By Andy Barratt, UK managing director at Coalfire
In the wake of another 12 months of major IT glitches and cyber mishaps, the financial services sector continues to find it difficult to yield much faith from customers. In October, the Treasury Select Committee declared that the high number of IT failures suffered by banks and other financial services organisations was “unacceptable”, and that regulators needed to demonstrate that they “have teeth” to keep the market in check.
High on its agenda will have been TSB’s migration glitch, where the bank locked 1.9 million customers out of their accounts when it attempted to transfer its systems over to new parent Banco Sabadell.
Barclays, RBS and Visa have also been subject to cyber mishaps in recent years, contributing to the continued erosion of public trust.
The introduction of GDPR has also increased the level of risk for banks, financial services firms and fintechs, with greater emphasis – and subsequent punitive measures – in place to protect customer data. With such strict rules and regulations, the challenge of looking after customers’ data has become more than just preventing external actors from gaining access but also avoiding falling foul of regulators through internal errors.
It’s getting worse, not better
Despite the high stakes, banks and financial institutions are still failing to get a firm hold of their digital networks.
We recently released the findings of our second annual penetration risk report, which tests the defences of businesses across a range of tech-centric sectors. The study discovered that not only is the financial services sector the most vulnerable to cyberattacks, but its cyber defences are actually deteriorating. Indeed, in the 12 months since the first penetration risk report, the number of businesses in the financial services sector at high risk of attack has increased by more than two fifths (41%).
Five hundred and twenty five businesses from across the US, UK and Europe were subjected to intense security testing by our experts and, of the five sectors tested, the financial services sector is the only one to have become more vulnerable.
It’s not surprising that attackers target and attempt to exploit financial services businesses; by their nature, these businesses possess a lot of sensitive information that could be very valuable to cyber criminals. What is surprising, however, is the continued lack of action despite high levels of risk.
Part of the issue is that financial firms are generally big beasts. Improving security and migrating systems into the cloud is a major challenge and requires the coordination and configuration of multiple infrastructure providers and hybrid environments. What’s more, the public’s gaze is intense and fierce, which can often lead to a state of inertia for fear of getting it wrong.
That being said, it’s critical that the sector improves its security outlook if it is to better protect its customers’ essential data and funds.
A natural starting point in improving a cybersecurity strategy is with technology. However, applying improvements consistently is often more difficult the bigger an organisation is. As cyber criminals learn how to access systems, firms must continue to upgrade them to stay one step ahead.
Unfortunately, this requires an ‘always on’ approach in terms of investment and management. Without this approach, the ‘back door’ entry into an organisation’s infrastructure widens. As such, everyone from fintech start-ups to big banks must realise that the cost of improvement is not as high as the cost of failure.
Another technological downside that arises from the overall size of financial services organisations is operating as part of a supply chain or outsourcing work. Third parties such as payment processing companies or credit card providers, offer attackers with multiple opportunities to target weak links in the supply chain; all it takes is one third party to have a below-par security system to allow the hacker into the entire network.
It’s critical, then, that firms hold their partners up to scrutiny and ensure their backs are covered when they work with third parties. Although the blame for a failure may not fall at their feet, the responsibility and the reputational damage for it certainly does.
In addition to technology, people make up the other half of a robust cybersecurity strategy. Often, the weakest part of a system isn’t the system itself, but the people who use it. Our risk report highlighted that at almost three-quarters (71%) of the businesses tested, employees willingly gave up access credentials when targeted with phishing scams – when a hacker poses as a reputable contact via email.
Through firm-wide training sessions and engendering overall awareness, businesses can begin to significantly mitigate the risk of human error. A state-of-the-art security system is useless if the attacker can use the ‘front door’ rather than breaking in through the back.
What’s more, it’s important to foster a culture where staff feel confident in reporting issues so that solutions to otherwise avoidable issues can be found.
This two-fold approach will only work with regular, if not constant, introspection throughout and a business is only as strong as its weakest link, so continual improvements – to both technology and employee education – are imperative.
Without them, the financial services sector faces another year of bad press.
Coalfire is the trusted cybersecurity advisor that helps private and public-sector organisations avert threats, close gaps and effectively manage risk.
By providing independent and tailored advice, assessments, technical testing and cyber engineering services, we help clients develop scalable programs that improve their security posture, achieve their business objectives and fuel their continued success. Coalfire has been a cybersecurity thought leader for almost two decades and has offices throughout the United States and Europe.