– Steve Armstrong, Regional Director UK, Ireland & South Africa at Bitglass
There’s no doubt that financial services organisations are a prime target for cyber criminals. Regularly handling sensitive, regulated data like home addresses, bank statements, and Social Security numbers means that these firms need to be highly vigilant when it comes to cybersecurity. Failing to protect data and achieve regulatory compliance can spell disaster for any company. Take Tesco Bank as a prime example. In October last year, the Financial Conduct Authority (FCA) fined the company over £16 million as a direct result of a data breach it suffered in 2016.
Bitglass released its 2018 Financial Breach Report, a study that uncovers information about the top threats in financial services, the industry’s latest and largest breaches, and more. It found that 2018 has been far more dangerous than 2016, the last year that Bitglass conducted a financial breach report. In this year’s study, there were nearly three times as many breaches as there were two years ago. This is largely due to the explosive growth of hacking and malware around the world. These threats have undeniably led the charge against financial services firms this year.
With security teams battling an ever-growing number of cyber attacks, and regulations for data protection mounting, financial services firms need to have their wits about them. And with employees posing the biggest cyber risk of all, IT security teams have really got their work cut out for them. Here are some of the classic employee-generated ‘attack vectors’ together with some advice on how to avoid them:
- Misplaced handsets
Research showed that 26,000 devices were left in Transport for London’s lost property department in 2017. Once in the hands of the wrong person, an unprotected phone or device can be an open door straight into our lives, often containing all the information required for identity theft, financial fraud and a host of other criminal activities.
- Failing to patch or update software
At some time or another, we’ve all been guilty of ignoring requests to update the software on our smartphone or laptop. Many of these updates involve having to restart the device, which can be inconvenient if you’re trying to get something finished. However, these updates often contain critical security patches for new vulnerabilities, so the longer you wait to install the patch, the more danger you are unnecessarily putting yourself in. It may seem like a trivial matter, but failure to act when prompted can be the difference between staying protected and suffering significant data loss.
- Falling for fake Wi-Fi networks
Evil twins are spoofed Wi-Fi hotspots created by hackers with the sole purpose of stealing data and sensitive information. Often, they fool users by imitating a nearby legitimate hotspot operated by a local café or business, using the same name but not requiring a password, allowing for easy access. Unfortunately for anyone logging onto it, the fake hotspot can give the hacker complete oversight of what the user is doing, providing free rein to harvest information such as login credentials and personal passwords for later use.
- Downloading malicious applications
Bogus apps are on the rise and becoming more and more convincing to the untrained eye. When unwittingly installed on a device, many of them attempt to trick users into revealing sensitive information and credentials, while others will act as spyware, or secretly install malicious software on the device that allows hackers to monitor user behaviour.
- Malicious or ignorant use of data
In the modern business environment, efficient mobile/remote working often requires access to sensitive data at all times. But while providing this access (usually via remote network access from our work or personal devices) ensures employees can be as efficient as possible at their jobs, it also puts companies at significant risk. A careless mistake or purposeful action from a single ‘inside’ individual can quite easily lead to highly sensitive information ending up in the wrong hands. The fact that the devices used to access this data travel around with the employees, outside of the control of the business, only makes the threat that much more potent. Going back to the first point on this list, lost or stolen devices can not only lead hackers to personal information, but in many cases, they can also be a treasure trove of information about the company the victim works for.
Reducing risk doesn’t have to be expensive
As with so many security issues, the best way to minimise risk is through vigilance and taking effective protection measures. From a device perspective, complex passwords and multi-factor authentication can be very effective first lines of defence in the event of loss or theft. If you work for a large corporation and/or often work remotely, it’s also a good idea to talk to your IT team about the mobile security solutions they have in place. Many of the best solutions out there today can keep sensitive data on phones, laptops and tablets completely secure, without the need to download anything onto the device itself. This also means that if a device ever goes missing it can be wiped remotely, significantly reducing the risks of a major data breach. The same vigilant approach applies to the use of public Wi-Fi. If in any doubt, check with someone who works in the location and never access a strangely named hotspot, no matter how urgently you need to get online. When it comes to cyber security, a few relatively simple actions could mean the difference between keeping sensitive, regulated data safe, or facing a multi-million pound fine, a damaged reputation and potentially the road to corporate ruin.