How financial services organisations can bolster their cyber security frameworks

By Anna Webb, Head of Security Operations at Kocho

The Bank of England has released a cyber security framework with the intention of helping financial institutions across the UK identify areas of vulnerability that could expose them to cyberattack. Cyber security in financial services is as important as it is complex, notably due to advancements in technology and digitalisation projects, which accelerated during the pandemic. The mass-movement to hybrid working exposed access points to confidential information from outside corporate networks, increasing the risk of attack and putting the onus of compliance onto home-based workers who may not have a security background. All the while ransomware attacks have been increasing in number and sophistication, adding extra pressure.

Indeed, the UK Government’s 2022 Cyber Security Breaches Survey found that 39 per cent of UK businesses had identified a cyberattack in the last 12 months. While there are no quick fixes to mitigate these concerns, or to ease the burden on overworked IT teams, financial services organisations can make significant improvements by breaking the challenge of bolstering their cyber defences into bite-sized pieces.

How to remain secure in an age of hybrid work

Balancing security with remote work provisions has been a substantial challenge for most organisations. Financial services companies aiming to be modern employers, providing flexibility to employees, have begun to introduce specific security protocols that are reflective of each employee’s job function. These protocols take into consideration the individual applications and systems certain employees need access to in order to complete their role efficiently.

Teams that are likely to continue working from home in the long term will continue to need solutions that strengthen their local security posture. In practice, marketing, accounting and admin teams that are still working from home might require significant authentication steps before logging onto corporate networks, whereas traders, who are more likely to be back in the office, will remain covered by local, more robust security protocols.

These cyber security nuances apply equally to financial advisors and commercial bankers, who, in today’s workplace, rely on video conferencing to establish key business relationships. The security tools needed to support these interactions must ensure that any data shared is adequately protected and that access points cannot be opened up by potential attackers.

Outsourcing security

For many organisations, the task of securing all of these complex environments is time-consuming and costly. Organisations that have traditionally controlled their security in house – without robust processes in place for securing external network access – have faced a logistical challenge. So how can financial service businesses de-risk their operations without wasting resources and time?

By choosing to outsource their IT and cyber security, organisations can relieve the burden on internal security teams and gain access to expertise and resources that can keep them ahead of emerging threats. Yet not all providers are created equal. When deciding which managed security service provider is right for them, organisations should look for industry-recognised certifications that confirm compliance standards, such as the Cyber Essentials Plus programme and ISO 27001 certification. Additionally, companies should check supplier credentials by asking for case studies of existing financial services customers.

The case for compliance

Along with the ever-evolving efforts of cyber criminals to find weak spots in business infrastructure, legislation and regulation are also ever-changing, as authorities play catch-up in a rapidly advancing technology landscape. In order to continue to innovate and stay ahead of competitors, financial organisations should emphasise sustainability and safety during their digital transformation efforts, particularly if they are working with third parties that have access to sensitive data.

The recently released CBEST security assessment framework is designed by the Bank of England to aid financial services organisations in bolstering their cyber security resilience. This regulatory development is also part of the supervisory strategies of the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). Organisations using the voluntary assessments should find it easier to uncover hidden weaknesses and vulnerabilities, which in turn provides a stepping stone to strategically fortify their systems, while also contributing to the security and functionality of the wider financial network.

The assessment is conducted as a series of realistic attacks performed by highly skilled cyber threat intelligence analysts. These tests mirror modern hacking techniques without wreaking havoc. The assessment is also used to indicate how well cyber defences are performing in comparison to standard key performance indicators. Used regularly and continuously, CBEST proves to be an excellent regulatory assessment framework, one which also works on a cross-jurisdictional basis and in cooperation with other regulations and frameworks.

Furthermore, financial services organisations working with third-party suppliers need to understand the security of their entire supply chain. The spike in supply chain attacks has caused the UK government to design further legislation, known as the National Cyber Strategy 2022 (NCS). Its purpose is to support UK organisations in fortifying their IT network security against attacks that are aimed at third-party suppliers. Currently in the proposal stage, it is expected to be introduced during 2023.

Conclusion

In this time of economic uncertainty, financial services organisations must be able to operate seamlessly and securely; this includes ensuring customer data is protected.

Even though securing digital assets is becoming more complex, making security feel like a titanic effort, organisations can decrease risk and exposure by focusing on their key requirements. Priority should be given to following recognised security frameworks and controls that include basics such as adopting best-practice identity management and building cyber security awareness and good practice amongst employees. Combined, these steps go a long way towards mitigating the risk of an attack.
