WAYS TO KEEP YOUR HYBRID WORKPLACE SECURE FROM THE IRREVERSIBLE DAMAGE OF A CYBER ATTACK

By Alex Bransome, CISO at Doherty Associates, specialists in managing and securing cloud services in the finance sector.


A recent in-depth study of 3,000 UK firms and 2,000 employees, commissioned by our team at Doherty Associates, found that 42% of the financial and legal firms questioned, including those in private equity, investment and asset management, said their firm was inadequately protected against the cyber risks of hybrid working.

At the same time, one in five of the firms admitted that a major cyber attack could cost their business £10 million or more in irreversible damage: loss of sensitive corporate and confidential client data, a GDPR breach or fine, and long-term reputational harm to the firm.

Yet hybrid working is here to stay for over half of the firms we spoke to, despite the greater exposure to a breach that it brings. In a recent BBC poll of 50 of the biggest employers in Britain, firms including JP Morgan, Rathbones and the investment bank VSA Capital said they had no immediate plans to bring staff back to the office full-time.

And you can see why flexible working is the preferred choice for both firm and employee: over a third of the finance and legal professionals we spoke to said they found it easier to win new business and close deals when working from home.

However, a more flexible, hybrid scenario is creating increasingly complex cyber security challenges as employees move between different set-ups, in different places, using different devices.


More than one front door

With employees working outside of the office, using a blend of personal and company devices, finance firms no longer have a single ‘front door’ to protect but a multitude of entry points to secure against cyber criminals.

While it remains the case that most information leaks out by accident, the chances of this happening increase with more employees working from home, as the attack surface extends to every device in use, no matter who owns it. At the same time, cyber criminals are finding ever more sophisticated ways to target remote employees, and finance is an increasingly attractive target because of the high value of its transactions. What's more, a high number of employees working remotely appear to be experiencing cyber or data breaches that the firm never learns about.


It’s the unknown you need to worry about

52% of the finance and legal firms we interviewed said their organisation had yet to experience a cyber attack or data breach since transitioning to remote working at the first UK Covid-19 lockdown in March 2020. Yet a quarter of employees said they had been the victim of a data breach, or caused one themselves, since working remotely; one in seven had experienced a phishing attack or similar; and 42% admitted to emailing confidential client information or unencrypted attachments.

The gap between how many firms detect breaches and how often employees report experiencing them suggests that employees are not reporting all of the mistakes they make. It also shows that firms still need a well-rounded cyber security programme, combining protective, detective and responsive controls, if they are to keep their information, people and workforce safe.

It’s not the tip of the iceberg you need to worry about. It’s the bit you can’t see underneath. Underestimating the risks and vulnerabilities that come with home and hybrid working could prove costly.


Reinforce your moats to protect your castles

Many firms appreciate that a single 'castle and moat' perimeter defence, where employees are protected within the boundary of the office firewall, is no longer fit for purpose in a hybrid workplace. Some are struggling to keep up with the fast-moving challenges that blended working brings, but there are steps your firm can take to safeguard its 'borderless' network.

  • Improve your cyber hygiene and widen your security perimeter to protect those working outside the office

Cloud-based technologies such as Data Loss Prevention (DLP) and Information Protection can help guard against data leakage. Ensure that every internet-facing system requires multi-factor authentication, so employees' identities stay secure while they work remotely, and restrict the use of personal devices.

Use software that ringfences and encrypts all corporate data on mobile or 'bring your own' devices: the corporate data can then be wiped if the device is lost or stolen, without touching personal data such as family photos should the device later be found or recovered. Full-disk encryption on company devices such as laptops likewise mitigates the risk of the data being read if a device is stolen.

Ensure, too, that no company information is shared via personal cloud storage platforms, where documents are easily forgotten and just as easily compromised.

  • Conduct a cyber risk assessment at least every six months to improve your security posture

This will identify and address critical vulnerabilities, gaps or compliance issues. An assessment should: identify your most important or critical assets; identify weaknesses or vulnerabilities in those assets, or in how they are used and accessed; assess the likelihood and impact of each risk materialising; and identify controls that reduce the identified risks to an acceptable level.

  • Carry out regular cyber awareness training

Over a third of the financial professionals in our poll say they have had no cyber training since they began working from home at the start of the pandemic, despite now using different software and platforms to collaborate, as well as a mix of personal and work devices.

Building in regular comprehensive cyber security awareness training for every employee is critical to safeguarding against any vulnerabilities, weak spots or compliance breaches.

Most importantly, it should clearly convey your organisation's approved ways of working, communicating and sharing data. Beyond this, user awareness should cover end-user security best practice and how to spot common attacks such as phishing, backed by phishing assessments that actively test and measure awareness levels across the organisation.

Employees equipped to identify threats in real time can become a firm's greatest security asset, so making cyber security training a 'must' rather than a nice-to-have is critical in this new era of hybrid working.

Your firm is only as safe as its weakest link, but cyber-savvy employees, robust security measures and a strong defence will keep both firm and workforce secure wherever they are.
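The first step above recommends DLP to stop data leaking, and the survey found that 42% of employees had emailed confidential client information or unencrypted attachments. The code below is an added example, not code from the original article or from Doherty Associates, of the kind of pre-send check a DLP gateway performs on outbound mail: it scans the body and any text attachments for constructed patterns (UK National Insurance numbers, IBANs validated with the ISO mod-97 checksum, a CONFIDENTIAL/PRIVILEGED marker) and flags zip or PDF attachments that are not encrypted. The patterns, the file-type rules and the sample message are assumptions for illustration, not a production ruleset.

```python
"""
Pre-send DLP check for outbound e-mail (added example, standard library only).

Flags the two behaviours the survey describes: confidential client
information in the text, and attachments sent without encryption. The
regexes, file-type rules and sample message are constructed for this
example and are not a production ruleset.
"""
import io
import re
import zipfile
from email.message import EmailMessage

# Coarse patterns for data a finance or legal firm would not want leaving in clear.
PATTERNS = {
    "uk_national_insurance": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "classification_marker": re.compile(r"\b(?:CONFIDENTIAL|PRIVILEGED)\b"),
}


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, map
    letters to 10..35, and the resulting number must be 1 mod 97.
    Used to drop regex hits that merely look like an IBAN."""
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)
    return int(digits) % 97 == 1


def scan_text(text: str) -> list[str]:
    """Names of the patterns found in text, with IBAN hits checksum-validated."""
    hits = []
    for name, rx in PATTERNS.items():
        matches = rx.findall(text)
        if name == "iban":
            matches = [m for m in matches if iban_checksum_ok(m)]
        if matches:
            hits.append(name)
    return sorted(hits)


def zip_is_encrypted(data: bytes) -> bool:
    """True only if every member sets the ZIP 'encrypted' flag (bit 0).
    An unreadable archive is treated as unprotected (fail closed)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
    except zipfile.BadZipFile:
        return False
    return bool(members) and all(m.flag_bits & 0x1 for m in members)


def pdf_is_encrypted(data: bytes) -> bool:
    """Cheap heuristic: an encrypted PDF carries an /Encrypt entry in its trailer."""
    return b"/Encrypt" in data


def check_outbound(msg: EmailMessage) -> list[str]:
    """Return the list of findings; an empty list means the mail may be sent."""
    findings = []
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        findings += [f"body: matches {n}" for n in scan_text(body.get_content())]
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        if ctype == "application/zip" or name.lower().endswith(".zip"):
            if not zip_is_encrypted(data):
                findings.append(f"{name}: unencrypted zip attachment")
        elif ctype == "application/pdf" or name.lower().endswith(".pdf"):
            if not pdf_is_encrypted(data):
                findings.append(f"{name}: unencrypted PDF attachment")
        elif ctype.startswith("text/"):
            charset = part.get_content_charset() or "utf-8"
            text = data.decode(charset, errors="replace")
            findings += [f"{name}: matches {n}" for n in scan_text(text)]
    return findings


def build_sample_message() -> EmailMessage:
    """Constructed outbound mail reproducing the mistakes the survey describes."""
    msg = EmailMessage()
    msg["From"] = "analyst@example.com"
    msg["To"] = "client@example.net"
    msg["Subject"] = "Q3 client schedule"
    msg.set_content("Hi, the CONFIDENTIAL schedule is attached. Client NI number: AB123456C")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # no password: a plain, unencrypted zip
        zf.writestr("schedule.csv", "client,amount\nAcme Ltd,1000000\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="schedule.zip")
    # GB29NWBK60161331926819 is the published ISO example IBAN, not a real account.
    msg.add_attachment("Settle to IBAN GB29NWBK60161331926819",
                       subtype="plain", filename="bank.txt")
    return msg


if __name__ == "__main__":
    for finding in check_outbound(build_sample_message()):
        print("BLOCK:", finding)
```

Running the file prints four BLOCK lines for the constructed message: the classification marker and NI number in the body, the unencrypted zip, and the IBAN in the text attachment. In practice the rules would be tuned to the firm's own data, the zip check would sit alongside a policy on how archive passwords are shared out of band, and the PDF heuristic only tells you that an encryption dictionary is present, not how strong the protection is.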

