most significant risks, alongside increased market competition and geopolitical uncertainty, but behind macro factors such as the effects of Brexit and economic uncertainty.

Robina Barker Bennett, Managing Director, Head of Financial Institutions, Lloyds Bank Commercial Banking, said: “The pace of technological advancement continues to offer tremendous opportunities to financial institutions, but this has been mirrored by the rising threat of attacks from increasingly sophisticated cyber criminals. As a Group, we work closely with businesses across the UK to help build their digital skills, so it’s encouraging to see the UK’s financial sector is alive to the issue and responding with increased investment.”

Preparing for the worst

Despite firms prioritising investment in new technology to safeguard against cybercrime for the year ahead, one in 10 (10%) are still not insured against a cyber-attack.

A similar number (9%) said they have taken no steps to arrange contingency funding, and 7% have made no contingency arrangements with banking providers, such as to guarantee payments, for example.

However, almost all (95%) firms questioned did say they were confident their finance and treasury functions were suitably prepared to recover from an attack, with one in five (20%) saying they were very confident.

Robina Barker Bennett added: “While reassuring overall, there are still a small minority of organisations that aren’t mitigating risk with insurance or contingency measures.

“The financial and reputational impact of a successful cyber-attack is becoming more severe. Investment in proactive, preventative cyber security measures should go hand-in-hand with robust planning for the worst-case scenario.”

(Source: Lloyds Bank Commercial Banking)

Paul Taylor, Partner and UK Head of Cyber Security at KPMG discusses why a shift in thinking is needed in the way we think about the role of cyber in business risk planning.

In the race to improve efficiency, increase productivity and outstrip rivals, the adoption of new technologies is now a permanent characteristic of the business landscape. The prospect of rapid productivity gains and breakthrough opportunities is driving organisations to automate processes, connect systems and leverage new kinds of infrastructure before the competition can. However, the reliance on competitiveness through technological adoption has blurred the boundaries between devices, systems and employees, creating new vulnerabilities that are increasingly exploited by cyber criminals and nation-state backed groups.

In today’s digital landscape, connected medical devices provide physicians with faster and more accurate patient diagnoses, whilst retrofitted smart sensors allow production equipment to automatically signal to other devices once a process is complete and when the next processes need to begin, speeding up manufacturing time and efficiency. At the other end of Industry 4.0, rail providers adopt real-time cab signalling and traffic management systems, which have the potential to add time to train pathways and avoid the need for extra lines of track by increasing capacity on existing lines. In the public sphere, vehicle manufacturers race to deploy driverless cars with the latest automated control systems and sensory equipment, designed to help identify safe navigation paths, obstacles and traffic light systems.

The unrelenting pursuit of better, faster and more efficient ways of deploying and creating technology has driven innovation in our businesses and across our economy, ensuring the UK is a world leader in a multitude of industries. Yet this position at the top of the leader board has to an extent come at the cost of security. The current nature of cyberspace means it is far easier and simpler for malicious actors to carry out vulnerability-based attacks over targeted hacking campaigns. Taking full advantage of the constantly evolving technological landscape, hostile individuals and criminal groups invest their time researching digital infrastructures and devices in order to design attack software that exploits vulnerabilities and weak points.

This kind of exploit-based hacking was seen when criminals took advantage of an overlooked vulnerability in Sony’s computer systems, which gave them full access to the company’s wider network. The alleged group behind the attack crippled the company network before they released sensitive corporate data, including four unreleased films, business plans, contracts and the personal emails of senior staff – having a huge impact on the business. Such attacks are not only restricted to large company networks. Advances in the UK’s rail signalling system to upgrade to a ‘connected network’ have also been shown to be vulnerable to hackers who could use software to tell a train that it’s speeding up when it is slowing down or even give a false location. These fears were almost realised last year when it was revealed the UK rail network had been compromised in four major ‘exploratory’ cyber-attacks. In Finland, hackers hit a building management system with a distributed denial of service (DDoS) attack that left residents with no central heating and in 2015, Chrysler was forced to recall 1.4 million cars after security researchers revealed that the vehicle’s internet-connected entertainment system could be hacked. To add the icing on top, at last year’s cyber security contest DEF CON, contestants found 47 vulnerabilities in 23 IoT devices, including smart door locks, refrigerators, and solar panel arrays.

Whether it’s increased connectivity, automating systems or upgrading networks, organisations – both public and private – are finding themselves dependent on new technological capabilities long before they have even begun to consider how they are leaving them open to cyber-attacks.

Many businesses are taking steps to begin to deploy things like RegTech (Regulatory Technology) as part of preparation for regulations such as GDPR and MiFID II, possibly taking this more seriously because the cost of non-compliance is clear and outlined. However, the impact and cost of a cyber hack could be just as bad, so there needs to be a shift in thinking: a cyber hack is not just a cyber hack, it’s a risk to the whole business.

The impact of these kinds of attacks can include lost revenue, losses to intellectual property and customer loyalty, and reputational damage. The practice of innovation at the expense of security cannot therefore be maintained, and leaders need to start to think of a lack of security for what it really is: a risk to the whole business.

As outlined in a recent white paper on cyber security business risk by the information security professionals body (ISC)2, titled ‘What Every Business Leader Should Know About Cyber Risk’, organisations must ultimately incorporate cyber into the wider risk plan of the business. Within this, key operational dependencies that are being overhauled, upgraded or introduced must be identified and any critical technology that needs protection must be prioritised. This could be your organisation’s server network, the website upon which your customers’ financial trades take place or even individual devices. Bringing the CISO into risk evaluation discussions should also be made compulsory going forward.

Technological transformation is an inherent part of the world in which businesses operate, but in order to mitigate the threat, accepting cyber security as a business risk is paramount. Cyber attacks are only going to increase and businesses are offering hackers an open door by failing to incorporate cyber security within the risk register. If the uptake in new capabilities by businesses is to be maintained securely, then cyber security must become a deciding factor in the implementation of any technology.

© 2024 Finance Monthly - All Rights Reserved.