Finance Monthly. Personal Finance. Money. Investing.

A recent survey shows 64% of organisations have deployed some level of IoT technology, and another 20% plan to do so within the next 12 months. This is an astonishing fact when you consider the lack of basic security on these devices, or any established security standards. Many companies are turning a blind eye to security issues, swayed by the potential benefits that IoT can bring. Here Ian Kilpatrick, EVP Cyber Security at the Nuvias Group, provides 10 key facts on IoT.

1. IoT - a cybercriminal’s dream

Any device or sensor with an IP address connected to a corporate network is an entry point for hackers and other cybercriminals – like leaving your front door wide open for thieves.

Managing endpoints is already a challenge, but the IoT will usher in a raft of new network-connected devices that threaten to overwhelm the IT department charged with securing them – a thankless task considering the lack of basic safeguards in place on the devices.

Of particular concern is that many IoT devices are not designed to be secured or updated after deployment. Any vulnerabilities discovered post deployment cannot be protected against in the device; and corrupted devices cannot be cleansed.

2. IT or OT

IT professionals are more used to securing PCs, laptops and other devices, but they will now be expected to become experts in areas such as smart lighting, heating and air conditioning systems, security cameras and integrated facilities management systems.

A lack of experience in this Operating Technology (OT) is a cause for concern. It is seen as operational rather than strategic, so deployment and management are often shifted well away from Board awareness and oversight.

Nevertheless, the majority of organisations are deploying IoT technology with minimal regard to the risk profile or the tactical requirements needed to secure them against unforeseen consequences.

3. Increase in DDoS attacks

DDoS (Distributed Denial of Service) attacks are on the rise, with 41% of UK organisations saying they have experienced one.

IoT devices are a perfect vehicle for criminals to access a company’s network. 2016’s high-profile Mirai attack used IoT devices to mount wide-scale DDoS attacks that disrupted internet service for more than 900,000 Deutsche Telekom customers in Germany, and infected almost 2,400 TalkTalk routers in the UK.

4. ... and ransomware attacks

There has been an almost 2000% jump in ransomware detections since 2015. In 2017, WannaCry targeted more than 200,000 computers across 150 countries, with damages ranging from hundreds to billions of dollars.

While most ransomware attacks currently infiltrate an organisation via email, IoT presents a new delivery system for both mass and targeted attacks.

5. Increasing intensity and sophistication of attacks

The sophistication of attacks targeting organisations is accelerating at an unprecedented rate, with criminals leveraging the disruptive opportunities the IoT brings.

According to Fortinet’s latest Quarterly Threat Landscape report, three of the top twenty attacks identified in Q4 2017 were IoT botnets. But unlike previous attacks, which focused on a single vulnerability, new IoT botnets such as Reaper and Hajime target multiple vulnerabilities simultaneously, which is much harder to combat.

Wi-Fi cameras were targeted by criminals, with more than four times the number of exploit attempts detected over Q3 2017.

6. The effects of an attack

The aftermath of a cyberattack can be devastating for any company, leading to huge financial losses, compounded by regulatory fines for data breaches, and plummeting market share or job losses. At best, a company could suffer irreparable reputational damage and loss of customer loyalty.

On top of that, IoT devices have the potential to create organisational and infrastructure risks, and even pose a threat to human life, if attacked. We have already seen the impact of nation-state attack tools being used as nation state weapons, then getting out and being used in commercial criminal activity.

7. Profit over security

It’s crazy to think that devices with the potential to enable so much damage to homes, businesses and even entire cities often lack basic security design, implementation and testing. In the main this is because device manufacturers are pushing through their products to get them to market as quickly as possible, to cash in on the current buzz around IoT.

Lawrence Munro, vice president SpiderLabs at Trustwave agrees IoT manufacturers are sidestepping security fundamentals: “We are seeing lack of familiarity with secure coding concepts resulting in vulnerabilities, some of them a decade old, incorporated into final designs,” he notes.

8. Can you see the problem?

Another huge problem is that once a network is attacked, it’s much easier for subsequent attacks to occur.

Yet, recent data shows just half of IT decision makers feel confident they have full visibility and control of all devices with network access. The same percentage believe they have full visibility of the access level of all third parties, who frequently have access to networks; and only 54% say they have full visibility and control of all employees.

9. Turning a blind eye

Despite security concerns often cited as the number one barrier to greater IoT adoption, Trustwave research shows 61% of firms who have deployed some level of IoT technology have had to deal with a security incident related to IoT, and 55% believe an attack will occur sometime during the next two years. Only 28% of organisations surveyed consider that their IoT security strategy is ‘very important’ when compared to other cybersecurity priorities.

10. Efforts to standardise

In the UK, the government’s five-year National Cyber Security Programme (NCSP) is looking to work with the IT industry to build security into IoT devices through its ‘Secure by Default’ initiative. The group published a review earlier this month that proposes a draft Code of Practice for IoT manufacturers and developers.

While there seems to be some light at the end of the tunnel, it may not be enough. Regulators won’t force device manufacturers to introduce the necessary security regulations and practices before thousands of businesses fall victim to attacks. Turning a blind eye to the IoT security risks could leave your organisation permanently paralysed.

Where do cyber threats begin? What is the root of the issue and how can we eradicate the source of any risk? What does this look like when you’re a maturing startup compared to a global corporation? Thomas Parsons, Sr. Director of product management at Tenable Network Security, here takes Finance Monthly back to basics and gives his thoughts on the current global cyber situation.

Ransomware had previously been considered just another piece of nuisance malware that largely targeted unsuspecting consumers. However, the recent uptick of new variations, and their drastic impact in restricting access to enterprise systems and data, has catapulted this threat firmly into the spotlight. Events in the last few months have established ransomware as one of the most impactful and persistent global cyber threats.

Ransomware on the global stage

Increasingly in recent years, we’ve seen a shift from hackers using ransomware to target individual users to much larger attacks on enterprises. Top of mind is WannaCry, which wormed its way into networks around the world and encrypted data, closely followed by ‘Petya’ and also ‘NotPetya.’

Ransomware operates by compromising a system, infecting it with malware and encrypting data using a private key, preventing users from accessing the system. Hackers then send a message demanding payment to provide the key and restore the user’s data. Weaponising ransomware with worm capabilities, as with the EternalBlue exploit, has given hackers the opportunity to maximise the damage as the malware spreads from system to system. When ransomware latches onto systems that contain valuable company data, the systems become inaccessible, effectively bringing business to a halt.

For any organisation, the breach of personal data can not only impact the bottom line, but it can also cause irreversible reputational damage.

To pay or not to pay

WannaCry and Petya/NotPetya represent the new normal of today’s sophisticated threat environment. And with ransomware now impacting the global community, organisations must grapple with whether to pay the ransom.

Unfortunately, there is no guarantee that an organisation, which has its data held hostage by cyber criminals, will get a decryption key by paying the ransom – after all you’re dealing with criminals.

Paying the ransom also further funds the criminals’ antics, validating the business model and encouraging repeat infections – a practice that doesn’t benefit anyone in the long run, except perhaps the criminals.

However, the debate as to whether to pay cyber ransom shouldn’t be the focus, given that these attacks can be preventable.

Rather than a sophisticated attack or zero-day exploit, ransomware often takes advantage of well-known software vulnerabilities that organisations have failed to patch or update. The truth is attackers would much rather gain entry to the network by exploiting a known, but unpatched vulnerability, or a phishing email, because these techniques have a much higher return on investment.

But patching isn’t always that simple. Security teams can't control everything, and while it has become increasingly easy to deploy changes into environments, there are some mission-critical systems that can’t be updated with a click of a mouse or a simple script. For those systems that can’t be taken offline without disrupting business operations, security teams must implement compensating controls and make proper, risk-based decisions to mitigate the threat.

Cyber 101: Back to the basics

If we’re to leave ransomware in the past, organisations must get back to the basics, focusing on the foundations of strong cybersecurity.

To start, organisations need to implement security controls that prevent untrusted or unknown applications from being installed, while not impeding end-user productivity. This means security teams should use application whitelisting, blacklisting, dynamic listing, real-time privilege elevation and application reputation.

Organisations should also consider adopting the principle of least privilege, which gives privilege to users according to job necessities. In the event of an accidental link click or attachment opening that attempts to execute an application requiring elevated privileges (such as encrypting a hard drive, network share or folder), the user privileges would not allow those actions to be performed, stopping the attack immediately.
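The two controls above, application allow-listing and least privilege, can be shown as a small policy engine. This is an added example written for this page, not Tenable's or the author's code; the hash tables, roles and privileged actions are constructed for illustration, and a real deployment would source them from the operating system's application-control and directory services.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical policy tables (constructed for this example, not from the article).
# Actions that can change data at scale require an elevated role; everything else
# is an ordinary user action.
PRIVILEGED_ACTIONS = {"encrypt_share", "delete_backups", "modify_acl", "install_software"}
ROLE_PRIVILEGES = {
    "standard_user": set(),
    "backup_admin": {"delete_backups"},
    "domain_admin": set(PRIVILEGED_ACTIONS),
}


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def execution_decision(path, allowed, blocked):
    """Default-deny allow-listing: a binary runs only if its hash is known good.

    Explicit block entries win over allow entries, and anything unknown is
    denied rather than allowed, which is what stops a freshly built dropper
    that no blocklist has seen yet.
    """
    digest = sha256_of(path)
    if digest in blocked:
        return "deny", "hash is on the block list"
    if digest in allowed:
        return "allow", "hash is on the allow list"
    return "deny", "unknown application (default deny)"


def action_permitted(role, action):
    """Least privilege: grant a privileged action only if the role carries it."""
    if action not in PRIVILEGED_ACTIONS:
        return True
    return action in ROLE_PRIVILEGES.get(role, set())


def demo():
    """Build two constructed files, approve one, and evaluate both policies."""
    with tempfile.TemporaryDirectory() as tmp:
        approved = Path(tmp, "approved_tool.exe")
        approved.write_bytes(b"constructed: contents of an approved line-of-business tool")
        unknown = Path(tmp, "invoice.pdf.exe")
        unknown.write_bytes(b"constructed: contents of a binary nobody approved")

        allowed = {sha256_of(approved)}
        results = {
            "approved_tool": execution_decision(approved, allowed, set())[0],
            "unknown_binary": execution_decision(unknown, allowed, set())[0],
            # A block entry overrides an allow entry for the same hash.
            "blocked_even_if_allowed": execution_decision(approved, allowed, {sha256_of(approved)})[0],
            # A user who clicks a bad link cannot encrypt a share without the role.
            "user_encrypt_share": action_permitted("standard_user", "encrypt_share"),
            "user_open_document": action_permitted("standard_user", "open_document"),
            "admin_encrypt_share": action_permitted("domain_admin", "encrypt_share"),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the two checks together is the one the article makes: even when a user is tricked into launching something, the binary is denied because it is unknown, and even if it were allowed, the user's role does not carry the right to encrypt a network share.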

Even more important is end-user security training and awareness, backed by a solid understanding of attack methods used to gain information from users. Educating users on how to spot a phishing email and the dangers of sharing personal information and installing software from unknown sources can benefit them both at work and home.

In the modern computing environment, which now spans cloud, on-premises, IoT and operational technology, continuous visibility into the vulnerability status of every asset is critical to understanding the business impact of ransomware attacks and to fundamentally improve how organisations think about cybersecurity.

Here is a simple mantra to help focus the mind - If you can’t patch it, then you must protect it. And if you can’t do either, then you should prepare for the consequences.

Austen Clark, managing director of Scottish IT specialists Clark Integrated Technologies, tells Finance Monthly that a ransomware demand can be commercial suicide for a business, as it has the potential to ruin its reputation and send share prices plummeting, and the business may struggle to recover from the damage done.

Austen’s advice is simple - prevention is better than cure.

“Should companies pay cyber ransoms? The answer is that they should never have been in the position to be ransomed in the first place.

“Ransomware is the most financially successful hacking tool over the past four years. Revenues from ransomware have been increasing exponentially year on year – in 2016 a 6,000% increase in revenues was reported.

“It is also one of the most publicised forms of attack, so companies really have no excuse for failing to have appropriate backups, data recovery and updates in place. This can be avoided – hence why a business should not find itself in this position.”

Even after an organisation has been compromised, it should not consider paying a cyber ransom, explains Austen.

“By paying the attackers, you have confirmed that their method works, and paying a ransom does not guarantee you will get your data back. These are dishonest people, and even when you hand over the ransom there is no guarantee they will honour the arrangement. It has been well documented that they do not always release all of the data, holding out with additional requests.”

Austen outlines practical preventative measures relevant to all businesses to defend against a ransomware attack.

As long as companies continue to pay up, then hackers will strike in this way.

Austen adds: “There are few that will admit to an attack – and even fewer admit to paying up, so this is vastly under-reported, but this has crippled companies before, and it will again. Organisations like Nayana will be in the press for a long time and for all the wrong reasons.

“If you follow these points you will reduce the risk of a ransomware attack, which really is the best defence. In the event of falling victim you can restore your information and not have to pay a ransom. Back up data to a separate source like a data centre, cloud, or external hard drive, basically anywhere but your current source.”

The threat of cyber extortionists holding data hostage is significant. Symantec’s 2017 Internet Security Threat Report lists ransomware as the ‘most dangerous cybercrime threat facing consumers and businesses’.

Last week, South Korean web-hosting firm Nayana agreed to pay a $1m ransom to unlock computers frozen by hackers. Security experts warned that firms should not pay such ransoms or enter into negotiations with hackers. In addition, today several firms globally were held to cyber ransoms including banks, airports and government systems around the world. Even DLA Piper suffered an attack according to the BBC.

When considering high-risk industries like financial markets, the data and infrastructure at risk is both incredibly sensitive and complex. Once adversaries gain access to an environment, they can access everything from proprietary algorithms and trading strategies through to sensitive customer data.

This week, Finance Monthly received its biggest ever number of responses to the question ‘Should Companies Pay Cyber Ransoms?’ Below are just a few of the responses from top experts around the world.

Jack Bird, Content Specialist, Team Umbrella:

The magic of the internet and today’s cutting edge technology is based on a give and take relationship. To take all the lightning quick information and globalised communication, we have to give our personal details and highly sensitive information in return; like a sacrifice to the all-powerful cyber gods that we’re forced to trust so our crops might be more fruitful next year.

The easier things get for us, the larger the anvil hanging over our head becomes; and this form of cyber terrorism we’re seeing with Nayana is only going to grow. This might soon see a return to more physical forms of media to avoid the proxy-warfare of recent headlines, but for now, and it is a weak answer: it’s a matter of balances.

Maybe the correct move is to stand up to the bully and not give them your lunch money, because next week they might come back for your homework or the intricate details of your eight figure business plans. Giving in to demands, however, might result in you going hungry throughout the day – or, to put an end to that analogy, your work force of mothers and fathers going hungry because you can’t pay them anymore.

Films taught us to puff our chest out, but, even though this news story might resemble the plot line of a 1980’s Paul Verhoeven film – this isn’t a film. There is no simple answer because every question is different. Is the $1 million more valuable than the files they’re holding a gun to the head of? Maybe they’re outdated and you don’t need the information anymore?

There is no definite answer, which makes this a bad one – but, also, the right one.

Rafe Pilling, Senior Security Researcher, Counter Threat Unit, SecureWorks:

To paraphrase a well-worn bit of philosophy, all that is necessary for ransomware attackers to succeed is for well-meaning organizations to pay the ransom. In 2016, it became common for thought leaders to say “Never pay the ransom, but …” and that “but” was meant to allow wiggle room for instances when a $500 ransom was cheaper than the hassle of not paying, or when healthcare entities were dealing with true matters of life and death. But the problem with either of those scenarios is: as soon as one pays the ransom, then one has reinforced that the attackers made the right decision to attack. The only reason this crime thrives is because it’s profitable: organizations (despite what they say publicly) continue to pay the ransom. When that stops, so will the attacks.

Eric Berdeaux, CEO, OXIAL:

If the situation has gone so far that an organisation has actually been breached, then paying can be the best option open to them. Ransomware is truly insidious and can often encrypt most, if not all, of an organisation’s data. This makes it completely unusable and puts a halt to any internal business and IT processes. Such is the professionalism and expertise of modern hackers, it can be very difficult to fend off ransomware once it has taken hold. To try and clean the virus, delete all of the encrypted files and then restore them, would not only cost a lot of money but would require a number of highly skilled engineers too. Even then, there is no guarantee of success. That’s why I believe that when it has gone this far, the only way is to pay.

Of course, it would have been far better to spend this money in a different way – securing the data properly and effectively in the first place, and covering any residual risk with good insurance. Organisations do not always do this even when they have suffered an attack, believing lightning won’t strike twice. This is misguided. When it comes to cyberattacks, lightning can and will strike on many occasions - the security threat in 2017 is incredibly complex, varied and on-going. Without continuous protection, organisations will be hugely vulnerable and may find themselves facing expensive ransom demands.

Rob Norris, VP Head of Enterprise & Cyber Security EMEIA, Fujitsu:

The news that South Korean web-hosting firm Nayana has agreed to pay a $1m ransom to unlock computers frozen by hackers is stirring a new narrative around whether we should be giving in to hackers. While industry experts have been preaching against this, companies are ultimately left facing the prospect of irreversibly losing valuable data, or paying a certain, often excruciating, amount of money to save their businesses.

Paying ransomware encourages the lucrative side of malicious cyber activity, which subsequently attracts more actors willing to engage for their personal gain. The truth is that many organisations probably don’t see themselves as ‘high value targets’ for attackers and it’s likely that they have very minimal protection or staff training and awareness. However, for many malicious actors finding vulnerabilities is their bread and butter, and they will look to hold organisations to ransom through a ‘soft attack’ that compromises its data.

Organisations should ensure they have good backups if they are infected. They must take a proactive and intelligence driven approach to security, by monitoring phishing campaigns which evade their mail gateway controls for example. Backups, risk analysis, staff training and further practical advice such as application whitelisting and incident response will ensure the risks associated with ransomware are as low as possible.

With this knowledge there is no excuse not to be prepared. Cyber criminals are entrepreneurial, well-sourced and motivated, and we shouldn’t be repaying their efforts in hefty amounts of ransom.

Sarah Adams, Cyber Risk Expert, PolicyBee:

Faced with not having access to your systems, data or website, it’s tempting to take what seems like the line of least resistance and pay a ransom straightaway. But there are good reasons why that might not be the best thing.

From a cyber insurance point of view, the most obvious alternative is to get in touch with your insurer. This kind of situation is exactly the sort of thing your policy is for. Your insurer has access to cyber security experts who will evaluate and deal with the problem for you.

Of course, if there’s no way around it, your policy will cover the ransom. But ideally your insurer will want to sort the situation by other, technical means if possible – there’s no guarantee paying up means case closed. Who’s to say you’ll get your files back, even if you cough up? Your insurer certainly doesn’t want to trust the word of a cybercriminal.

The point here is that two (or more) heads are better than one. You don’t have to deal with a ransomware problem – or any other cyber-attack – on your own. Cybercrime is alien territory for most businesses, and it makes sense to get help when you need it most. A specialist insurer not only has the money to sort out these situations, it has the time and the expertise too.

Although undoubtedly unsettling and very much an unknown quantity, cyber-attacks involving ransomware aren’t always the business disaster they might first appear to be. Paying up doesn’t have to be a given and doing so, worst-case scenario, can risk turning you into a future blank cheque.

Preventing an attack in the first place can be equally expensive and time-consuming (and, given the odds, arguably futile), so it pays to have help and support on standby for if and when you’re targeted. You don’t need to be a cyber security expert to recover from an attack – you just need to know someone who is.

Dr Guy Bunker, Senior Vice President of Products, Clearswift:

This case sets an unfortunate precedent, whereby larger organizations are shown to be prepared to pay significant sums of money to cyber-criminals. It will only stoke the fire of ransomware and the attacks on business if the perpetrators think they will get away with it. In the non-cyber world, we saw this with the Somali pirates, where once ransoms started to be paid, there was a huge rise in vessels and crew being taken hostage.

Our advice is always the same for both individuals and organisations: once you’ve been compromised, do not pay the ransom. By paying, you’re opening yourself up to further attacks as the criminals will see that A) the organisation has the willingness to pay ransom and B) the cash reserves to do so. Furthermore, in more than 30% of cases, access to the information is not returned, i.e. you still don’t get your data back in an unencrypted form. All too often, the cyber-criminals take the money and then re-encrypt systems a short while later – as the malware will still be lurking in the background, unless it has been fully removed.

This is not the only issue: negotiations between the criminals and the organisation can take up valuable time and resources – according to reports it took Nayana over a week of back and forth with the hackers to come to an agreement. Ransomware’s biggest impact is downtime of the organization, with several organizations requiring complete IT shut-down and the return to pen and paper while the issues are resolved.

The best defense against ransomware is firstly, to ensure all systems and applications are kept up to date with security patches being applied; secondly, ensuring that security systems are in place that strip hidden active content (the type likely to be ransomware) out of documents and emails coming into your organization; and thirdly, to regularly backup critical information. Backups are key and can ensure that even if information is encrypted, you won’t be in a position where you have to pay – minimizing the harm to you and the reward to the criminal to zero.
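The second of the three measures above, stripping hidden active content out of inbound documents, can be illustrated with a mail-gateway style inspector for Office Open XML attachments. This is an added example written for this page, not Clearswift's product or code; the sample documents are constructed in memory (a clean .docx, a macro-enabled .docm with a placeholder `vbaProject.bin`, and a .docx whose relationships point outside the organisation), and the finding names are this example's own. It quarantines rather than rewrites, which is the safe default when the sanitiser is not certain it can produce a valid document.

```python
import io
import re
import zipfile

# Magic bytes of the legacy OLE2 (.doc/.xls) container. This OOXML-only inspector
# cannot look inside it, so such files are routed for review rather than delivered.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def active_content_findings(data):
    """Return the reasons an Office attachment carries active content (empty if none)."""
    if data.startswith(OLE2_MAGIC):
        return ["legacy binary Office container (not inspectable as OOXML here)"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not an OOXML document; other scanners cover other types
    findings = []
    with archive:
        names = archive.namelist()
        for name in names:
            low = name.lower()
            if low.endswith("vbaproject.bin"):
                findings.append(f"VBA macro project: {name}")
            elif "/embeddings/" in low:
                findings.append(f"embedded OLE object: {name}")
        if "[Content_Types].xml" in names:
            types = archive.read("[Content_Types].xml").decode("utf-8", "replace")
            if "macroEnabled" in types:
                findings.append("macro-enabled content type declared")
        for name in names:
            if not name.lower().endswith(".rels"):
                continue
            rels = archive.read(name).decode("utf-8", "replace")
            for element in re.findall(r"<Relationship\b[^>]*>", rels):
                # A relationship with an external target makes the document fetch
                # content from outside the organisation when it is opened.
                if 'TargetMode="External"' in element:
                    target = re.search(r'Target="([^"]*)"', element)
                    findings.append(f"external relationship in {name}: "
                                    f"{target.group(1) if target else '?'}")
    return findings


def gateway_decision(data):
    """Quarantine anything with findings; deliver clean documents unchanged."""
    findings = active_content_findings(data)
    return ("quarantine" if findings else "deliver"), findings


def build_ooxml(parts):
    """Assemble a minimal OOXML zip from {part_name: bytes} (constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed parts: only the pieces this inspector looks at, not full documents.
DOC_XML = (b'<w:document xmlns:w="http://schemas.openxmlformats.org/'
           b'wordprocessingml/2006/main"><w:body/></w:document>')
CLEAN_TYPES = (b'<?xml version="1.0"?><Types><Override PartName="/word/document.xml" '
               b'ContentType="application/vnd.openxmlformats-officedocument.'
               b'wordprocessingml.document.main+xml"/></Types>')
MACRO_TYPES = (b'<?xml version="1.0"?><Types><Override PartName="/word/document.xml" '
               b'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
               b'<Override PartName="/word/vbaProject.bin" '
               b'ContentType="application/vnd.ms-office.vbaProject"/></Types>')
CLEAN_RELS = b'<Relationships><Relationship Id="rId1" Type="styles" Target="styles.xml"/></Relationships>'
REMOTE_RELS = (b'<Relationships><Relationship Id="rId1" Type="attachedTemplate" '
               b'Target="http://template.example/t.dotm" TargetMode="External"/></Relationships>')


def sample_clean_docx():
    return build_ooxml({"[Content_Types].xml": CLEAN_TYPES, "word/document.xml": DOC_XML,
                        "word/_rels/document.xml.rels": CLEAN_RELS})


def sample_macro_docm():
    return build_ooxml({"[Content_Types].xml": MACRO_TYPES, "word/document.xml": DOC_XML,
                        "word/vbaProject.bin": b"constructed placeholder, not real compiled VBA",
                        "word/_rels/document.xml.rels": CLEAN_RELS})


def sample_remote_template_docx():
    return build_ooxml({"[Content_Types].xml": CLEAN_TYPES, "word/document.xml": DOC_XML,
                        "word/_rels/settings.xml.rels": REMOTE_RELS})


if __name__ == "__main__":
    for label, doc in [("clean", sample_clean_docx()), ("macro", sample_macro_docm()),
                       ("remote template", sample_remote_template_docx())]:
        print(label, gateway_decision(doc))
```

A gateway built on this pattern delivers ordinary documents untouched and holds back the three things the quote calls hidden active content: macro projects, embedded objects and links that pull in content from outside, with legacy binary formats sent for review because their structure cannot be checked the same way.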

Robert Rutherford, CEO, QuoStar:

Ransomware is an increasing threat, and one which is here to stay. Although businesses may not like the thought of paying a cyber ransom, in today’s digital era if an entire business’s IT environment is frozen then it is unable to function, and this loss of productivity can come at a far higher cost than the ransom itself.

When it comes to deciding whether to pay a ransom, a business essentially needs to understand how much an outage or a loss of key data assets is going to cost them. This information will allow a business to measure risk against cost and make an informed decision. If a cyber ransom is £500 for example, whereas loss of productivity could cost thousands, the decision can be made easily by those responsible for IT security within a business.

Furthermore, this information should also be used by a firm’s senior leadership team to determine which protections and solutions should be put in place to prevent the business from being infiltrated by ransomware again, or by another type of cybersecurity threat in the future. IT security must be a priority, however, and firms must not wait until ransomware strikes to conduct these risk-versus-cost reviews; they should act ahead of time.

Giovanni Vigna, CTO and co-founder, Lastline:

Companies should not pay ransom. However, there might be situations in which not paying ransom would cause irreparable damage to a company, putting the company out of business. In these cases, paying might be the only option, but these situations can be avoided by being prepared. Ransomware, in a way, is not very different from a catastrophic event. What if a room full of servers is flooded and the machines damaged beyond repair? Would the company be ready to restore the service (and the associated data) after such an event? If the answer is “yes” the company could probably withstand a ransomware attack as well…

Andrew Stuart, Managing Director, EMEA, Datto:

Firms should never cave in to ransom demands from hackers. First of all, paying up does not guarantee the safe return of data. Datto conducted some research into this topic during the twelve months up until September 2016. We found that almost half – 47% – of the European firms which opted to pay ransoms, didn’t get all of their data back.

Secondly, firms that choose to cough up can quickly gain a reputation amongst cybercriminals for being a soft target. This leaves them particularly susceptible to future attacks.

On a wider scale, each and every time a ransom is paid more money is ploughed into the criminal underworld. Today’s hackers work like businesses, with a portion of their income being invested in R&D. This extra cash could be used to develop new strains of malware or to exploit new vulnerabilities. While paying a ransom seems like a quick fix, it has negative, long-term consequences for all organisations.

Instead of paying ransoms – especially ones with $1 million price tags – organisations need to invest in better defences. Patching vulnerable IT systems is vital, as are perimeter defences such as anti-virus software and firewalls. But these alone are not enough. Firms also need to back up their data. If they can roll back their systems to a point in time before their data was illegally encrypted by hackers, firms can carry on as normal, with no dramas and no ransoms.

Andrew Bushby, UK director at Fidelis Cybersecurity:

An analogy often used to describe ransomware and whether to pay up or not is ‘protection racket’. In old-fashioned mob movies, two guys walk into a grocery store saying ‘Hey, nice store. Would be a shame if something were to happen.’ The reason the mob ‘insurance’ scams worked is because the value of the protection was higher than the cost of the insurance – and the mob delivered on their promises. In the case of ransomware, the value of the data is higher than the ransom and operators go through great effort to ensure users get their data back. Occasionally there are errors, but in general, people do get their data back.

In an ideal world, consumers and organisations would be better prepared. With sound backups in place, ransomware infections would merely be annoying exercises involving file restoration. Ensuring backups of critical or valuable information has been a best practice for decades, but because reality rarely matches the ideal, this often doesn’t happen. Consequently, a few tips can help those dealing with a ransomware attack:

Stu Sjouwerman, CEO, KnowBe4:

Ransomware has been called the most profitable criminal business model in history. Bad guys infect a workstation or whole network and hold the data hostage until a fee is paid to get it back. Last month, the WannaCry ransomware strain went global, impacting computers in more than 150 countries and wreaking havoc on Britain’s National Health Service, Spain’s Telefonica and France’s Renault automobile factory.

Ransomware has become a “when, not if” scenario for businesses of all sizes. Typically ransomware comes into a company through an employee – usually by opening the attachment of a phishing email, which then gives cyber criminals the ability to download the malware onto the user’s computer or network without their knowledge.

Most antivirus programs do not detect it as it is rapidly changing, with new variations every day. Being successfully hit by a ransomware attack can set a business back 50 years, using “pen and paper” management, and the ransom amount can get very high. WannaCry charged $300/machine, which adds up very quickly, particularly for small and mid-sized businesses (SMBs).

Now to pay or not to pay – this is ultimately a business decision, and one which most organizations do not make lightly. There are different types of ransomware infections:

It is crucial to start with a so-called defense-in-depth strategy to protect your network, including weapons-grade backups that are regularly tested, ensuring all software is up to date, running antivirus software but not relying on it, identifying users who handle sensitive information and checking firewall configurations to make sure no criminal network traffic is allowed out and educating your users as your last line of defense so they can stop ransomware before it comes in.
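"Backups that are regularly tested" is the part of the list above that is most often skipped, so here is what a test actually looks like: record a manifest of file hashes when the backup is taken, restore the archive into scratch space, and compare. This is an added example written for this page, not KnowBe4's code; the source tree and the backups are constructed in temporary directories, and the second backup is built from data that has been overwritten to stand in for a copy taken after an infection.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 (taken at backup time)."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source):
    """Return a gzipped tar of the source tree plus the manifest recorded with it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(source, arcname=".")
    return buf.getvalue(), build_manifest(source)


def restore_test(backup_bytes, manifest):
    """Restore into scratch space and diff the result against the manifest.

    A backup is only 'usable' when every recorded file comes back with the
    content it had when the manifest was written; anything else is a finding
    to fix before it is needed for real.
    """
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp)
        with tarfile.open(fileobj=io.BytesIO(backup_bytes), mode="r:gz") as tar:
            tar.extractall(target)  # scratch directory; archive was produced by make_backup
        restored = build_manifest(target)
    missing = sorted(p for p in manifest if p not in restored)
    changed = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"missing": missing, "changed": changed, "usable": not missing and not changed}


def demo():
    """Constructed scenario: a good backup, then one taken after files were overwritten."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "data")
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("constructed,ledger,rows\n")
        (source / "finance" / "q1.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (source / "readme.txt").write_text("constructed readme\n")

        good_backup, manifest = make_backup(source)
        good = restore_test(good_backup, manifest)

        # Simulate the state after an infection: one file overwritten with
        # unreadable content, one deleted, then a backup job runs anyway.
        (source / "finance" / "ledger.csv").write_bytes(b"\x8f\x21\xa0\x77 constructed junk")
        (source / "readme.txt").unlink()
        late_backup, _ = make_backup(source)
        late = restore_test(late_backup, manifest)  # checked against the earlier manifest
    return {"good": good, "after_infection": late}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Run on a schedule, the report tells you before an incident whether the most recent backup can be relied on; a backup whose only test is "the job finished" is the kind that turns out to contain encrypted files when it is finally needed.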

Alex Manea, Chief Security Officer at BlackBerry:

Companies that experience ransomware attacks should never consider paying any ransom demand. Not only does it cause reputational damage and a loss in customer confidence, but once an organisation succumbs to paying a cybercriminal there is still no guarantee that full recovery will occur. Trusting cybercriminals to provide a decryption key can often take days, weeks or not happen at all.

Businesses should also keep in mind that cybercriminals are anonymous and they have no reputation to protect, which means they have no incentive to hand over the decryption key, as this could make them easier to trace.

In addition to this, there is now evidence that hackers are actually repeating other hackers’ successful ransomware activities. This not only suggests that businesses that are paying ransoms aren’t getting their data back, but are likely inspiring future attacks.

If a company does choose to pay the ransom, as in this case Nayana did, and they gain access to the decryption key or a tool which can help them to access their files again, there is still no certainty that the organisation is secure again. Indeed, in many ways the company is now more vulnerable to ransomware attacks, as it will have a reputation for paying and this could actively encourage additional ransomware attacks and even bigger financial demands.

We would also love to hear more of Your Thoughts on this, so feel free to comment below and tell us what you think!

With cybercrime and ransom hacks being a common occurrence in today’s newsrooms, Karen Wheeler, VP UK Country Manager at Affinion, talks to Finance Monthly about the opportunities that can arise from these kinds of threats, for the banking sector in particular.

We’re living in a world where high profile data hacking scandals and cybercrime attacks dominate our headlines on an almost daily basis. New research by Barclays has revealed that last year alone saw a total of 5.6m cases of cyber fraud reported across the UK; a figure accounting for nearly half of all UK crimes, affecting both companies and consumers alike.

The newest member of the ever-growing club of victims is the NHS, which last week saw a colossal attack in which criminals took control of computers and held hospitals to ransom. But despite the mass media coverage, it’s not just high-profile organisations that are targeted. Cyber criminals are also after sensitive customer information and payment details that can be traded on the dark web.

Clearly, no one is exempt from the threat of digital fraud, and Barclays’ research highlights the need for education on protection methods amongst UK consumers. In fact, almost 40% of people believe they can’t prevent cybercrime, according to a survey by Get Safe Online.

While there’s no doubt that cyber-crime exists, the number of reported cases suggests there could be a lack of clarity around who can be targeted, what constitutes risky cyber behaviour, who is responsible for protecting against digital crimes, and how customers can protect themselves.

Step 1: Recognise the opportunity

Following its research, Barclays has also announced plans to lead a £10 million campaign against digital fraud, with the primary aim of educating customers. Its campaign, and the current climate in which cybercrime is rife, illustrate a clear opportunity for banks to step up and adopt a role of responsibility in this field, positioning themselves as experts in educating customers on risk and on how they can protect their identities from digital fraud.

While some financial services institutions may question whether or not this is their job, given the amount of money they lose as a result of fraud, perhaps the question they should be asking is whether they can afford not to address this issue.

However, the truth is that banks are actually among the brands most trusted by consumers when it comes to data security. The Symantec State of Privacy Report in 2015 revealed that 66% of banks were the third most trusted by their customers to handle data; only hospitals and medical services ranked above. Evidently, there is already a great deal of trust and brand value for financial services institutions when it comes to handling data, meaning customers are likely to value their banks’ advice. This is something that, currently, many are failing to utilise.

There’s a lot to learn from Barclays and by recognising this as an opportunity, not a challenge, banks can enable customers to make better fraud prevention choices, enhance loyalty and build deeper, more valuable customer relations in a fiercely competitive market.

Step 2: Educate and empower

By enabling people to make better security and fraud prevention choices that are backed up by relevant and knowledgeable support when things go wrong, banks can enhance their reputation amongst existing and potential customers. For example, Barclays’ upcoming digital-led safety campaign provides free support to SMEs as well as an online quiz for customers to assess their overall digital safety level, equipped with advice and tips for improvement.

Whilst this might sound like simple advice, it is guidance that could empower customers to be a little more careful about who they disclose their personal information to. Other examples might include a helpline to provide customers with peace of mind. Such a service could increase a customer’s bond and loyalty to their bank.

Step 3: Offer additional services

In addition to educating and advising customers about risks and ways to protect their identity, banks can also take further steps to build loyalty by offering additional and exclusive services. Barclays is now giving customers the opportunity to set up daily ATM withdrawal limits on their mobile banking app, to prevent the risk of security breaches. This is just one example of an additional account protection service that a bank could offer its customers on top of advice.

By taking responsibility and offering customers not just advice, but an actual service that will help them protect themselves, a bank can extend its influence into customers’ lives, improving their value and retention. In fact, our recent study looking at customer engagement found that banks that offer ‘protecting the customer’ products have 13 per cent higher customer engagement scores compared to the average, meaning they stay longer and are more likely to recommend to others.

Cyber-security attacks have presented, and will continue to present, a significant threat because of the connectivity of modern life, unless action is taken. There is an ever-rising level of customer data online, which both businesses and customers need to take responsibility for keeping safe. But amidst the threat and concern, there is an opportunity for financial services institutions to look beyond this and instead see the challenge as a chance to build more loyal and lasting customer relations.

About Finance Monthly

Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.
© 2024 Finance Monthly - All Rights Reserved.