The financial sector faces cyber threats daily. Educating employees on the risks posed and methods used by cyber criminals is the first line of business defence.
In a recent interview Darrell King, Global Director, Governance, Risk and Compliance at Axis Corporate explains his concerns around data security in the financial sector.
“Global cyber-attack signalled the growing and dangerous threat to information security and the significant disruption to systems which are vulnerable to attack,” says King. “The NHS and banks are the latest victims with these most recent attacks causing losses estimated in the billions.”
The cyber-attack took the form of malware called “WannaCry” that infected thousands of computers. The National Cyber Security Centre (NCSC) identified that the malware encrypts files before prompting the user with a ransom demand, a countdown timer and a bitcoin wallet where the ransom can be paid to release the files. NCSC is currently investigating the ongoing incident to coordinate a response to any future attacks.
“Regulation has forced companies to prepare better warning systems, as they are obliged to inform the regulator, the Financial Conduct Authority (FCA), about any known hacks and are expected to be able to identify them in a timely manner,” explains King.
Cyber security breaches are not a new threat. In 2015 a Government press release urged companies to take preventative measures following research that showed 90% of large organisations and 74% of SMEs had experienced an information security breach.
“The reality is that even the smallest firms hold large quantities of sensitive data,” says King, “which, if compromised, could then have a ripple effect to other areas of the financial sector. Indeed, as attacks become more sophisticated, it is critical that companies develop and implement solutions that enable the timely sharing of data to prevent incidents and their spread, as well as to promote faster incident detection and response.”
Aside from the sophisticated technology required to both prevent and tackle a cyber breach, a documented remediation plan and a system for its proactive deployment are essential. A review of a company’s IT security policy needs to include awareness of the risks, the consequences of a breach and the response required from both employees and IT staff.
Here are five employee-based considerations to examine in the planning process to ensure shared responsibility across a business.
Staff onboarding process – risk awareness measures.
The classic example is when a company laptop disappears from a crowded restaurant: any sensitive data stored on the hard drive rather than on the server could put your business at risk. Staff need to know that swift action is required rather than an email to IT the following morning. Data is attacked 24/7.
Do you have the right team?
A recent report on data crime predictions identified the lack of IT security staff to implement a security risk strategy as a major stumbling block. A 24-hour remediation plan to deal with a breach is an investment that could save billions and prevent lost customer trust. A planned PR response, should a breach occur, could reassure customers or investors.
Passwords are puzzles hackers like to crack
Make staff aware of the consequences of a breach and how their activities can undermine business security. Whether staff are accessing sensitive files over open Wi-Fi or have lost a device, a criminal may turn to Facebook, look up the mother’s maiden name and begin the process of cracking a password with computer programmes even chess masters would find hard to outsmart.
Lunch and learn sessions and newsletter broadcasts
Broadcast the latest cyber-crime tactics. Staff need reminders, and prevention is cheaper than the cure. The IT risk assessment team requires a channel to explain the risks and the latest preventative methods.
Safe browsing – links and attachments.
The tiny open window is the cat burglar’s favourite. A phishing email or a link on social media opened on a company device can allow malware to spread. During the onboarding process, staff need to know what response is required should they suspect the company has been compromised.